This protocol is used by Cisco to measure latency and jitter between two devices. It is a Cisco proprietary protocol, and not all aspects have been fully reverse engineered yet. NB! Most of this is some level of guesswork based on the Cisco SLA RFC draft and some trial runs when testing things out.
- UDP: Uses 1967/udp for control traffic
A 52-byte control packet is sent to port 1967/udp, which initiates the IP SLA session for jitter and latency measurement on UDP port 4243 on destination 220.127.116.11.
- Header = 01:0f:00:34:00:00:00:00:00
- Measure = 04:00:10:00:00:00:00:d5:9d:5b:eb:10:93:14:50:00
- Unknown data = 01:00:1c:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
This can be dissected into the following fields:

| Bits | Field |
|---|---|
| 0-7 | Version (will be 1) |
| 24-55 | Total length of message |

After this you get some variable data. In the example packet, we receive a measure request. Offsets are relative to the header.

| Bits | Field |
|---|---|
| 40-71 | Target IPv4 address |

At the moment it would seem that, depending on something, you send either the received message back, as is, or you send 010f00080000000000000000 back to the other station. It is unclear when to do which.
For message type 4, there are two kinds of measures: millisecond or microsecond resolution measurement. The microsecond packet is yet to be analysed, but the millisecond message format is as follows:

| Bits | Field |
|---|---|
| 16-31 | Flags (we have observed values 00 02, 00 04, 00 06, 00 0d) |
| 32-63 | 4 byte value, milliseconds from midnight, UTC. Sender sets this |
| 64-95 | 4 byte value, milliseconds from midnight, UTC. Responder sets this |
| 96-111 | Sender sequence number |
| 112-127 | Responder sequence number (copied from sender) |

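A small decoder for the millisecond-resolution message laid out above, given here as an added example (it is not Wireshark or Cisco code). It assumes network byte order, carries the undocumented bits 0-15 as an opaque value, and assumes the responder echoes the flags unchanged; `PROBE`, `parse_probe`, `build_reply` and `delay_ms` are names chosen for this example.

```python
import struct
from datetime import datetime, timezone

MS_PER_DAY = 86_400_000
# Assumption: network byte order (the page does not state it). Bits 0-15 are
# not described on the page, so they are carried through as an opaque value.
PROBE = struct.Struct("!HHIIHH")  # opaque, flags, sender ts, responder ts, sender seq, responder seq

def ms_since_midnight_utc(now=None):
    """Milliseconds since midnight UTC, the timestamp unit the page describes."""
    t = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return (t.hour * 3600 + t.minute * 60 + t.second) * 1000 + t.microsecond // 1000

def parse_probe(data):
    """Decode the 16 documented bytes; reject truncated or implausible input."""
    if len(data) < PROBE.size:
        raise ValueError(f"need {PROBE.size} bytes, got {len(data)}")
    opaque, flags, s_ts, r_ts, s_seq, r_seq = PROBE.unpack_from(data)
    if s_ts >= MS_PER_DAY or r_ts >= MS_PER_DAY:
        raise ValueError("timestamp is not a millisecond-of-day value")
    return {"opaque": opaque, "flags": flags, "sender_ts": s_ts,
            "responder_ts": r_ts, "sender_seq": s_seq, "responder_seq": r_seq}

def build_reply(data, now_ms=None):
    """Responder side: stamp the receive time and copy the sender sequence number.
    Assumption: flags and any trailing bytes are echoed unchanged."""
    p = parse_probe(data)
    now_ms = ms_since_midnight_utc() if now_ms is None else now_ms % MS_PER_DAY
    head = PROBE.pack(p["opaque"], p["flags"], p["sender_ts"], now_ms,
                      p["sender_seq"], p["sender_seq"])
    return head + bytes(data[PROBE.size:])

def delay_ms(sender_ts, responder_ts):
    """Signed sender-to-responder delay. Folding into +/- half a day handles a
    probe that straddles midnight UTC as well as small negative clock skew."""
    d = (responder_ts - sender_ts) % MS_PER_DAY
    return d - MS_PER_DAY if d > MS_PER_DAY // 2 else d

# Constructed sample: flags 00 02, sent 10 ms before midnight, sequence 7.
SAMPLE_PROBE = PROBE.pack(0, 0x0002, MS_PER_DAY - 10, 0, 7, 0)

if __name__ == "__main__":
    reply = parse_probe(build_reply(SAMPLE_PROBE, now_ms=15))
    print(reply, delay_ms(reply["sender_ts"], reply["responder_ts"]))
```

The computed delay is only meaningful when both stations' clocks are synchronized.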
There is currently no dissector for this protocol.
Example of millisecond resolution jitter measure between two stations:
Imported from https://wiki.wireshark.org/Cisco-IPSLA on 2020-08-11 23:12:16 UTC