After posting I realized I didn’t need to wait for a SIM; I could easily try this on any Linux box. So I ran a tcpdump in one window and ran my little example from above in another:
echo '{k:"12345678",d="X",t="T"}' | nc -q 10 23.253.146.203 9999
which printed [2,0] since a key of 12345678 isn’t valid, but that doesn’t really change the example very much. The tcpdump output (I’m omitting the packet details except for the one that carries the message payload):
> sudo tcpdump -n -X -e host 23.253.146.203
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:10:52.296729 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 74: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [S], seq 3484201343, win 29200, options [mss 1460,sackOK,TS val 910947861 ecr 0,nop,wscale 7], length 0
22:10:52.569254 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 74: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [S.], seq 3967561882, ack 3484201344, win 14480, options [mss 1298,sackOK,TS val 2405650858 ecr 910947861,nop,wscale 9], length 0
22:10:52.569296 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 66: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [.], ack 1, win 229, options [nop,nop,TS val 910947929 ecr 2405650858], length 0
22:10:52.569366 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 93: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [P.], seq 1:28, ack 1, win 229, options [nop,nop,TS val 910947929 ecr 2405650858], length 27
0x0000: 4500 004f 476c 4000 4006 87c9 c0a8 0003 E..OGl@.@.......
0x0010: 17fd 92cb a7f4 270f cfac b180 ec7c 309b ......'......|0.
0x0020: 8018 00e5 7ae6 0000 0101 080a 364b f659 ....z.......6K.Y
0x0030: 8f63 51aa 7b6b 3a22 3132 3334 3536 3738 .cQ.{k:"12345678
0x0040: 222c 643d 2258 222c 743d 2254 227d 0a ",d="X",t="T"}.
22:10:52.844227 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 66: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [.], ack 28, win 29, options [nop,nop,TS val 2405650927 ecr 910947929], length 0
22:10:52.846726 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 71: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [P.], seq 1:6, ack 28, win 29, options [nop,nop,TS val 2405650928 ecr 910947929], length 5
22:10:52.846755 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 66: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [.], ack 6, win 229, options [nop,nop,TS val 910947998 ecr 2405650928], length 0
22:10:52.846763 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 66: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [F.], seq 6, ack 28, win 29, options [nop,nop,TS val 2405650928 ecr 910947929], length 0
22:10:52.846840 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 66: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [F.], seq 28, ack 7, win 229, options [nop,nop,TS val 910947999 ecr 2405650928], length 0
22:10:53.110595 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 66: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [.], ack 29, win 29, options [nop,nop,TS val 2405650996 ecr 910947999], length 0
The packet lengths include a 14-byte ethernet header which doesn’t apply over cellular, so we have 60+60+52+79+52+57+52+52+52+52 = 568 bytes!
I then proceeded to turn off TCP timestamps (one of the TCP options on my system) and ran the same test (using more verbose printing by tcpdump so I get the actual packet length without the ethernet header):
22:31:18.983050 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 62682, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [S], cksum 0x873e (correct), seq 3886895327, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
22:31:19.272847 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto TCP (6), length 52)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [S.], cksum 0xa2c3 (correct), seq 446628723, ack 3886895328, win 14600, options [mss 1298,nop,nop,sackOK,nop,wscale 9], length 0
22:31:19.272889 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 62683, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [.], cksum 0x1b19 (correct), seq 1, ack 1, win 229, length 0
22:31:19.272959 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 62684, offset 0, flags [DF], proto TCP (6), length 67)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [P.], cksum 0x0697 (correct), seq 1:28, ack 1, win 229, length 27
22:31:19.547341 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 47, id 64657, offset 0, flags [DF], proto TCP (6), length 40)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [.], cksum 0x1bc6 (correct), seq 1, ack 28, win 29, length 0
22:31:19.557319 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 47, id 64658, offset 0, flags [DF], proto TCP (6), length 45)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [P.], cksum 0x3756 (correct), seq 1:6, ack 28, win 29, length 5
22:31:19.557347 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 62685, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [.], cksum 0x1af9 (correct), seq 28, ack 6, win 229, length 0
22:31:19.558083 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 47, id 64659, offset 0, flags [DF], proto TCP (6), length 40)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [F.], cksum 0x1bc0 (correct), seq 6, ack 28, win 29, length 0
22:31:19.558170 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 62686, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [F.], cksum 0x1af7 (correct), seq 28, ack 7, win 229, length 0
22:31:19.846464 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 47, id 64660, offset 0, flags [DF], proto TCP (6), length 40)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [.], cksum 0x1bbf (correct), seq 7, ack 29, win 29, length 0
This now results in packets of length 52+52+40+67+40+45+40+40+40+40 = 456 bytes. So that eliminated 112 bytes right there! It’s probably possible to shave off another few bytes from the first two packets, but that might get iffy. After that, well, I need to find a strategy that doesn’t require setting up a fresh TCP connection for each packet exchange…
I should note that a message with a correct key will look slightly different because the server won’t close the connection immediately as far as I understand. But in broad strokes it should look very much the same.
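To make the byte accounting above repeatable, here is an added example (my own script, not code from the post or the service it talks to) that parses tcpdump -e output and totals the IP-layer bytes of an exchange. It handles both output styles shown in the post: without -v it subtracts the 14-byte Ethernet header from the frame length, and with -v it reads the IP total length that tcpdump prints in parentheses. The two embedded captures are the traces quoted above; the names WITH_TIMESTAMPS, NO_TIMESTAMPS, ip_lengths, payload_bytes, summarize and savings are mine. Besides reproducing the 568 and 456 totals, it also reports how much of that traffic was actual application payload, which the post does not work out.

```python
import re

ETH_HDR = 14  # Ethernet framing bytes; not carried over a cellular link

# "length N:" just before the IP summary is the Ethernet frame size (tcpdump -e)
FRAME_RE = re.compile(r"ethertype IPv4 \(0x0800\), length (\d+):")
# with -v the IP total length is printed inside the parentheses
IP_RE = re.compile(r"proto TCP \(6\), length (\d+)\)")
# the trailing "length N" on the TCP summary line is the TCP payload size
TCP_PAYLOAD_RE = re.compile(r", length (\d+)\s*$")

# Capture 1 from the post: TCP timestamps on (hex dump rows are kept to show they are skipped)
WITH_TIMESTAMPS = """22:10:52.296729 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 74: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [S], seq 3484201343, win 29200, options [mss 1460,sackOK,TS val 910947861 ecr 0,nop,wscale 7], length 0
22:10:52.569254 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 74: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [S.], seq 3967561882, ack 3484201344, win 14480, options [mss 1298,sackOK,TS val 2405650858 ecr 910947861,nop,wscale 9], length 0
22:10:52.569296 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 66: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [.], ack 1, win 229, options [nop,nop,TS val 910947929 ecr 2405650858], length 0
22:10:52.569366 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 93: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [P.], seq 1:28, ack 1, win 229, options [nop,nop,TS val 910947929 ecr 2405650858], length 27
0x0030: 8f63 51aa 7b6b 3a22 3132 3334 3536 3738 .cQ.{k:"12345678
0x0040: 222c 643d 2258 222c 743d 2254 227d 0a ",d="X",t="T"}.
22:10:52.844227 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 66: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [.], ack 28, win 29, options [nop,nop,TS val 2405650927 ecr 910947929], length 0
22:10:52.846726 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 71: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [P.], seq 1:6, ack 28, win 29, options [nop,nop,TS val 2405650928 ecr 910947929], length 5
22:10:52.846755 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 66: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [.], ack 6, win 229, options [nop,nop,TS val 910947998 ecr 2405650928], length 0
22:10:52.846763 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 66: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [F.], seq 6, ack 28, win 29, options [nop,nop,TS val 2405650928 ecr 910947929], length 0
22:10:52.846840 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 66: 192.168.0.3.42996 > 23.253.146.203.9999: Flags [F.], seq 28, ack 7, win 229, options [nop,nop,TS val 910947999 ecr 2405650928], length 0
22:10:53.110595 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 66: 23.253.146.203.9999 > 192.168.0.3.42996: Flags [.], ack 29, win 29, options [nop,nop,TS val 2405650996 ecr 910947999], length 0
"""

# Capture 2 from the post: TCP timestamps off, tcpdump -v (IP length in parentheses)
NO_TIMESTAMPS = """22:31:18.983050 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 62682, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [S], cksum 0x873e (correct), seq 3886895327, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
22:31:19.272847 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto TCP (6), length 52)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [S.], cksum 0xa2c3 (correct), seq 446628723, ack 3886895328, win 14600, options [mss 1298,nop,nop,sackOK,nop,wscale 9], length 0
22:31:19.272889 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 62683, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [.], cksum 0x1b19 (correct), seq 1, ack 1, win 229, length 0
22:31:19.272959 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 62684, offset 0, flags [DF], proto TCP (6), length 67)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [P.], cksum 0x0697 (correct), seq 1:28, ack 1, win 229, length 27
22:31:19.547341 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 47, id 64657, offset 0, flags [DF], proto TCP (6), length 40)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [.], cksum 0x1bc6 (correct), seq 1, ack 28, win 29, length 0
22:31:19.557319 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 47, id 64658, offset 0, flags [DF], proto TCP (6), length 45)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [P.], cksum 0x3756 (correct), seq 1:6, ack 28, win 29, length 5
22:31:19.557347 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 62685, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [.], cksum 0x1af9 (correct), seq 28, ack 6, win 229, length 0
22:31:19.558083 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 47, id 64659, offset 0, flags [DF], proto TCP (6), length 40)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [F.], cksum 0x1bc0 (correct), seq 6, ack 28, win 29, length 0
22:31:19.558170 f4:6d:04:ed:62:ca > 36:e6:6a:0e:97:b1, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 62686, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.43698 > 23.253.146.203.9999: Flags [F.], cksum 0x1af7 (correct), seq 28, ack 7, win 229, length 0
22:31:19.846464 36:e6:6a:0e:97:b1 > f4:6d:04:ed:62:ca, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 47, id 64660, offset 0, flags [DF], proto TCP (6), length 40)
23.253.146.203.9999 > 192.168.0.3.43698: Flags [.], cksum 0x1bbf (correct), seq 7, ack 29, win 29, length 0
"""


def ip_lengths(capture):
    """IP-layer size of every IPv4 frame in tcpdump -e output, in capture order.

    Uses the IP total length that -v prints when present; otherwise frame
    length minus the Ethernet header. Hex-dump rows and -v continuation
    lines carry no frame length and are skipped.
    """
    sizes = []
    for line in capture.splitlines():
        frame = FRAME_RE.search(line)
        if not frame:
            continue
        ip = IP_RE.search(line)
        sizes.append(int(ip.group(1)) if ip else int(frame.group(1)) - ETH_HDR)
    return sizes


def payload_bytes(capture):
    """Sum of TCP payload bytes, i.e. the application data actually exchanged."""
    return sum(int(m.group(1)) for m in map(TCP_PAYLOAD_RE.search, capture.splitlines()) if m)


def summarize(capture):
    """Packet count, bytes on the wire (IP and up), payload bytes and the difference."""
    sizes = ip_lengths(capture)
    wire, data = sum(sizes), payload_bytes(capture)
    return {"packets": len(sizes), "wire_bytes": wire, "payload_bytes": data, "overhead_bytes": wire - data}


def savings(before, after):
    """Wire bytes saved by the second capture relative to the first."""
    return summarize(before)["wire_bytes"] - summarize(after)["wire_bytes"]


if __name__ == "__main__":
    for name, cap in (("TCP timestamps on", WITH_TIMESTAMPS), ("TCP timestamps off", NO_TIMESTAMPS)):
        print(name, summarize(cap))
    print("saved by disabling timestamps:", savings(WITH_TIMESTAMPS, NO_TIMESTAMPS), "bytes")
```

Run with any saved tcpdump -e (or -e -v) output in place of the embedded captures. The overhead_bytes figure is the one to watch when trimming a protocol like this: both exchanges carry only 32 bytes of application data (27 out, 5 back), so even after dropping timestamps the handshake and teardown still cost over 400 bytes per message.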