X.25 network tracing for Internet users
Dennis Jackson
JANET-CERT Coordinator
UKERNA, Atlas Centre,
Chilton, Didcot, Oxfordshire   OX11 0QS,   UK
Tel: +44 235 445375          Fax: +44 235 445125
D.Jackson@ukerna.ac.uk

Abstract

Hackers use X.25 networks to attack computer systems around the world. In 
The Cuckoo's Egg Clifford Stoll describes many difficulties in tracing attackers 
coming across the public X.25 network. There are techniques a system 
administrator can use to identify the origin of the attacks and follow the actions 
of the intruders. This paper will describe some of these techniques - techniques 
that have been used to trace and apprehend computer criminals.
Introduction
Many Internet users seem to view X.25 networks as mysterious.  They view X.25 
networks as an alien invention and only used by telecommunications carriers to achieve 
international connectivity. It is true that X.25 technology has been used to construct the 
most pervasive data network. The global public data network formed by the PTTs 
connects at least 95 different countries.
Internet administrators may assume that tracing attackers across an X.25 network is 
almost impossible. The descriptions given in Clifford Stoll's book The Cuckoo's Egg 
reinforce this impression. In chapter 29 he describes the process of contacting Ron 
Vivier at Telenet who then contacts Steve White and so on back to Hannover in 
Germany.
In reality, tracing attacks across an X.25 network is as easy (or difficult) as on a 
TCP/IP network.
It should be remembered that it is not just the global public data network that uses 
X.25. There are many private and corporate networks that also use X.25. Some of the 
techniques described here are equally applicable to private networks.
Dealing with attacks that take place across an X.25 network needs the ability to
�	monitor the traffic
�	check the system logs
�	identify the origin and target of calls
The Hidden Origin
Public X.25 network addresses are treated as �ex-directory�. That is, there is no 
published list of subscribers and their corresponding network numbers. This creates the 
problem that the origin or target of attacks cannot be readily identified. The network 
provider can translate numbers to names but they will not divulge this information to an 
ordinary system administrator - especially a system administrator in another country.
Law enforcement officers can usually obtain such information for connections in their 
own area. But, a single intrusion can yield dozens of numbers that may need 
identifying. Translating international numbers can be almost impossible. It is known 
that hackers maintain lists of names and network addresses. They use these to choose 
new victims. Anything that can be done to simplify the translation of numbers to names 
will speed the work of someone investigating an attack.
Technical Background
Both TCP/IP and X.25 networks use packet switching techniques to transmit data 
between end systems. The major difference between these systems is architectural. 
TCP/IP networks are usually described as connectionless, while X.25 networks 
provide a connection-mode service. Connectionless communication can be likened to 
the postal service where each packet is independent of all others.1 Connection-mode 
networks are similar to the telephone system where an initial dialogue (with the 
network) establishes a connection to the remote party.
This difference has important consequences for the carriage of addressing information 
within the network. Every IP packet carries the source and destination address. In 
contrast, in X.25 only the initial packet carries the addressing information.2
Subsequent X.25 packets carry a channel number assigned at the start of the 
connection. This logical channel number (LCN) is similar to the port number chosen by 
the user�s end and carried in the TCP header.
Another difference between X.25 and TCP/IP is that every X.25 data packet carries a 
sequence number. The X.25 sequence numbers are used to ensure that the remote 
system receives the packets in the same order that they were sent.
Channel Numbers
The logical channel number assigned at the start of the connection is local to each link in 
the network. Thus the channel number used between the originating system and the 
network will be different from the LCN used between the network and the target 
computer. As an example, in a typical situation, the logical channel numbers used will 
be
                                                           
			Figure 1
One benefit of channel numbers is that it is relatively easy to identify all the packets that 
make up a particular session. Once the call has connected and the logical channel 
number assigned, all subsequent packets in that call will have the same channel 
number. Use of the channel number and packet sequence number will ensure that a 
complete transcript of a session can be extracted from the X.25 data stream.
