The Corelatus Blog
E1/T1 and SDH/SONET telecommunications

Figuring out a Corelatus module's (forgotten) IP address

Posted July 3rd 2017

If you have a Corelatus module but don't know what the IP address is, you can figure it out by power cycling and then sniffing on UDP port 9—a newly booted module will broadcast its address every couple of minutes. The broadcasts stop as soon as you connect to the module's HTTP server (port 8888), the API (port 2089) or the SSH CLI.

Step by step

To do this, you need a laptop with an ethernet port, an ethernet cable and software to sniff ethernet. In this post, I'm using a 'Thinkpad 13' with a USB ethernet dongle, running Linux. I sniff the packets with 'tcpdump'. 'Wireshark' works well too, especially with Windows.

1. Connect the ethernet cable

Plug the the ethernet cable in to 'eth1' on the Corelatus module and in to the ethernet port on your laptop. In less than a second, the ethernet link is established and the LEDs for 'eth1' on the Corelatus module will look like this:

Corelatus GTH 2.1 module with ethernet link established

By connecting the ethernet cable directly instead of through a switch, router or gateway, we can be sure that we're seeing exactly what comes out of the Corelauts module and we can also be sure that nothing else will try and control the module.

2. Figure out which ethernet port to sniff on

Many laptops have multiple ethernet interfaces. Here's one way to list them: 

  matthias@eldo:~$ sudo ifconfig
  enp0s31f6: flags=4099 UP,BROADCAST,MULTICAST  mtu 1500
  ether 54:ab:3a:a5:47:e7  txqueuelen 1000  (Ethernet)
  RX packets 0  bytes 0 (0.0 B)
  RX errors 0  dropped 0  overruns 0  frame 0
  TX packets 0  bytes 0 (0.0 B)
  TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  device interrupt 16  memory 0xf1100000-f1120000

  enx98ded01f64bc: flags=4099 UP,BROADCAST,MULTICAST  mtu 1500
  ether 98:de:d0:1f:64:bc  txqueuelen 1000  (Ethernet)
  ...

Another way to list them is with 'tcpdump --list-interfaces'. In 'wireshark', there's a menu which shows the same thing. If there are multiple Ethernet interfaces, you can either take an educated guess as to which is the wired port, or just try each one in sequence.

3. Start sniffing

With 'tcpdump', these commands work well: 

  matthias@eldo:~$ sudo ifconfig enx98ded01f64bc up

  matthias@eldo:~$ sudo tcpdump --interface=enx98ded01f64bc -n -X port 9
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on enx98ded01f64bc, link-type EN10MB (Ethernet), capture size 262144 bytes

I've restricted the capture to the wired interface, 'enx98...', to avoid being distracted by a flood of packets from WiFi.

4. Cycle power on the Corelatus module

Remove all power to the Corelatus module. Then plug power back in. A cold boot takes about 40 seconds. After a further 60 seconds, the module will send a broadcast packet which shows its IP address: 

  23:24:18.492770 IP 172.16.2.5.57255 > 172.16.255.255.9: UDP, length 65
  0x0000:  4500 005d 0000 4000 4011 e06a ac10 0205  E..]..@.@..j....
  0x0010:  ac10 ffff dfa7 0009 0049 bc09 4754 4820  .........I..GTH.
  0x0020:  7069 6e67 2e20 5365 6520 6874 7470 3a2f  ping..See.http:/
  0x0030:  2f77 7777 2e63 6f72 656c 6174 7573 2e63  /www.corelatus.c
  0x0040:  6f6d 2f67 7468 2f66 6171 200a 4d61 736b  om/gth/faq..Mask
  0x0050:  3a20 3235 352e 3235 352e 302e 30         :.255.255.0.0

The packet above shows that the IP address is 172.16.2.5. The last line of the capture also tells us that the network mask is 255.255.0.0.

Permalink | Tags: GTH