1#! /usr/bin/env python 2 3# Copyright (C) 2017 Alessio Deiana <adeiana@gmail.com> 4# 2017 Alexis Sultan <alexis.sultan@sfr.com> 5 6# This file is part of Scapy 7# Scapy is free software: you can redistribute it and/or modify 8# it under the terms of the GNU General Public License as published by 9# the Free Software Foundation, either version 2 of the License, or 10# any later version. 11# 12# Scapy is distributed in the hope that it will be useful, 13# but WITHOUT ANY WARRANTY; without even the implied warranty of 14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15# GNU General Public License for more details. 16# 17# You should have received a copy of the GNU General Public License 18# along with Scapy. If not, see <http://www.gnu.org/licenses/>. 19 20# scapy.contrib.description = GTPv2 21# scapy.contrib.status = loads 22 23import time 24import logging 25 26from scapy.packet import * 27from scapy.fields import * 28from scapy.layers.inet import IP, UDP 29from scapy.layers.inet6 import IP6Field 30from scapy.compat import orb 31 32import scapy.contrib.gtp as gtp 33 34RATType = { 35 6: "EUTRAN", 36} 37 38GTPmessageType = {1: "echo_request", 39 2: "echo_response", 40 32: "create_session_req", 41 33: "create_session_res", 42 34: "modify_bearer_req", 43 35: "modify_bearer_res", 44 36: "delete_session_req", 45 37: "delete_session_res", 46 70: "downlink_data_notif_failure_indic", 47 170: "realease_bearers_req", 48 171: "realease_bearers_res", 49 176: "downlink_data_notif", 50 177: "downlink_data_notif_ack", 51 } 52 53IEType = {1: "IMSI", 54 2: "Cause", 55 3: "Recovery Restart", 56 71: "APN", 57 72: "AMBR", 58 73: "EPS Bearer ID", 59 74: "IPv4", 60 75: "MEI", 61 76: "MSISDN", 62 77: "Indication", 63 78: "Protocol Configuration Options", 64 79: "PAA", 65 80: "Bearer QoS", 66 82: "RAT", 67 83: "Serving Network", 68 86: "ULI", 69 87: "F-TEID", 70 93: "Bearer Context", 71 94: "Charging ID", 72 95: "Charging Characteristics", 73 99: "PDN Type", 74 114: "UE Time zone", 75 126: "Port Number", 76 127: "APN Restriction", 77 128: "Selection Mode", 78 161: "Max MBR/APN-AMBR (MMBR)" 79 } 80 81CauseValues = { 82 16: "Request Accepted", 83} 84 85 86class GTPHeader(Packet): 87 # 3GPP TS 29.060 V9.1.0 (2009-12) 88 # without the version 89 name = "GTP v2 Header" 90 fields_desc = [BitField("version", 2, 3), 91 BitField("P", 1, 1), 92 BitField("T", 1, 1), 93 BitField("SPARE", 0, 1), 94 BitField("SPARE", 0, 1), 95 BitField("SPARE", 0, 1), 96 ByteEnumField("gtp_type", None, GTPmessageType), 97 ShortField("length", None), 98 ConditionalField(IntField("teid", 0), 99 lambda pkt:pkt.T == 1), 100 ThreeBytesField("seq", RandShort()), 101 ByteField("SPARE", 0) 102 ] 103 104 def post_build(self, p, pay): 105 p += pay 106 if self.length is None: 107 l = len(p)-8 108 p = p[:2] + struct.pack("!H", l) + p[4:] 109 return p 110 111 def hashret(self): 112 return struct.pack("B", self.version) + self.payload.hashret() 113 114 def answers(self, other): 115 return (isinstance(other, GTPHeader) and 116 self.version == other.version and 117 self.payload.answers(other.payload)) 118 119 120class IE_IPv4(gtp.IE_Base): 121 name = "IE IPv4" 122 fields_desc = [ByteEnumField("ietype", 74, IEType), 123 ShortField("length", 0), 124 BitField("CR_flag", 0, 4), 125 BitField("instance", 0, 4), 126 IPField("address", RandIP())] 127 128 129class IE_MEI(gtp.IE_Base): 130 name = "IE MEI" 131 fields_desc = [ByteEnumField("ietype", 75, IEType), 132 ShortField("length", 0), 133 BitField("CR_flag", 0, 4), 134 BitField("instance", 0, 4), 135 LongField("MEI", 0)] 136 137 138def IE_Dispatcher(s): 139 """Choose the correct Information Element class.""" 