Monitoring
The use of channel numbers rather than addresses presents an obvious problem. 
Simply tapping the wires and monitoring the session of the hacker will not identify the 
victim nor the origin of the perpetrator. The individual packets passing back and forth 
will only contain the logical channel number. It is necessary to monitor the call being 
established to obtain the two network addresses.
Many devices are available that can monitor, record and display data from a line 
carrying X.25 traffic. Some of these protocol analysers are dedicated devices, while 
others are add-on boards and software for personal computers. These devices exist to 
aid the analysis and resolution of faults. As a result some are not suited to the extraction 
of a session transcript from the data stream. An example of the basic output from a 
protocol analyser is shown in Appendix C.
Computer systems often have the potential for recording a transcript of every packet 
sent or received on the network interface. Obviously, recording all packets like this will 
collect huge amounts of data. Such techniques must be used with care to ensure that the 
filestore is not exhausted.
Digital VAX/VMS
VMS includes extensive facilities for recording and analysing packets sent and received 
on the network connections. The command
$ TRACE /PSI3
starts collection of a trace of the data on a link to an X.25 network.To avoid the tracing 
being made too obvious the process name should be set with the /PROCESS_NAME 
option. Similarly, the name of the output file should be changed with /OUTPUT.
Collection of the trace data is terminated by the command
$ TRACE STOP
Display of the trace data is performed by the command
$ TRACE ANALYSE
This command expands the data into individual packets and decodes their contents. An 
example of the output from this command is given in Appendix D.
SunOS
The X.25 software from Sun Microsystems can record all packets sent and received on 
the network interface. The command to start collection of this log is
% /usr.sunlink/x25/x25trace4
The trace is stopped by interrupting the command or killing the process.
When monitoring a hacker the name and path for the command need to be changed to 
avoid ps(1).
DG/UX
On Data General systems the command
% /usr/bin/x25trace
obtains the raw trace data. Although the information is readable it is not decoded and is 
just produced as hexadecimal text. The command
% /usr/bin/x25decode
can be used to translate the hexadecimal trace data into individual packet types.
Network Records
The network equipment has the potential for recording details of all calls across the 
network. For a public data network, records will be kept to enable bills to be produced 
and customers charged for their usage. However, the information gathered for billing 
purposes is not needed in real time. Not all equipment has the potential for displaying 
details of active calls. Thus it may be necessary to tap the wires and use a line monitor 
to gather real time information.
The target computer also has the potential for recording details of all calls it sends and 
receives. However, in common with other records, computers are often installed with 
this logging disabled.
Digital VAX/VMS
As an example, the software for VMS to connect it to an X.25 network is PSI 
(Packetnet System Interface). The PSI log records details of all activity on the link to 
the X.25 network - incoming and outgoing, bulk and interactive. By default, the log of 
PSI activity is switched off. The command
$ @SYS$MANAGER:PSIACCOUNTING ON
needs to be issued by the system manager to activate collection of this log. Once 
collected the details are displayed by the command
$ ACCOUNTING /PSI5
An example of the output from this command is shown in Appendix E.
Like other VMS logs the PSI records are held in a structured file and the information 
stored as binary data. The command ACCOUNTING /PSI can also act as a filter and 
thereby edit out the data of interest.
SunOS
Sun Microsystem�s X.25 software records the different types of activity in separate 
logs.6 Records of incoming interactive calls are held in /var/adm/x29serverlog. If the 
system is used as a staging point and outgoing interactive calls are made then the details 
are recorded in /usr/tmp/x29userlog.
Both x29serverlog and x29userlog are simple text files. The data can be browsed, 
edited, and printed using standard utilities. Examples of these logs are given in 
Appendix E & F.
Network Addresses
A common task when investigating attacks on an X.25 network is identifying the 
source and target of the activity.
