Wireshark · Ethereal-dev: Re: [Ethereal-dev] pppdump

Ethereal-dev: Re: [Ethereal-dev] pppdump

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Mon, 7 Oct 2002 17:43:22 -0700

On Fri, Oct 04, 2002 at 02:49:04PM -0400, Devin Heitmueller wrote:
> I am attempting to use Ethereal to capture data on a PPP interface. 

Hopefully, you're not trying to do this on an OS with crappy capture
support for PPP...

> Specifically, I do not want to capture at the IP level, but I want to
> get the PPP headers as well.  I tried to capture on ppp0, but I only got
> the IP packets.
> 
> First, can Ethereal dissect raw PPP?  Second can someone give me some
> direction on how to set this up under Linux.

...such as, err, umm, Linux.

The parts of the various drivers, etc.  for PPP and, it appears, Cisco
HDLC on Linux that handle setting up the data and mac.raw pointers in
skbuffs are in desperate need of an enema; sometimes when you capture in
non-cooked mode you get the PPP header, sometimes you get *no* header,
and sometimes it appears you get extra unpredictable crap in addition to
the PPP header.

As such, recent versions of libpcap use cooked-mode capturing on PPP
devices on Linux.

Note also that you aren't going to, at least on some PPP devices
(perhaps all), capture any of the control protocols; you'll only get IP
packets.  That's arguably a consequence of the way you have to capture
packets on Linux - you do it on a "packet" socket, but sockets only see
packets delivered to the networking stack, and there're no protocol
types in the Linux networking code for various PPP control protocols, so
those packets aren't delivered to the networking stack.

(It should work better on BSD.  It didn't work very well on the version
of the BSD-from-Cupertino on my iBook - not Jaguar, as I want to make
sure that any Ethereal stuff I do for MacOS X works on pre-Jaguar
releases - because the system panicked when I ^C'ed tcpdump, complaining
that attempting to turn promiscuous mode off failed.  The other BSDs
should do better.)

> The Ethereal documentation
> states that the "pppdump" file format is supported.  If someone has more
> information on how this works, I would be greatly appreciative.

The user-mode PPP daemon can be configured to save raw traffic on
asynchronous serial lines to a file; those are the pppdump files.

Follow-Ups:
- Re: [Ethereal-dev] pppdump
  - From: Devin Heitmueller

References:
- [Ethereal-dev] pppdump
  - From: Devin Heitmueller

Prev by Date: Re: [Ethereal-dev] Creating a new Dissector
Next by Date: Re: [Ethereal-dev] 802.11 patch attached
Previous by thread: Re: [Ethereal-dev] pppdump
Next by thread: Re: [Ethereal-dev] pppdump
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$