140 141 # Get the IE type 142 ietype = orb(s[0]) 143 cls = ietypecls.get(ietype, Raw) 144 145 # if ietype greater than 128 are TLVs 146 if cls is Raw and ietype > 128: 147 cls = IE_NotImplementedTLV 148 149 return cls(s) 150 151 152class IE_EPSBearerID(gtp.IE_Base): 153 name = "IE EPS Bearer ID" 154 fields_desc = [ByteEnumField("ietype", 73, IEType), 155 ShortField("length", 0), 156 BitField("CR_flag", 0, 4), 157 BitField("instance", 0, 4), 158 ByteField("EBI", 0)] 159 160 161class IE_RAT(gtp.IE_Base): 162 name = "IE RAT" 163 fields_desc = [ByteEnumField("ietype", 82, IEType), 164 ShortField("length", 0), 165 BitField("CR_flag", 0, 4), 166 BitField("instance", 0, 4), 167 ByteEnumField("RAT_type", None, RATType)] 168 169 170class IE_ServingNetwork(gtp.IE_Base): 171 name = "IE Serving Network" 172 fields_desc = [ByteEnumField("ietype", 83, IEType), 173 ShortField("length", 0), 174 BitField("CR_flag", 0, 4), 175 BitField("instance", 0, 4), 176 gtp.TBCDByteField("MCC", "", 2), 177 gtp.TBCDByteField("MNC", "", 1)] 178 179 180class ULI_RAI(gtp.IE_Base): 181 name = "IE Tracking Area Identity" 182 fields_desc = [ 183 gtp.TBCDByteField("MCC", "", 2), 184 # MNC: if the third digit of MCC is 0xf, then the length of 185 # MNC is 1 byte 186 gtp.TBCDByteField("MNC", "", 1), 187 ShortField("LAC", 0), 188 ShortField("RAC", 0)] 189 190 191class ULI_SAI(gtp.IE_Base): 192 name = "IE Tracking Area Identity" 193 fields_desc = [ 194 gtp.TBCDByteField("MCC", "", 2), 195 gtp.TBCDByteField("MNC", "", 1), 196 ShortField("LAC", 0), 197 ShortField("SAC", 0)] 198 199 200class ULI_TAI(gtp.IE_Base): 201 name = "IE Tracking Area Identity" 202 fields_desc = [ 203 gtp.TBCDByteField("MCC", "", 2), 204 gtp.TBCDByteField("MNC", "", 1), 205 ShortField("TAC", 0)] 206 207 208class ULI_ECGI(gtp.IE_Base): 209 name = "IE E-UTRAN Cell Identifier" 210 fields_desc = [ 211 gtp.TBCDByteField("MCC", "", 2), 212 gtp.TBCDByteField("MNC", "", 1), 213 BitField("SPARE", 0, 4), 214 BitField("ECI", 0, 28)] 215 216 217class IE_ULI(gtp.IE_Base): 218 name = "IE ULI" 219 fields_desc = [ByteEnumField("ietype", 86, IEType), 220 ShortField("length", 0), 221 BitField("CR_flag", 0, 4), 222 BitField("instance", 0, 4), 223 BitField("SPARE", 0, 2), 224 BitField("LAI_Present", 0, 1), 225 BitField("ECGI_Present", 0, 1), 226 BitField("TAI_Present", 0, 1), 227 BitField("RAI_Present", 0, 1), 228 BitField("SAI_Present", 0, 1), 229 BitField("CGI_Present", 0, 1), 230 ConditionalField( 231 PacketField("SAI", 0, ULI_SAI), lambda pkt: bool(pkt.SAI_Present)), 232 ConditionalField( 233 PacketField("RAI", 0, ULI_RAI), lambda pkt: bool(pkt.RAI_Present)), 234 ConditionalField( 235 PacketField("TAI", 0, ULI_TAI), lambda pkt: bool(pkt.TAI_Present)), 236 ConditionalField(PacketField("ECGI", 0, ULI_ECGI), 237 lambda pkt: bool(pkt.ECGI_Present))] 238 239 240class IE_FTEID(gtp.IE_Base): 241 name = "IE F-TEID" 242 fields_desc = [ByteEnumField("ietype", 87, IEType), 243 ShortField("length", 0), 244 BitField("CR_flag", 0, 4), 245 BitField("instance", 0, 4), 246 BitField("ipv4_present", 0, 1), 247 BitField("ipv6_present", 0, 1), 248 BitField("InterfaceType", 0, 6), 249 XIntField("GRE_Key", 0), 250 ConditionalField( 251 IPField("ipv4", RandIP()), lambda pkt: pkt.ipv4_present), 252 ConditionalField(XBitField("ipv6", "2001::", 