IP networks use a 32-bit field to carry addressing information. This field is treated as 
four binary octets, and written as four decimal numbers separated by periods. X.25 
packets have an address field that can hold a maximum of 15 decimal digits.7 In the 
packet each digit is binary encoded and held in a semi-octet.
International Numbers
The X.25 standard places no limitation on how many of the address digits are used or 
how they are allocated. However, for public data networks the CCITT 
Recommendation X.121 provides some definitions. X.25 addresses on the public 
networks are limited to a maximum of 14 digits. X.121 also defines the first four digits 
as the Data Network Identification Code (DNIC). Of these four digits, the first three 
identify the country while the fourth digit distinguishes a specific network within the 
country. The use of any subsequent digits is left to the discretion of the network 
administration in each country. Details of all country codes and known DNICs are 
given in Appendix A.
In Clifford Stoll�s case the calls were coming in from the address 26245421042148. 
The first four digits, 2624, indicate the Datex-P network in Germany. However, the 
contact in Telenet International was unable to translate the rest of the digits and identify 
the town as Hannover.
National Numbers
Although not necessary, most networks define a fixed number of digits to identify each 
connection point. It would be possible to use a variable number of digits with large 
organisations identified by a small number of digits and vice versa. Any additional 
digits up to the maximum being dealt with by the attached equipment. This arrangement 
would be similar to the Class A, B, and C networks on the Internet.
Fortunately, most public X.25 network use a fixed number of digits to identify 
customer connections. For example, in the USA Telenet uses 12, in Germany Datex-P 
uses 13, Datapac in Canada 12, etc. Where known, the length of network addresses is 
detailed in Appendix B.
Area Codes
Each network will need a mechanism for assigning X.25 addresses to subscribers. 
They could allocate 000001 to the first customer, 000002 to the second, and so on. 
However, this will cause technical problems - each switch in the network will need to 
know how to route calls for every number.
Most networks around the world have chosen to allocate numbers on a regional basis. 
That is, some portion of the number identifies a physical area. Customers in the same 
geographical region will have similar numbers. This is the same technique as that used 
to assign telephone numbers.
If details of these area codes are known then it enables network addresses to be 
narrowed down to individual towns. Experience has shown that many X.25 network 
providers have chosen to use exactly the same area codes as the telephone network. 
Details of the area codes (including real examples) are listed in Appendix B.
As an example, Clifford Stoll�s number 2624542104214 can be translated as
262	Germany (formerly known as Federal Republic of Germany or West 
Germany)
	4	Datex-P (operated by Bundespost)
		5	Permanent connection (in contrast to a dial-up account)
			42	Hannover area code
				104214	subscriber number
Bibliography
Recommendation X.121 International Numbering Plan for Public Data Networks, 
CCITT, 1988.
Clifford Stoll, The Cuckoo�s Egg, Doubleday, 1989, ISBN 0-370-31433-6.
VAX PSI Volume 1 Problem Solving Guide, Digital Equipment Corporation.



Appendix A
The list of country codes is taken from the latest (1988) revision of CCITT 
Recommendation X.121; political events around the world will probably result in 
changes during the 1992 study period.

