With some more debugging, some fun with Wireshark scripting and a closer look, a pretty obvious issue has been resolved. GPRS for us actually runs over IP: UDP carries NS (a simple header with the address and the type of the message), NS carries BSSGP (the protocol between the SGSN and the BSS), and the actual user data is an LLC frame at the end of the BSSGP PDU. The LLC frame is part of the BSSGP payload as a TLV (Tag, Length, Value) information element.
I created a simple setup that worked. It involved getting the traffic from the BTS, relaying it with a simple Smalltalk script (I had to make some fixes to GNU Smalltalk), and sending it on to another SGSN. With a small variation, sending the data through our proxy, I made the nanoBTS crash.
From observations I found that the other SGSN pads the FLOW-CONTROL-BVC-ACK and FLOW-CONTROL-MS-ACK packets to 28 bytes, but padding or not padding had no effect on the crash.
The next observation (before I tried doing it manually) was that I now had each packet twice: once as it came from the SGSN and once as it looked after our proxy. Apparently the proxy truncated the UDP packets....
So what errors have happened?
- The nanoBTS accesses random memory on short LLC frames and crashes; instead of crashing it should send a STATUS (I think BSSGP) returning our
- The Wireshark BSSGP dissector does not check the size of the LLC frame against the remaining bytes of the PDU (I created a bug report with a patch).
- The proxy code was not reading the whole datagram and we had to increase the buffer size; according to the spec the maximum size is 1600 bytes for Frame Relay... we now have a slightly bigger message...
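To make the three items concrete, here is an added example in Python (mine, written for this post; not code from OpenBSC, the proxy, Wireshark or the nanoBTS firmware): a bounds-checked walk from NS-UNITDATA through BSSGP DL-UNITDATA and its TLV IEs down to the LLC-PDU, which is exactly the check the dissector and the BTS were missing. It wraps a constructed 1500-byte LLC frame (not a capture), truncates the datagram the way our proxy did, and has the receiver answer with a BSSGP STATUS instead of reading past the buffer. The PDU types, IEIs and the cause value are per my reading of 3GPP TS 48.016/48.018 and should be verified against the spec before reuse.

```python
import struct

# Constants per my reading of 3GPP TS 48.016 (NS) and TS 48.018 (BSSGP);
# treat them as assumptions and check them against the spec before reuse.
NS_UNITDATA = 0x00           # NS PDU type carrying a BSSGP PDU
BSSGP_DL_UNITDATA = 0x00     # BSSGP PDU type, SGSN -> BSS user data
BSSGP_STATUS = 0x41          # BSSGP PDU type reporting a protocol error
IEI_CAUSE = 0x07
IEI_LLC_PDU = 0x0E
IEI_PDU_IN_ERROR = 0x15
CAUSE_PROTOCOL_ERROR = 0x27  # "Protocol error - unspecified"


class NsError(ValueError):
    """Malformed NS PDU: drop the datagram."""


class BssgpError(ValueError):
    """Malformed BSSGP PDU: answer with STATUS, never read past the buffer."""


def parse_tlv(buf, pos):
    """Parse one BSSGP TLV IE at buf[pos:], returning (iei, value, next_pos).
    Length is one octet (7 bits) if bit 8 of the first length octet is set,
    else two octets (15 bits). Every read is checked against len(buf)."""
    if pos + 2 > len(buf):
        raise BssgpError("truncated IE header at offset %d" % pos)
    iei, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        length, pos = first & 0x7F, pos + 2
    else:
        if pos + 3 > len(buf):
            raise BssgpError("truncated two-octet length of IE 0x%02x" % iei)
        length, pos = ((first & 0x7F) << 8) | buf[pos + 2], pos + 3
    if pos + length > len(buf):
        raise BssgpError("IE 0x%02x claims %d bytes, only %d left"
                         % (iei, length, len(buf) - pos))
    return iei, buf[pos:pos + length], pos + length


def parse_ns_unitdata(dgram):
    """NS-UNITDATA: PDU type, control bits, BVCI, then the BSSGP PDU."""
    if len(dgram) < 4 or dgram[0] != NS_UNITDATA:
        raise NsError("not a well-formed NS-UNITDATA")
    bvci = struct.unpack("!H", dgram[2:4])[0]
    return bvci, dgram[4:]


def parse_dl_unitdata(pdu):
    """DL-UNITDATA: type, TLLI (4 octets, V), QoS Profile (3, V), then TLVs."""
    if len(pdu) < 8 or pdu[0] != BSSGP_DL_UNITDATA:
        raise BssgpError("not a well-formed DL-UNITDATA header")
    tlli = struct.unpack("!I", pdu[1:5])[0]
    ies, pos = {}, 8
    while pos < len(pdu):
        iei, value, pos = parse_tlv(pdu, pos)
        ies[iei] = value
    if IEI_LLC_PDU not in ies:
        raise BssgpError("missing mandatory LLC-PDU IE")
    return tlli, ies


def build_tlv(iei, value):
    if len(value) < 0x80:
        return bytes([iei, 0x80 | len(value)]) + value
    return bytes([iei, (len(value) >> 8) & 0x7F, len(value) & 0xFF]) + value


def build_dl_unitdata(tlli, llc):
    return (bytes([BSSGP_DL_UNITDATA]) + struct.pack("!I", tlli)
            + b"\x00\x00\x00" + build_tlv(IEI_LLC_PDU, llc))


def build_ns_unitdata(bvci, bssgp):
    return bytes([NS_UNITDATA, 0x00]) + struct.pack("!H", bvci) + bssgp


def build_status(cause, pdu_in_error):
    return (bytes([BSSGP_STATUS]) + build_tlv(IEI_CAUSE, bytes([cause]))
            + build_tlv(IEI_PDU_IN_ERROR, pdu_in_error))


def handle_datagram(dgram):
    """What a BSS should do with one UDP datagram from the SGSN: ("llc", tlli,
    frame) for a good PDU, ("status", status_pdu) when an IE overruns the
    datagram, ("drop", reason) for an NS-level problem. No out-of-bounds reads."""
    try:
        _bvci, bssgp = parse_ns_unitdata(dgram)
    except NsError as e:
        return ("drop", str(e))
    try:
        tlli, ies = parse_dl_unitdata(bssgp)
    except BssgpError:
        return ("status", build_status(CAUSE_PROTOCOL_ERROR, bssgp))
    return ("llc", tlli, ies[IEI_LLC_PDU])


# Constructed sample (not a capture): a 1500-byte LLC frame gives a 1515-byte
# datagram. A proxy that recv()s into a 1500-byte buffer, as ours did, silently
# truncates it, and the LLC-PDU IE then claims more bytes than were received.
LLC_FRAME = bytes(range(256)) * 5 + bytes(220)          # 1500 bytes
GOOD_DGRAM = build_ns_unitdata(1, build_dl_unitdata(0xC0FFEE01, LLC_FRAME))
TRUNCATED_DGRAM = GOOD_DGRAM[:1500]                     # what the old proxy forwarded

if __name__ == "__main__":
    print(handle_datagram(GOOD_DGRAM)[0], handle_datagram(TRUNCATED_DGRAM)[0])
```

The receiver-side rule is the one-line check in parse_tlv: an IE may only be consumed if its declared length fits in the bytes actually received. The proxy-side fix is separate and simpler: read each datagram into a buffer at least as large as the biggest NS PDU the peer may send, and log (rather than forward) anything that fills the buffer completely, since a full buffer usually means truncation.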