128), 253 lambda pkt: pkt.ipv6_present)] 254 255 256class IE_BearerContext(gtp.IE_Base): 257 name = "IE Bearer Context" 258 fields_desc = [ByteEnumField("ietype", 93, IEType), 259 ShortField("length", 0), 260 BitField("CR_flag", 0, 4), 261 BitField("instance", 0, 4), 262 PacketListField("IE_list", None, IE_Dispatcher, 263 length_from=lambda pkt: pkt.length)] 264 265 266class IE_NotImplementedTLV(gtp.IE_Base): 267 name = "IE not implemented" 268 fields_desc = [ByteEnumField("ietype", 0, IEType), 269 ShortField("length", None), 270 StrLenField("data", "", length_from=lambda x: x.length)] 271 272 273class IE_IMSI(gtp.IE_Base): 274 name = "IE IMSI" 275 fields_desc = [ByteEnumField("ietype", 1, IEType), 276 ShortField("length", None), 277 BitField("CR_flag", 0, 4), 278 BitField("instance", 0, 4), 279 gtp.TBCDByteField("IMSI", "33607080910", 280 length_from=lambda x: x.length)] 281 282 283class IE_Cause(gtp.IE_Base): 284 name = "IE Cause" 285 fields_desc = [ByteEnumField("ietype", 2, IEType), 286 ShortField("length", None), 287 BitField("CR_flag", 0, 4), 288 BitField("instance", 0, 4), 289 ByteEnumField("Cause", 1, CauseValues), 290 BitField("SPARE", 0, 5), 291 BitField("PCE", 0, 1), 292 BitField("BCE", 0, 1), 293 BitField("CS", 0, 1)] 294 295 296class IE_RecoveryRestart(gtp.IE_Base): 297 name = "IE Recovery Restart" 298 fields_desc = [ByteEnumField("ietype", 3, IEType), 299 ShortField("length", None), 300 BitField("CR_flag", 0, 4), 301 BitField("instance", 0, 4), 302 ByteField("restart_counter", 0)] 303 304 305class IE_APN(gtp.IE_Base): 306 name = "IE APN" 307 fields_desc = [ByteEnumField("ietype", 71, IEType), 308 ShortField("length", None), 309 BitField("CR_flag", 0, 4), 310 BitField("instance", 0, 4), 311 gtp.APNStrLenField("APN", "internet", 312 length_from=lambda x: x.length)] 313 314 315class IE_AMBR(gtp.IE_Base): 316 name = "IE AMBR" 317 fields_desc = [ByteEnumField("ietype", 72, IEType), 318 ShortField("length", None), 319 BitField("CR_flag", 0, 4), 320 BitField("instance", 0, 4), 321 IntField("AMBR_Uplink", 0), 322 IntField("AMBR_Downlink", 0)] 323 324 325class IE_MSISDN(gtp.IE_Base): 326 name = "IE MSISDN" 327 fields_desc = [ByteEnumField("ietype", 76, IEType), 328 ShortField("length", None), 329 BitField("CR_flag", 0, 4), 330 BitField("instance", 0, 4), 331 gtp.TBCDByteField("digits", "33123456789", 332 length_from=lambda x: x.length)] 333 334 335class IE_Indication(gtp.IE_Base): 336 name = "IE Cause" 337 fields_desc = [ByteEnumField("ietype", 77, IEType), 338 ShortField("length", None), 339 BitField("CR_flag", 0, 4), 340 BitField("instance", 0, 4), 341 BitField("DAF", 0, 1), 342 BitField("DTF", 0, 1), 343 BitField("HI", 0, 1), 344 BitField("DFI", 0, 1), 345 BitField("OI", 0, 1), 346 BitField("ISRSI", 0, 1), 347 BitField("ISRAI", 0, 1), 348 BitField("SGWCI", 0, 1), 349 BitField("SQCI", 0, 1), 350 BitField("UIMSI", 0, 1), 351 BitField("CFSI", 0, 1), 352 BitField("CRSI", 0, 1), 353 BitField("PS", 0, 1), 354 BitField("PT", 0, 1), 355 BitField("SI", 0, 1), 356 BitField("MSV", 0, 1), 357 358 ConditionalField( 359 BitField("RetLoc", 0, 1), lambda pkt: pkt.length > 2), 360 ConditionalField( 361 BitField("PBIC", 0, 1), lambda pkt: pkt.length > 2), 362 ConditionalField( 363 BitField("SRNI", 0, 1), lambda pkt: pkt.length > 2), 364 ConditionalField( 365 BitField("S6AF", 0, 1), lambda pkt: pkt.length > 2), 366 ConditionalField( 367 BitField("S4AF", 0, 1), lambda pkt: pkt.length > 2), 368 