1111	Atlantic Ocean (INMARSAT Mobile satellite data transmission system)
1112	Pacific Ocean (INMARSAT Mobile satellite data transmission system)
1113	Indian Ocean (INMARSAT Mobile satellite data transmission system)
Country or geographical areas
Non-zoned systems

202	Greece
	2022	Helpac
	2023	-
204	Netherlands
	2041	Datanet 1
	2043	Euronet (ceased)
206	Belgium
	2062	DCS
	2063	Euronet (ceased)
208	France
	2080	Transpac
	2080	Dompac (French Antilles)
	2080	Dompac (French Guiana)
	2080	Transpac (Reunion)
212	Monaco
	2120	-
214	Spain
	2141	TIDA
	2145	Iberpac
216	Hungarian People�s Republic
	2160	Datex-L
	2161	-
218	German Democratic Republic
220	Yugoslavia
	2201	Yupac
222	Italy
	2222	Itapac
	2223	Euronet (ceased)
	2227	Italcable
226	Romania
228	Switzerland
	2283	Euronet (ceased)
	2284	Telepac
	2289	Data-Link
230	Czechoslovak Socialist Republic
232	Austria
	2322	Datex-P
	2329	Radio Austria
234	United Kingdom of Great Britain and 
Northern Ireland
	2341	-
	2342	PSS (British Telecom)
	2343	Euronet (ceased)
	2348	gateway to BT�s telex 
network
235	United Kingdom of Great Britain and 
Northern Ireland
	2350	
	2351	MDNS (Mercury)
	2352	(Hull Telephone Company)
236	United Kingdom
237	United Kingdom
238	Denmark
	2382	Datapak
	2383	Datapak
240	Sweden
	2402	Datapak
	2403	-
	2405	Telepak
242	Norway
	2422	Datapak
244	Finland
	2442	Datapak
	2443	Digipak
250	Union of Soviet Socialist Republics
	2502	Iasnet
260	Poland
262	Germany
	2623	Euronet (ceased)
	2624	Datex-P
266	Gibraltar
268	Portugal
	2680	Telepac
270	Luxembourg
	2703	Euronet (ceased)
	2704	Luxpac
272	Ireland
	2723	Euronet (ceased)
	2724	Eirpac
274	Iceland
	2740	Icepac
276	Albania
278	Malta
	2782	Maltapac
280	Cyprus
	2802	Cytapac
284	Bulgaria
	2841	-
286	Turkey
	2862	-
	2863	Turpac
288	Faroe Islands
	2882	Faroepac
290	Greenland
292	San Marino
	2922	X-Net SMR
302	Canada
	3020	Datapac
	3025	Globedat
	3028	Infoswitch
308	St. Pierre and Miquelon
310	United States of America
	3100	-
	3101	WUTCO
	3103	ITT-UDTS
	3104	MCII-Impacs
	3106	Tymnet
	3107	ITT-UDTS
311	United States of America
	3110	Telenet
	3113	RCA-LSDS
	3119	TRT-Datapak
312	United States of America
	3124	FTCC
	3125	Telenet
	3126	Autonet
313	United States of America
	3132	Compuserve
	3134	Accunet
	3135	Alaskanet
	3136	Marknet
314	United States of America
	3140	SNET
	3141	PDN (Bell Atlantic)
	3142	Pulselink (Bellsouth)
	3143	PSN (Ameritech)
	3144	Infopath (Nynex)
	3145	PPS (Pacific Telesis)
	3146	Microlink II (Southwestern 
Bell)
	3147	Digipac (USWest)
	3148	Pulsenet (Cincinnati Bell)
	3149	Wangpac
315	United States of America
	3150	Globenet
	3152	Hawaii
316	United States of America
330	Puerto Rico
	3300	-
332	Virgin Islands
334	Mexico
	3340	Telepac
338	Jamaica
	-	-
340	French Antilles
	3400	Dompac
342	Barbados
	3420	-
344	Antigua and Barbuda
	-	-
346	Cayman Islands
	-	C and W
348	British Virgin Islands
350	Bermuda
	3503	Bermudanet
352	Grenada
354	Montserrat
356	St. Kitts
358	St. Lucia
360	St. Vincent and the Grenadines
362	Netherlands Antilles
364	Bahamas
	-	IDAS
366	Dominica
368	Cuba
	-	-
370	Dominican Republic
