FMADIO Packetscope2 is a protocol discovery / analysis tool designed to understand what kind of traffic is on the network.
Supported Protocols
List of the protocols and the encapsulation depth of each one
4 Layers x Ethernet
8 Layers x VLAN (both 0x8100, 0x9100 and QinQ)
8 Layers x MPLS
6 Layers x IPv4
4 Layers x IPv6
4 Layers x GRE tunneling (Including ERSPAN1, ERSPAN2, ERSPAN3)
4 Layers x TCP
4 Layers x UDP
4 Layers x VXLAN
4 Layers x GENEVE
4 Layers x ICMP
2 Layers x SCTP
1 Layer x GTPC
1 Layer x GTPU
ESP decode (IPSec)
Pseudo Wire decode (L2 encapsulation)
The protocols are decoded, written out in a JSON format and loaded into an SQL database in a non-real-time mode. Once the data is in the database, Grafana is used to visualize the traffic.
Basic Protocol Encapsulation
An example decode is shown below. This example is a basic IPv4 UDP traffic pattern.
The IPv4 and UDP port numbers are shown below. This traffic has only 1 layer of IPv4 and UDP.
Multiple Encapsulation
The above is a simple ipv4:udp-like protocol stack. The utility is designed for decoding more complicated network topologies. Below is such an example.
In the above analysis we see 30-40 different VLANs on the network, with :ether:ipv4:udp and VLAN 2055 taking the majority of the traffic.
One can filter just the UDP traffic by selecting the frameProto and filtering on “udp”.
This selects just the ether:ipv4:udp traffic. From here we see there are no VLAN or MPLS tags.
There is a single IPv4 layer with a number of different UDP ports.
Filtering on Outer VLAN
One can filter on the outer VLAN, in this case VLAN 2055, by selecting it from the drop-down menu.
This shows that VLAN 2055 is mostly IPv4 UDP and TCP,
with the TCP ports looking like HTTP and HTTPS traffic.
Mobile GTPC GTPU Encapsulation
Mobile mid-plane traffic encapsulation can be quite deep. By default the system will decode all the way inside a GTPU payload, extracting the IP, TCP, UDP, etc. information.
An example is shown below.
This can be drilled down further by selecting only the GTPU inner TCP traffic, as shown below.
Which looks like:
Here there are 4 layers of IPv4 addresses within a single packet,
with 2 layers of UDP (e.g. VXLAN and GTPU/GTPC) and the final inner TCP layer, typically HTTP / HTTPS traffic, all within a single packet.
That is quite a deep encapsulation.
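The following added example (not FMADIO code and not part of the original page) sketches how a decoder can walk nested headers to build a stack label in the page's ether:ipv4:udp style and count layers per protocol, enforcing the depth limits from the supported-protocol list. The label names other than ether, ipv4 and udp, the helper names and the constructed sample frame are assumptions; only Ethernet, VLAN, IPv4, UDP, TCP, VXLAN and GTPU are handled, and GTPU extension headers are assumed absent.

```python
import struct
from collections import Counter
# Depth limits copied from the page's supported-protocol list.
MAX_DEPTH = {"ether": 4, "vlan": 8, "ipv4": 6, "udp": 4, "tcp": 4, "vxlan": 4, "gtpu": 1}

def decode_stack(frame: bytes):
    """Return (stack label, layers per protocol) for one Ethernet frame."""
    stack, depth, off, layer = [], Counter(), 0, "ether"
    def push(name):
        depth[name] += 1
        if depth[name] > MAX_DEPTH[name]:
            raise ValueError(f"{name} nested deeper than {MAX_DEPTH[name]} layers")
        stack.append(name)
    while layer:
        push(layer)
        if layer == "ether":
            etype = struct.unpack_from("!H", frame, off + 12)[0]; off += 14
            while etype in (0x8100, 0x9100):      # stacked tags = QinQ
                push("vlan")
                etype = struct.unpack_from("!H", frame, off + 2)[0]; off += 4
            layer = "ipv4" if etype == 0x0800 else None
        elif layer == "ipv4":
            proto = frame[off + 9]
            off += (frame[off] & 0x0F) * 4        # IHL covers IPv4 options
            layer = {6: "tcp", 17: "udp"}.get(proto)
        elif layer == "udp":
            dport = struct.unpack_from("!H", frame, off + 2)[0]; off += 8
            layer = {4789: "vxlan", 2152: "gtpu"}.get(dport)  # IANA ports
        elif layer == "vxlan":
            off += 8; layer = "ether"             # payload is a full Ethernet frame
        elif layer == "gtpu":
            off += 12 if frame[off] & 0x07 else 8 # E/S/PN flags add 4 bytes
            layer = "ipv4" if frame[off] >> 4 == 4 else None
        else:
            layer = None                          # tcp: innermost layer
    return ":".join(stack), dict(depth)
# Constructed sample frame (not captured traffic); checksums left at zero.
def eth(payload, vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan else b""
    return bytes(12) + tag + struct.pack("!H", 0x0800) + payload
def ip(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload
def udp(dport, payload):
    return struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
TCP = struct.pack("!HHIIBBHHH", 40001, 443, 0, 0, 0x50, 0x02, 1024, 0, 0)
GTPU = struct.pack("!BBHI", 0x30, 0xFF, 20 + len(TCP), 1) + ip(6, TCP)
SAMPLE = eth(ip(17, udp(4789, struct.pack("!II", 0x08000000, 100 << 8)
                        + eth(ip(17, udp(2152, GTPU))))), vlan=2055)
```

Calling `decode_stack(SAMPLE)` yields the label and per-protocol layer counts for a VLAN 2055 frame carrying VXLAN, then GTPU, then inner TCP; a truncated frame raises `struct.error` or `IndexError` rather than returning a partial label.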