ConditionalField( 369 BitField("MBMDT", 0, 1), lambda pkt: pkt.length > 2), 370 ConditionalField( 371 BitField("ISRAU", 0, 1), lambda pkt: pkt.length > 2), 372 ConditionalField( 373 BitField("CCRSI", 0, 1), lambda pkt: pkt.length > 2), 374 375 ConditionalField( 376 BitField("CPRAI", 0, 1), lambda pkt: pkt.length > 3), 377 ConditionalField( 378 BitField("ARRL", 0, 1), lambda pkt: pkt.length > 3), 379 ConditionalField( 380 BitField("PPOFF", 0, 1), lambda pkt: pkt.length > 3), 381 ConditionalField( 382 BitField("PPON", 0, 1), lambda pkt: pkt.length > 3), 383 ConditionalField( 384 BitField("PPSI", 0, 1), lambda pkt: pkt.length > 3), 385 ConditionalField( 386 BitField("CSFBI", 0, 1), lambda pkt: pkt.length > 3), 387 ConditionalField( 388 BitField("CLII", 0, 1), lambda pkt: pkt.length > 3), 389 ConditionalField( 390 BitField("CPSR", 0, 1), lambda pkt: pkt.length > 3), 391 392 ] 393 394PDN_TYPES = { 395 1: "IPv4", 396 2: "IPv6", 397 3: "IPv4/IPv6", 398} 399 400PCO_OPTION_TYPES = { 401 3: "IPv4", 402 129: "Primary DNS Server IP address", 403 130: "Primary NBNS Server IP address", 404 131: "Secondary DNS Server IP address", 405 132: "Secondary NBNS Server IP address", 406} 407 408 409class PCO_Option(Packet): 410 def extract_padding(self, pkt): 411 return "", pkt 412 413 414class PCO_IPv4(PCO_Option): 415 name = "IPv4" 416 fields_desc = [ByteEnumField("type", None, PCO_OPTION_TYPES), 417 ByteField("length", 0), 418 IPField("address", RandIP())] 419 420 421class PCO_Primary_DNS(PCO_Option): 422 name = "Primary DNS Server IP Address" 423 fields_desc = [ByteEnumField("type", None, PCO_OPTION_TYPES), 424 ByteField("length", 0), 425 IPField("address", RandIP())] 426 427 428class PCO_Primary_NBNS(PCO_Option): 429 name = "Primary DNS Server IP Address" 430 fields_desc = [ByteEnumField("type", None, PCO_OPTION_TYPES), 431 ByteField("length", 0), 432 IPField("address", RandIP())] 433 434 435class PCO_Secondary_DNS(PCO_Option): 436 name = "Secondary DNS Server IP Address" 437 fields_desc = [ByteEnumField("type", None, PCO_OPTION_TYPES), 438 ByteField("length", 0), 439 IPField("address", RandIP())] 440 441 442class PCO_Secondary_NBNS(PCO_Option): 443 name = "Secondary NBNS Server IP Address" 444 fields_desc = [ByteEnumField("type", None, PCO_OPTION_TYPES), 445 ByteField("length", 0), 446 IPField("address", RandIP())] 447 448 449PCO_PROTOCOL_TYPES = { 450 0x0001: 'P-CSCF IPv6 Address Request', 451 0x0003: 'DNS Server IPv6 Address Request', 452 0x0005: 'MS Support of Network Requested Bearer Control indicator', 453 0x000a: 'IP Allocation via NAS', 454 0x000d: 'DNS Server IPv4 Address Request', 455 0x000c: 'P-CSCF IPv4 Address Request', 456 0x0010: 'IPv4 Link MTU Request', 457 0x8021: 'IPCP', 458 0xc023: 'Password Authentification Protocol', 459 0xc223: 'Challenge Handshake Authentication Protocol', 460} 461 462PCO_OPTION_CLASSES = { 463 3: PCO_IPv4, 464 129: PCO_Primary_DNS, 465 130: PCO_Primary_NBNS, 466 131: PCO_Secondary_DNS, 467 132: PCO_Secondary_NBNS, 468} 469 470 471def PCO_option_dispatcher(s): 472 """Choose the correct PCO element.""" 