	3701	-
372	Haiti
374	Trinidad and Tobago
	3740	Datanett
	3745	Texdat
376	Turks and Calcos Islands
404	India
	4042	GPSS
410	Pakistan
412	Afghanistan
413	Sri Lanka
414	Burma
415	Lebanon
416	Jordan
417	Syrian Arab Republic
418	Iraq
419	Kuwait
	-	-
420	Saudi Arabia
	4201	Alwaseet
421	Yemen Arab Republic
422	Oman
	-	-
423	Yemen
424	United Arab Emirates
	4243	Emdan
425	Israel
	4251	Isranet
426	Bahrain
	4263	Bahnet
427	Qatar
	-	Dohpak
428	Mongolian People�s Republic
429	Nepal
430	United Arab Emirates (Abu Dhabi)
431	United Arab Emirates (Dubai)
	4310	-
432	Iran
440	Japan
	4400	Global VAN
	4401	DDX-P
	4403	ENS
	4406	Network Info Service
	4408	Venus-P
441	Japan
	4410	NI+C International
	4411	K-Net
450	Korea
	4501	Dacom-Net
452	Viet Nam
454	Hong Kong
	4542	IDAS
	4545	Datapak
455	Macao
456	Democratic Kampuchea
457	Lao People�s Democratic Republic
460	China
	-	-
467	Democratic People�s Republic of Korea
470	Bangladesh
472	Maldives
487	Taiwan
	4872	Pacnet
	4877	UDAS
502	Malaysia
	5021	Maypac
505	Australia
	5052	Austpac
	5053	Data Access
510	Indonesia
	5101	SKDP
515	Philippines
	5151	Capwire
	5156	ETPI
	-	GMCR
	-	Philcom
520	Thailand
	-	IDARC
525	Singapore
	5252	Telepac
528	Brunei Darussalam
530	New Zealand
	5301	Pacnet
535	Guam
	-	
536	Nauru
537	Papua
	-	PNGpac
539	Tonga
540	Solomon Islands
541	Vanuatu
	5410	ViaPac
542	Fiji
543	Wallis and Futuna Islands
544	American Samoa
545	Kiribati
546	New Caledonia and Dependencies
	5460	Tompac
547	French Polynesia
	5470	Tompac
548	Cook Islands
549	Western Samoa
602	Egypt
	-	Arento
603	Algeria
604	Morocco
605	Tunisia
	6050	Red25
606	Libya
607	Gambia
608	Senegal
	6081	Senpac
609	Mauritania
610	Mali
611	Guinea
612	Cote d�Ivoire
	6122	Sytranpac
613	Burkina Faso
614	Niger
	6142	Nigerpac
615	Togolese Republic
	6152	Togopac
616	Benin
617	Mauritius
	6170	Mauridata
	6171	Mauridata
618	Liberia
619	Sierra Leone
620	Ghana
621	Nigeria
622	Chad
623	Central African Republic
624	Cameroon
625	Cape Verde
626	Sao Tome and Principe
627	Equitorial Guinea
628	Gabonese Republic
	6282	Gabonpac
629	Congo
630	Zaire
631	Angola
632	Guinea-Bissau
633	Seychelles
634	Sudan
635	Rwandese
636	Ethiopia
637	Somali Democratic Republic
638	Djibouti
	6382	Djipac
639	Kenya
640	Tanzania
641	Uganda
642	Burundi
643	Mozambique
645	Zambia
646	Madagascar
647	Reunion
648	Zimbabwe
	6482	Zimnet
649	Namibia
	6490	Swanet
650	Malawi
651	Lesotho
652	Botswana
653	Swaziland
654	Comoros
655	South Africa
	6550	Saponet
702	Belize
704	Guatemala
	-	Guatel
706	El Salvador
708	Honduras
	-	-
710	Nicaragua
712	Costa Rica
	-	Radiografica
714	Panama
	-	Intelpaq
716	Peru
	7160	Perunet
722	Argentine Republic
	7222	Arpac
724	Brazil
	7240	Interdata
	7241	Renpac
730	Chile
	7302	Entel
	7303	Chilepac
	7305	Tomnet
732	Colombia
	-	Dapaq
734	Venezuela
736	Bolivia
738	Guyana
740	Ecuador
742	Guiana
744	Paraguay
746	Suriname
748	Uruguay
	7482	Urupac
933	France
	9330	Transpac
	9339	Transpac


Appendix B
These details of area codes as part of X.121 numbers are based on empirical evidence 
.... the numbers allocated to real users and organisations.

