jwbensley / EXFO-Headers

Description of the custom packet header used by EXFO testers

EXFO Headers

The purpose of this repo is to document the reverse engineering efforts of the custom EXFO frame/packet header. EXFO tester units use a custom header when sending test traffic flows. Knowing this header format is useful when one wishes to inspect test traffic generated by an EXFO unit in a PCAP.

This repo includes a PCAP of an EXFO test traffic flow inside an MPLS L2 VPN and a script I hacked together to check for out-of-sequence EXFO test frames inside the L2 VPN, by checking the sequence number field inside the custom EXFO headers. The script is very rough; it's nothing more than a rudimentary example. Don't raise issues to fix the script; I don't care.

EXFO Packet Header

Below are the reverse engineering efforts for the EXFO headers:

Example FTB-860 NetBlaze 2.10 EXFO header:

The EXFO header is a fixed 18 byte header that follows immediately after an
Ethernet header. In the example PCAP provided, this was test traffic sent
over a L2VPN, meaning the EXFO header follows the inner Ethernet header.
EXFO sets the Ethertype to 0x00 0x00.

An EXFO header is as follows:

0x45 58 46 F4 0A 00 68 00 00 00 90 DC C6 EA 27 00 0D FF

^ This is 4x 4-byte fields, and a 2-byte trailer.

Bytes 0-3:   0x45 58 46 F4 "EXFO" string, start of header marker.

Bytes 4-7:   0x0A 00 68 00 This is the stream number and options.
1st seems to always be 0x0A?
2nd byte is the stream number (0x0 is 1st stream, 0x1 is 2nd stream etc.).
3rd & 4th bytes are stream options (e.g. single port test or dual port test).

Bytes 8-11:  0x00 00 90 DC Frame seq number, a 32-bit unsigned int that wraps.

Bytes 12-15: 0xC6 EA 27 00 Timestamp of Tx of this frame from tester, from the
tester's internal clock.

The unit is the Tx period of a single byte in old STM-1 aggregates:
(1 second / 155,520,000 bps) * 8 == one byte every 51.44 ns

The diff between two consecutive timestamps is the delay in transmission
between those frames, measured in STM-1 byte intervals.

Example 4-byte timestamp values, from 4 consecutive frames:
0xD7 93 A2 0E == 3616776718
0xD7 94 4E 96 == 3616820886 (diff +44168)
0xD7 94 FB 1D == 3616865053 (diff +44167)
0xD7 95 A7 A5 == 3616909221 (diff +44168)

A diff of 44168 means: (44168 x 51.44 ns)/1000/1000 = 2.272 ms.

When looking at the PCAP in Wireshark this matched the field:
"Time delta from previous captured frame: 0.002272620 seconds"

Based on the time delta we can calculate the pps rate and throughput, because
we know the frame size (from the PCAP):
EXFO was sending 1500 byte frames.
Pps == 1/0.00227262 = 440.020768980296 pps
Data rate == (440.0207 * 1500)*8/1000/1000 == 5.2802484 Mbps.
This is roughly correct: the EXFO was set to 5 Mbps @ 1500 bytes for this test.

Bytes 16-17: 0x0D FF Trailer of EXFO header.
These two bytes never change and are always 0D FF, which is the last two bytes
of this EXFO's MAC address. Over many tests they are always 0D FF, so not sure
if they are meant to be the last 2 bytes of the MAC or if that is just a coincidence.

Everything after the 2-byte trailer is random per-frame garbage.
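
A decoder for the layout described above, as an added example (it is not the repo's packet_order.py). It assumes big-endian fields, as the worked timestamp values imply, and accepts the ASCII marker ending in 4F as well as the F4 printed above; the function names and the sequence numbers in the sample flow are constructed for this example.

```python
import struct

HEADER_LEN = 18
# Marker as printed on the page (45 58 46 F4). ASCII "EXFO" would end in 4F;
# accepting that too is an assumption of this example.
MARKERS = (bytes.fromhex("455846F4"), b"EXFO")
TICK_NS = 8 / 155_520_000 * 1e9  # one STM-1 byte time, ~51.44 ns
PAGE_EXAMPLE = bytes.fromhex("455846F40A006800000090DCC6EA27000DFF")


def parse_exfo(payload):
    """Decode the 18 bytes that follow the (inner) Ethernet header."""
    if len(payload) < HEADER_LEN or payload[:4] not in MARKERS:
        return None  # truncated, or not an EXFO test frame
    # Big-endian, as the page's worked timestamp values imply (assumption).
    fixed, stream, options, seq, ts = struct.unpack_from(">BB2sII", payload, 4)
    return {"fixed": fixed, "stream": stream, "options": options,
            "seq": seq, "ts": ts, "trailer": payload[16:18]}


def check_flow(headers):
    """Return (gaps, deltas_ms), tracking each stream number separately.

    gaps holds (index, step) wherever the sequence step is not 1. Steps are
    taken modulo 2**32, so a counter wrap is not reported as loss; a step
    above 2**31 means the frame arrived after a later one (reordering).
    """
    last, gaps, deltas_ms = {}, [], []
    for idx, hdr in enumerate(headers):
        prev = last.get(hdr["stream"])
        if prev is not None:
            step = (hdr["seq"] - prev["seq"]) & 0xFFFFFFFF
            if step != 1:
                gaps.append((idx, step))
            ticks = (hdr["ts"] - prev["ts"]) & 0xFFFFFFFF
            deltas_ms.append(ticks * TICK_NS / 1e6)
        last[hdr["stream"]] = hdr
    return gaps, deltas_ms


def sample_flow():
    """Constructed input: the page's four timestamps with made-up sequence
    numbers that wrap past 2**32 and then skip one (a lost frame)."""
    seqs = (0xFFFFFFFE, 0xFFFFFFFF, 0x00000000, 0x00000002)
    stamps = (0xD793A20E, 0xD7944E96, 0xD794FB1D, 0xD795A7A5)
    return [parse_exfo(PAGE_EXAMPLE[:8] + struct.pack(">II", s, t)
                       + PAGE_EXAMPLE[16:]) for s, t in zip(seqs, stamps)]
```

Feed `parse_exfo` the bytes that follow the inner Ethernet header of each frame, then pass the non-None results to `check_flow` in capture order.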

Prerequisites

$ sudo apt-get install tshark

Example Good Output

$ ./packet_order.py EXFO\ in\ L2VPN.pcapng
100 packets decoded from EXFO in L2VPN.pcapng


Non-EXFO packets found: 0
EXFO packets found: 100
Total SEQ OOO: 0
Total lost packets: 0
Mean timestamp diff 2.43ms
Mode timestamp diff 2.43ms
Median timestamp diff 2.43ms

Example Bad Output

The "good" PCAP which contains 100 EXFO packets, all in order, has been modified to demonstrate network packet loss and re-ordering. Packet 11 has been dropped, and packets 21 and 22 are reversed.

$ ./packet_order.py EXFO\ in\ L2VPN\ -\ bad.pcapng
99 packets decoded from EXFO in L2VPN - bad.pcapng
Out of sequence packet found: seq diff is 0x2 2
Pkt 9: seq 0x000b033f 721727 0.11.3.63
Pkt 10: seq 0x000b0341 721729 0.11.3.65
Seq num is 1 packet(s) early/late
Found 0 inbetween seq nums
Couldn't find 1 sequence number(s) in pcap, assume lost?

Out of sequence packet found: seq diff is 0x2 2
Pkt 18: seq 0x000b0349 721737 0.11.3.73
Pkt 19: seq 0x000b034b 721739 0.11.3.75
Seq num is 1 packet(s) early/late
Found all 1 inbetween seq nums in pcap, none are missing



Non-EXFO packets found: 0
EXFO packets found: 99
Total SEQ OOO: 2
Total lost packets: 1
Mean timestamp diff 2.46ms
Mode timestamp diff 2.43ms
Median timestamp diff 2.43ms

Languages

Language:Python 100.0%