473 option = orb(s[0]) 474 475 cls = PCO_OPTION_CLASSES.get(option, Raw) 476 return cls(s) 477 478 479def len_options(pkt): 480 return pkt.length-4 if pkt.length else 0 481 482 483class PCO_P_CSCF_IPv6_Address_Request(PCO_Option): 484 name = "PCO PCO-P CSCF IPv6 Address Request" 485 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 486 ByteField("length", 0), 487 ConditionalField(XBitField("address", 488 "2001:db8:0:42::", 128), 489 lambda pkt: pkt.length)] 490 491 492class PCO_DNS_Server_IPv6(PCO_Option): 493 name = "PCO DNS Server IPv6 Address Request" 494 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 495 ByteField("length", 0), 496 ConditionalField(XBitField("address", 497 "2001:db8:0:42::", 128), 498 lambda pkt: pkt.length)] 499 500 501class PCO_SOF(PCO_Option): 502 name = "PCO MS Support of Network Requested Bearer Control indicator" 503 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 504 ByteField("length", 0), 505 ] 506 507 508class PCO_PPP(PCO_Option): 509 name = "PPP IP Control Protocol" 510 fields_desc = [ByteField("Code", 0), 511 ByteField("Identifier", 0), 512 ShortField("length", 0), 513 PacketListField("Options", None, PCO_option_dispatcher, 514 length_from=len_options)] 515 516 def extract_padding(self, pkt): 517 return "", pkt 518 519 520class PCO_IP_Allocation_via_NAS(PCO_Option): 521 name = "PCO IP Address allocation via NAS Signaling" 522 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 523 ByteField("length", 0), 524 PacketListField("Options", None, PCO_option_dispatcher, 525 length_from=len_options)] 526 527 528class PCO_P_CSCF_IPv4_Address_Request(PCO_Option): 529 name = "PCO PCO-P CSCF IPv4 Address Request" 530 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 531 ByteField("length", 0), 532 ConditionalField(IPField("address", RandIP()), 533 lambda pkt: pkt.length)] 534 535 536class PCO_DNS_Server_IPv4(PCO_Option): 537 name = "PCO DNS Server IPv4 Address Request" 538 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 539 ByteField("length", 0), 540 ConditionalField(IPField("address", RandIP()), 541 lambda pkt: pkt.length)] 542 543 544class PCO_IPv4_Link_MTU_Request(PCO_Option): 545 name = "PCO IPv4 Link MTU Request" 546 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 547 ByteField("length", 0), 548 ConditionalField(ShortField("MTU_size", 1500), 549 lambda pkt: pkt.length)] 550 551 552class PCO_IPCP(PCO_Option): 553 name = "PCO Internet Protocol Control Protocol" 554 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 555 ByteField("length", 0), 556 PacketField("PPP", None, PCO_PPP)] 557 558 559class PCO_PPP_Auth(PCO_Option): 560 name = "PPP Password Authentification Protocol" 561 fields_desc = [ByteField("Code", 0), 562 ByteField("Identifier", 0), 563 ShortField("length", 0), 564 ByteField("PeerID_length", 0), 565 ConditionalField(StrFixedLenField( 566 "PeerID", 567 "", 568 length_from=lambda pkt: pkt.PeerID_length), 569 lambda pkt: pkt.PeerID_length), 570 ByteField("Password_length", 0), 571 ConditionalField( 572 StrFixedLenField( 573 "Password", 574 "", 575 length_from=lambda pkt: pkt.Password_length), 576 lambda pkt: pkt.Password_length)] 577 578 579class PCO_PasswordAuthentificationProtocol(PCO_Option): 580 name = "PCO Password Authentification Protocol" 581 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 582 ByteField("length", 0), 583 PacketField("PPP", None, PCO_PPP_Auth)] 584 585 586class PCO_PPP_Challenge(PCO_Option): 587 name = "PPP Password Authentification Protocol" 588 fields_desc = [ByteField("Code", 0), 589 ByteField("Identifier", 0), 590 ShortField("length", 0), 591 ByteField("value_size", 0), 592 ConditionalField(StrFixedLenField( 593 "value", "", 594 length_from=lambda pkt: pkt.value_size), 595 lambda pkt: pkt.value_size), 596 ConditionalField(StrFixedLenField( 597 "name", "", 598 length_from=lambda