Netherlands		Datanet-1	11 digits
2041a......		a = telephone area code
20412900433
    2	Amsterdam
Belgium		DCS	10 digits
2062a.....		a = telephone area code
2062221012
    2	Brussels
France		Transpac	12 digits
2080nn......		nn = administrative department code
208034020258
    34	Montpelier(
Yugoslavia		Yupak	12 digits
2201aa......		aa = telephone area code
220161140001
    61	Ljubljana
Switzerland		Telepac	11 digits
2284.......
United Kingdom		PSS	12 digits
2342aaa.....		aaa = telephone area code
234219200100
    1920	London, Waterloo
234231300102
    31	Edinburgh
234253300124
    533	Leicester
USSR			Iasnet	10 digits
2502......
Federal Republic of Germany	Datex-P	13 digits
26244........		dial-up connection
26245aaa.....		aaa = telephone area code
26245221040006
     221	Cologne
26245300040023
     30	Berlin
Portugal		Telepac	12 digits
2680........
Luxembourg		Luxpac	11 digits
2704.......
Irish Republic		Eirpac	12 digits
2724........
Canada		Datapac	12 digits
3020........
United States of America		Telenet	12 digits
3110aaa.....		aaa = telephone area code
311041200670
    412	Pittsburgh(Pa)
United States of America		Uninet
3125aaa		aaa = telephone area code
312530300007
    303	Boulder(Colo)
United States of America		Accunet	12 digits
3134........
United States of America		Hawaii
3152aaa		aaa = telephone area code
Japan			DDX-P	11 digits
4401.......
Japan			Venus-P	12 digits
4408........
Australia		Austpac	12 digits
5052a.......		a = telephone area code
505233422000
    3	Melbourne
New Zealand		Pacnet	12 digits
5301........
South Africa		Saponet	12 digits
6550........

United Kingdom		PSS
	2342aaaabbbbxx
	aaaa is the area code and uses the same numbers as telephone dialing codes 
(without the leading zero)
	bbbb allocated according to the type of service provided to the customer
	<400 a fixed line to a computer
234219200100	Gateway to JANET at ULCC
234253200103	VAX 6310 at Maxwell Institute
	�400 an account used for dial-up access
23421890042200	ICL General Information Systems dial-up account
	xx optional sub-address digits, for an account used for dial-up access xx is 
always set to 00
	subscribers of fixed lines to PSS soon after the service started were allocated 
numbers with repeated or easily remembered sequences of digits
	234223519191	Gateway to JANET at Rutherford Laboratory
	234246240240	ICL at Letchworth
	recently allocated accounts for dial-up access do not have an area code, the fifth 
digit is set to zero

1 TCP provides some connection-mode functions. The TCP header includes a sequence number and a 
field for acknowledging previous packets. Higher level functions such as telnet and ftp provide true 
connection-mode services.
2 Strictly speaking other control packet types can carry the same addressing information but in practice 
many implementations leave out these optional fields. The full list of packet types that have address 
fields is: call request, incoming call, call accepted, call connected, clear request, clear indication, clear 
confirmation, registration request, registration confirmation.
3 Details of the TRACE /PSI command are in the VMS help system under the entry TRACE. The 
TRACE function is described in the manual VAX PSI Volume 1 Problem Solving Guide, chapter 4 - 
the TRACE utility.
4 Details of the x25trace command are in SunNet X.25 System Administration Manual, chapter 9.
5 Details of the ACCOUNTING/PSI command are in the VMS help system under the entry P.S.I.
6 Details of the log file are in the manual SunNet X.25 Application Guide The PAD (User) and X.29 
(Server) Programs, chapter 2.
7 The 1988 revision of the X.25 standard increased the address field to a maximum of 17 decimal digits.
8 The Cuckoo�s Egg, chapter 30.