While investigating a connection issue between two DMAs in our cluster, we observed traffic with source port 4222 using a protocol called Radio Signalling Link. Many of the packets using this protocol are malformed. I did some research on this protocol and it seems to be a protocol used in telecommunications networks between transceiver stations and station controllers. It seems odd that this traffic is being seen between two Windows server hosted DMAs on an enterprise network. We also do not see this traffic between all of our DMAs, just ones in particular security zones.
I am curious about the function of this protocol within NATS.
Hi Ryan, I'm not aware of the RSL protocol being used by NATS or DataMiner, would it be possible that there is another application on those servers or a device in those security zones that is using this RSL protocol? Would it be possible that the network traffic monitor is incorrectly recognizing some messages as RSL while they are actually NATS messages?
@Floris Cockaerts: That is interesting that you observed the same phenomenon after updating WireShark to the latest version. We just updated WireShark as well, and I had not noticed this traffic prior to the update.
After doing more investigation into this traffic, which is present on our other clusters, I agree that the most plausible scenario seems to be WireShark misidentifying packets. Thank you everyone for answering and looking into this!
This seems like the most plausible scenario to me too. A tool like Wireshark will assume the communication protocol based on the network port, and not the packet contents, and a port like 4222 isn’t a well-established protocol port and is used by multiple protocols.
EDIT:
Updated my local Wireshark to the latest version and captured a bit more traffic. It seems like Wireshark recognizes some of the packets as RSL, even though they’re all part of a single NATS TCP stream. Presumably the raw contents of these packets are tripping up the protocol detection in Wireshark.