pkt: pkt.length-pkt.value_size-5), 599 lambda pkt: pkt.length)] 600 601 602class PCO_ChallengeHandshakeAuthenticationProtocol(PCO_Option): 603 name = "PCO Password Authentification Protocol" 604 fields_desc = [ShortEnumField("type", None, PCO_PROTOCOL_TYPES), 605 ByteField("length", 0), 606 PacketField("PPP", None, PCO_PPP_Challenge)] 607 608 609PCO_PROTOCOL_CLASSES = { 610 0x0001: PCO_P_CSCF_IPv6_Address_Request, 611 0x0003: PCO_DNS_Server_IPv6, 612 0x0005: PCO_SOF, 613 0x000a: PCO_IP_Allocation_via_NAS, 614 0x000c: PCO_P_CSCF_IPv4_Address_Request, 615 0x000d: PCO_DNS_Server_IPv4, 616 0x0010: PCO_IPv4_Link_MTU_Request, 617 0x8021: PCO_IPCP, 618 0xc023: PCO_PasswordAuthentificationProtocol, 619 0xc223: PCO_ChallengeHandshakeAuthenticationProtocol, 620} 621 622 623def PCO_protocol_dispatcher(s): 624 """Choose the correct PCO element.""" 625 proto_num = orb(s[0])*256+orb(s[1]) 626 cls = PCO_PROTOCOL_CLASSES.get(proto_num, Raw) 627 return cls(s) 628 629 630class IE_PCO(gtp.IE_Base): 631 name = "IE Protocol Configuration Options" 632 fields_desc = [ByteEnumField("ietype", 78, IEType), 633 ShortField("length", None), 634 BitField("CR_flag", 0, 4), 635 BitField("instance", 0, 4), 636 BitField("Extension", 0, 1), 637 BitField("SPARE", 0, 4), 638 BitField("PPP", 0, 3), 639 PacketListField("Protocols", None, PCO_protocol_dispatcher, 640 length_from=lambda pkt: pkt.length-1)] 641 642 643class IE_PAA(gtp.IE_Base): 644 name = "IE PAA" 645 fields_desc = [ByteEnumField("ietype", 79, IEType), 646 ShortField("length", None), 647 BitField("CR_flag", 0, 4), 648 BitField("instance", 0, 4), 649 BitField("SPARE", 0, 5), 650 BitEnumField("PDN_type", None, 3, PDN_TYPES), 651 ConditionalField( 652 ByteField("ipv6_prefix_length", 8), 653 lambda pkt: pkt.PDN_type in (2, 3)), 654 ConditionalField( 655 XBitField("ipv6", "2001:db8:0:42::", 128), 656 lambda pkt: pkt.PDN_type in (2, 3)), 657 ConditionalField( 658 IPField("ipv4", 0), lambda pkt: pkt.PDN_type in (1, 3)), 659 ] 660 661 662class IE_Bearer_QoS(gtp.IE_Base): 663 name = "IE Bearer Quality of Service" 664 fields_desc = [ByteEnumField("ietype", 80, IEType), 665 ShortField("length", None), 666 BitField("CR_flag", 0, 4), 667 BitField("instance", 0, 4), 668 BitField("SPARE", 0, 1), 669 BitField("PCI", 0, 1), 670 BitField("PriorityLevel", 0, 4), 671 BitField("SPARE", 0, 1), 672 BitField("PVI", 0, 1), 673 ByteField("QCI", 0), 674 BitField("MaxBitRateForUplink", 0, 40), 675 BitField("MaxBitRateForDownlink", 0, 40), 676 BitField("GuaranteedBitRateForUplink", 0, 40), 677 BitField("GuaranteedBitRateForDownlink", 0, 40)] 678 679 680class IE_ChargingID(gtp.IE_Base): 681 name = "IE Charging ID" 682 fields_desc = [ByteEnumField("ietype", 94, IEType), 683 ShortField("length", None), 684 BitField("CR_flag", 0, 4), 685 BitField("instance", 0, 4), 686 IntField("ChargingID", 0)] 687 688 689class IE_ChargingCharacteristics(gtp.IE_Base): 690 name = "IE Charging ID" 691 fields_desc = [ByteEnumField("ietype", 95, IEType), 692 ShortField("length", None), 693 BitField("CR_flag", 0, 4), 694 BitField("instance", 0, 4), 695 XShortField("ChargingCharacteristric", 0)] 696 697 698class IE_PDN_type(gtp.IE_Base): 699 name = "IE PDN Type" 700 fields_desc = [ByteEnumField("ietype", 99, IEType), 701 ShortField("length", None), 702 BitField("CR_flag", 0, 4), 703 BitField("instance", 0, 4), 704 BitField("SPARE", 0, 5), 705 BitEnumField("PDN_type", None, 3, PDN_TYPES)] 706 707 708class IE_UE_Timezone(gtp.IE_Base): 