
ANCP in Wireshark

Last Updated : 21 Aug, 2022

ANCP (Access Node Control Protocol) is a control protocol used between a broadband Access Node (AN, typically a DSLAM or OLT) and a Network Access Server (NAS/BNG). It is specified in RFC 6320 and is derived from GSMP. The NAS and AN exchange topology information (which subscriber lines are up, at what rate), line configuration and OAM requests over a single long-lived TCP connection; the NAS listens on TCP port 6068, which IANA registers as "gsmp" and which Wireshark labels that way in the decode further down.

ANCP is a binary protocol, not a text protocol. Every message is preceded by a 4-byte encapsulation header (identifier 0x880C, then a 16-bit length of the message that follows), after which come the Version and Message Type octets and a fixed message body, optionally followed by a list of TLVs padded to 4-byte boundaries. Wireshark ships a dissector ("Access Node Control Protocol") that decodes these fields, as shown in the example below.

Steps to View ANCP Messages in Wireshark:

  • Capture on the interface between the AN and the NAS, or open an existing capture file.
  • Type `ancp` in the display filter bar and apply it; this keeps only packets the ANCP dissector recognised. `tcp.port == 6068` shows the same TCP connection including the bare TCP handshake and keep-alives.
  • If ANCP is running on a port other than 6068, use Analyze > Decode As..., add an entry for that TCP port, and choose ANCP as the protocol.
  • Select a packet and expand "Access Node Control Protocol" in the Packet Details pane to see the decoded fields.
  • To follow one adjacency handshake (SYN, SYNACK, ACK) end to end, right-click a packet and choose Follow > TCP Stream.
  • From the command line, the same filter works with tshark: `tshark -r capture.pcap -Y ancp -V`.

Wireshark shows only what is on the wire. From an ANCP capture you can learn the sender and receiver names (6-byte identifiers, normally MAC addresses), the adjacency instances and partition, the access technology and the capabilities each side advertises, and from the TCP layer which addresses and ports are in use. It will not tell you the hardware model or software version of the access node or NAS; for that you need the devices' own management interfaces or an inventory tool.

Key Points:

  • ANCP is a binary, TLV-based protocol carried over TCP (port 6068 by default), not a text protocol.
  • Wireshark selects packets for the ANCP dissector by TCP port, not by packet length; use the `ancp` display filter to see only decoded ANCP messages, or Decode As for non-default ports.
  • The "Length" Wireshark shows is the value from the 4-byte encapsulation header and excludes that header, so a message with Length 44 occupies 48 bytes of TCP payload.
  • The Adjacency message (Message Type 10) carries the SYN/SYNACK/ACK/RSTACK handshake that brings up and tears down the AN-NAS session, plus the list of capabilities each side supports.
  • The "Timer" field is stored in units of 100 ms; Wireshark displays it already multiplied out.

Example:

ANCP Adjacency (SYN) message with capabilities (Topology-Discovery and OAM):

Internet Protocol, Src: 192.168.1.0 (192.168.1.0),
 Dst: 192.168.2.0 (192.168.2.0)
Transmission Control Protocol, 
Src Port: 18717 (18717),
 Dst Port: gsmp (6068), Seq: 1, Ack: 1, Len: 48
Access Node Control Protocol
    Length: 44
    Version: 0x31 (3.1)
    Message Type: Adjacency (10)
    Timer: 100 msec
    .000 0001 = Code: 1 (Syn, M Flag Unset)
    Sender Name: ab:bc:cd:00:8c:00 (ab:bc:cd:00:8c:00)
    Receiver Name: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Sender Port: 80
    Receiver Port: 415
    Partition Info: 0x01 (Type = 0, Flag = 1)
    Sender Instance: 1
    Partition ID: 0
    Receiver Instance: 0
    Tech Type: DSL (5)
    Num TLVs: 2
        Length: 8
        Capability: Dynamic-Topology-Discovery (1) (0 bytes)
        Capability: OAM (4) (0 bytes)
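To make the field layout behind that decode concrete, here is a small encoder/decoder for the ANCP Adjacency message. This is an added example written for this article, not Wireshark's dissector or any vendor code. It follows the RFC 6320 Adjacency layout (4-byte encapsulation header, then Version, Message Type, Timer, M-flag/Code, two 6-byte names, two 32-bit ports, partition info and instances, Tech Type, TLV count and length, then 4-byte-aligned TLVs). The sample bytes are constructed to reproduce the SYN shown above; the names `build_adjacency`, `parse_adjacency` and `is_well_formed` are this example's own. The parser checks every declared length against the bytes actually present, which is the part a dissector gets wrong most often.

```python
"""Minimal RFC 6320 ANCP Adjacency message encoder/decoder (added example)."""
import struct

ENCAP_ID = 0x880C                 # GSMP-over-TCP encapsulation identifier
MSG_ADJACENCY = 10
ADJ_CODES = {1: "SYN", 2: "SYNACK", 3: "ACK", 4: "RSTACK"}
CAPABILITIES = {1: "Dynamic-Topology-Discovery", 2: "Line-Configuration",
                3: "Transactional-Multicast", 4: "OAM"}
TECH_TYPES = {0: "Any", 1: "PON", 5: "DSL"}
FIXED_LEN = 36                    # adjacency body up to the start of the TLV list


def build_adjacency(code, sender_name, receiver_name, sender_port, receiver_port,
                    sender_instance, receiver_instance, capabilities,
                    version=0x31, timer_100ms=1, m_flag=0, ptype=0, pflag=1,
                    partition_id=0, tech_type=5):
    """Encode an Adjacency message whose TLV list is zero-length Capability TLVs."""
    tlvs = b"".join(struct.pack("!HH", cap, 0) for cap in capabilities)
    body = struct.pack("!BBBB", version, MSG_ADJACENCY, timer_100ms,
                       (m_flag << 7) | (code & 0x7F))
    body += bytes(sender_name) + bytes(receiver_name)
    body += struct.pack("!II", sender_port, receiver_port)
    body += struct.pack("!B", (ptype << 4) | pflag) + sender_instance.to_bytes(3, "big")
    body += struct.pack("!B", partition_id) + receiver_instance.to_bytes(3, "big")
    body += struct.pack("!BBH", tech_type, len(capabilities), len(tlvs)) + tlvs
    return struct.pack("!HH", ENCAP_ID, len(body)) + body   # header length excludes itself


def parse_tlvs(buf, count):
    """Walk the TLV list with explicit bounds checks; TLVs are padded to 4 bytes."""
    tlvs, off = [], 0
    for _ in range(count):
        if off + 4 > len(buf):
            raise ValueError("TLV header runs past declared TLV length")
        ttype, tlen = struct.unpack_from("!HH", buf, off)
        if off + 4 + tlen > len(buf):
            raise ValueError("TLV value runs past declared TLV length")
        tlvs.append((ttype, buf[off + 4:off + 4 + tlen]))
        off += 4 + ((tlen + 3) & ~3)
    return tlvs


def parse_adjacency(data):
    """Decode one encapsulated Adjacency message from untrusted bytes."""
    if len(data) < 4:
        raise ValueError("short encapsulation header")
    ident, length = struct.unpack_from("!HH", data, 0)
    if ident != ENCAP_ID:
        raise ValueError("bad encapsulation identifier 0x%04x" % ident)
    body = data[4:4 + length]
    if len(body) != length or length < FIXED_LEN:
        raise ValueError("truncated ANCP message")
    version, mtype, timer, mcode = struct.unpack_from("!BBBB", body, 0)
    if mtype != MSG_ADJACENCY:
        raise ValueError("not an Adjacency message (type %d)" % mtype)
    sender_port, receiver_port = struct.unpack_from("!II", body, 16)
    tech_type, num_tlvs, tlv_len = struct.unpack_from("!BBH", body, 32)
    if FIXED_LEN + tlv_len > length:
        raise ValueError("TLV length exceeds message length")
    caps = parse_tlvs(body[FIXED_LEN:FIXED_LEN + tlv_len], num_tlvs)
    return {
        "length": length,
        "version": "%d.%d" % (version >> 4, version & 0xF),
        "timer_ms": timer * 100,                       # Timer is in 100 ms units
        "m_flag": mcode >> 7,
        "code": ADJ_CODES.get(mcode & 0x7F, "unknown"),
        "sender_name": body[4:10].hex(":"),
        "receiver_name": body[10:16].hex(":"),
        "sender_port": sender_port,
        "receiver_port": receiver_port,
        "ptype": body[24] >> 4, "pflag": body[24] & 0xF,
        "sender_instance": int.from_bytes(body[25:28], "big"),
        "partition_id": body[28],
        "receiver_instance": int.from_bytes(body[29:32], "big"),
        "tech_type": TECH_TYPES.get(tech_type, str(tech_type)),
        "capabilities": [CAPABILITIES.get(t, str(t)) for t, _ in caps],
    }


def is_well_formed(data):
    """True if the bytes decode as a complete Adjacency message, False otherwise."""
    try:
        parse_adjacency(data)
        return True
    except ValueError:
        return False


# Constructed sample: the SYN from the decode above, rebuilt byte for byte.
SAMPLE_SYN = build_adjacency(
    code=1, sender_name=bytes.fromhex("abbccd008c00"), receiver_name=bytes(6),
    sender_port=80, receiver_port=415, sender_instance=1, receiver_instance=0,
    capabilities=[1, 4])

if __name__ == "__main__":
    for key, value in parse_adjacency(SAMPLE_SYN).items():
        print("%-18s %s" % (key, value))
```

Running the block prints the same fields Wireshark shows for the SYN (Length 44, version 3.1, code SYN, sender port 80, receiver port 415, Tech Type DSL, two capabilities). Feeding it a copy of the message with the last TLV cut off, or with the Total TLV Length field raised above the message length, makes `parse_adjacency` raise instead of reading past the buffer, which is the behaviour you want from anything that parses control-plane traffic from a device you do not fully trust.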

Countermeasures:

  1. ANCP carries no authentication or encryption of its own; it is designed for a closed network between the AN and the NAS. Keep that traffic on a dedicated management VLAN or link, and where it has to cross a segment you do not control, protect the TCP connection with IPsec.
  2. On firewalls and ACLs between access and core, permit TCP port 6068 only between the known AN and NAS addresses and deny it everywhere else; there is no separate "ANCP protocol number", it is ordinary TCP.
  3. Baseline the adjacency: once the session is up you should see only periodic Adjacency ACKs. An unexpected SYN or RSTACK, or a sender name that is not one of your access nodes, is worth alerting on, because a peer that can complete the handshake can influence which subscriber lines the NAS believes are up.

Conclusion: 

Wireshark is an excellent tool for finding and decoding ANCP messages: apply the `ancp` filter, expand the protocol tree, and every field of the adjacency handshake and the later port messages is laid out for you. Remember that Wireshark is a passive analyzer. It can capture encrypted traffic, but it can only decode what it has keys for; ANCP is sent in the clear, so Wireshark decodes it completely, and so can anyone else with a tap on the same path. That is the reason to keep the AN-NAS network isolated rather than a reason to distrust the tool.