709 name = "IE UE Time zone" 710 fields_desc = [ByteEnumField("ietype", 114, IEType), 711 ShortField("length", None), 712 BitField("CR_flag", 0, 4), 713 BitField("instance", 0, 4), 714 ByteField("Timezone", 0), 715 ByteField("DST", 0)] 716 717 718class IE_Port_Number(gtp.IE_Base): 719 name = "IE Port Number" 720 fields_desc = [ByteEnumField("ietype", 126, IEType), 721 ShortField("length", 2), 722 BitField("CR_flag", 0, 4), 723 BitField("instance", 0, 4), 724 ShortField("PortNumber", RandShort())] 725 726 727class IE_APN_Restriction(gtp.IE_Base): 728 name = "IE APN Restriction" 729 fields_desc = [ByteEnumField("ietype", 127, IEType), 730 ShortField("length", None), 731 BitField("CR_flag", 0, 4), 732 BitField("instance", 0, 4), 733 ByteField("APN_Restriction", 0)] 734 735 736class IE_SelectionMode(gtp.IE_Base): 737 name = "IE Selection Mode" 738 fields_desc = [ByteEnumField("ietype", 128, IEType), 739 ShortField("length", None), 740 BitField("CR_flag", 0, 4), 741 BitField("instance", 0, 4), 742 BitField("SPARE", 0, 6), 743 BitField("SelectionMode", 0, 2)] 744 745 746class IE_MMBR(gtp.IE_Base): 747 name = "IE Max MBR/APN-AMBR (MMBR)" 748 fields_desc = [ByteEnumField("ietype", 72, IEType), 749 ShortField("length", None), 750 BitField("CR_flag", 0, 4), 751 BitField("instance", 0, 4), 752 IntField("uplink_rate", 0), 753 IntField("downlink_rate", 0)] 754 755 756ietypecls = {1: IE_IMSI, 757 2: IE_Cause, 758 3: IE_RecoveryRestart, 759 71: IE_APN, 760 72: IE_AMBR, 761 73: IE_EPSBearerID, 762 74: IE_IPv4, 763 75: IE_MEI, 764 76: IE_MSISDN, 765 77: IE_Indication, 766 78: IE_PCO, 767 79: IE_PAA, 768 80: IE_Bearer_QoS, 769 82: IE_RAT, 770 83: IE_ServingNetwork, 771 86: IE_ULI, 772 87: IE_FTEID, 773 93: IE_BearerContext, 774 94: IE_ChargingID, 775 95: IE_ChargingCharacteristics, 776 99: IE_PDN_type, 777 114: IE_UE_Timezone, 778 126: IE_Port_Number, 779 127: IE_APN_Restriction, 780 128: IE_SelectionMode, 781 161: IE_MMBR} 782 783# 784# GTPv2 Commands 785# 3GPP TS 29.060 V9.1.0 (2009-12) 786# 787 788 789class GTPV2Command(Packet): 790 fields_desc = [PacketListField("IE_list", None, IE_Dispatcher)] 791 792 793class GTPV2EchoRequest(GTPV2Command): 794 name = "GTPv2 Echo Request" 795 796 797class GTPV2EchoResponse(GTPV2Command): 798 name = "GTPv2 Echo Response" 799 800 801class GTPV2CreateSessionRequest(GTPV2Command): 802 name = "GTPv2 Create Session Request" 803 804 805class GTPV2CreateSessionResponse(GTPV2Command): 806 name = "GTPv2 Create Session Response" 807 808 809class GTPV2DeleteSessionRequest(GTPV2Command): 810 name = "GTPv2 Delete Session Request" 811 812 813class GTPV2DeleteSessionResponse(GTPV2Command): 814 name = "GTPv2 Delete Session Request" 815 816 817class GTPV2ModifyBearerCommand(GTPV2Command): 818 name = "GTPv2 Modify Bearer Command" 819 820 821class GTPV2ModifyBearerFailureNotification(GTPV2Command): 822 name = "GTPv2 Modify Bearer Command" 823 824 825class GTPV2DownlinkDataNotifFailureIndication(GTPV2Command): 826 name = "GTPv2 Downlink Data Notification Failure Indication" 827 828 829class GTPV2ModifyBearerRequest(GTPV2Command): 830 name = "GTPv2 Modify Bearer Request" 831 832 833class GTPV2ModifyBearerResponse(GTPV2Command): 834 name = "GTPv2 Modify Bearer Response" 835 836 837class GTPV2UpdateBearerRequest(GTPV2Command): 838 name = "GTPv2 Update Bearer Request" 839 840 841class GTPV2UpdateBearerResponse(GTPV2Command): 842 name = "GTPv2 Update Bearer Response" 843 844 845class GTPV2DeleteBearerRequest(GTPV2Command): 846 name = "GTPv2 Delete Bearer Request" 847 848 849class GTPV2SuspendNotification(GTPV2Command): 850 name = "GTPv2 Suspend Notification" 851 852 853class GTPV2SuspendAcknowledge(GTPV2Command): 854 name = "GTPv2 Suspend Acknowledge" 855 856 857class GTPV2ResumeNotification(GTPV2Command): 858 name = "GTPv2 Resume Notification" 859 860 861class GTPV2ResumeAcknowledge(GTPV2Command): 862 name = "GTPv2 Resume Acknowledge" 863 864 865class GTPV2DeleteBearerResponse(GTPV2Command): 866 name = "GTPv2 Delete Bearer Response" 867 868 869class GTPV2CreateIndirectDataForwardingTunnelRequest(GTPV2Command): 870 name = "GTPv2 Create Indirect Data Forwarding Tunnel Request" 871 872 873class GTPV2CreateIndirectDataForwardingTunnelResponse(GTPV2Command): 874 name = "GTPv2 Create Indirect Data Forwarding Tunnel Response" 875 876 877class GTPV2DeleteIndirectDataForwardingTunnelRequest(GTPV2Command): 878 name = "GTPv2 Delete Indirect Data Forwarding Tunnel Request" 879 880 881class GTPV2DeleteIndirectDataForwardingTunnelResponse(GTPV2Command): 882 name = "GTPv2 Delete Indirect Data Forwarding Tunnel Response" 883 884 885class GTPV2ReleaseBearerRequest(GTPV2Command): 886 name = "GTPv2 Release Bearer Request" 887 888 889class GTPV2ReleaseBearerResponse(GTPV2Command): 890 name = "GTPv2 Release Bearer Response" 891 892 893class GTPV2DownlinkDataNotif(GTPV2Command): 894 name = "GTPv2 Download Data Notification" 895 896 897class GTPV2DownlinkDataNotifAck(GTPV2Command): 898 name = "GTPv2 Download Data Notification Acknowledgment" 899 900bind_layers(GTPHeader, GTPV2EchoRequest, gtp_type=1, T=0) 901bind_layers(GTPHeader, GTPV2EchoResponse, gtp_type=2, T=0) 902bind_layers(GTPHeader, GTPV2CreateSessionRequest, gtp_type=32) 903bind_layers(GTPHeader, GTPV2CreateSessionResponse, gtp_type=33) 904bind_layers(GTPHeader, GTPV2ModifyBearerRequest, gtp_type=34) 905bind_layers(GTPHeader, GTPV2ModifyBearerResponse, gtp_type=35) 906bind_layers(GTPHeader, GTPV2DeleteSessionRequest, gtp_type=36) 907bind_layers(GTPHeader, GTPV2DeleteSessionResponse, gtp_type=37) 908bind_layers(GTPHeader, GTPV2ModifyBearerCommand, gtp_type=64) 909bind_layers(GTPHeader, GTPV2ModifyBearerFailureNotification, gtp_type=65) 910bind_layers(GTPHeader, GTPV2DownlinkDataNotifFailureIndication, gtp_type=70) 911bind_layers(GTPHeader, GTPV2UpdateBearerRequest, gtp_type=97) 912bind_layers(GTPHeader, GTPV2UpdateBearerResponse, gtp_type=98) 913bind_layers(GTPHeader, GTPV2DeleteBearerRequest, gtp_type=99) 914bind_layers(GTPHeader, GTPV2DeleteBearerResponse, gtp_type=100) 915bind_layers(GTPHeader, GTPV2SuspendNotification, gtp_type=162) 916bind_layers(GTPHeader, GTPV2SuspendAcknowledge, gtp_type=163) 917bind_layers(GTPHeader, GTPV2ResumeNotification, gtp_type=164) 918bind_layers(GTPHeader, GTPV2ResumeAcknowledge, gtp_type=165) 919bind_layers( 920 GTPHeader, GTPV2CreateIndirectDataForwardingTunnelRequest, gtp_type=166) 921bind_layers( 922 GTPHeader, GTPV2CreateIndirectDataForwardingTunnelResponse, gtp_type=167) 923bind_layers( 924 GTPHeader, GTPV2DeleteIndirectDataForwardingTunnelRequest, gtp_type=168) 925bind_layers( 926 GTPHeader, GTPV2DeleteIndirectDataForwardingTunnelResponse, gtp_type=169) 927bind_layers(GTPHeader, GTPV2ReleaseBearerRequest, gtp_type=170) 928bind_layers(GTPHeader, GTPV2ReleaseBearerResponse, gtp_type=171) 929bind_layers(GTPHeader, GTPV2DownlinkDataNotif, gtp_type=176) 930bind_layers(GTPHeader, GTPV2DownlinkDataNotifAck, gtp_type=177) 931