Thanks for the feedback.

Do your comments regarding the differences in the way PPP data is
announced also refer to the use of the pppd capture mode? If I use the
raw traffic saves generated by the user-mode PPP daemon, do I avoid the
problems you described in the first half of the email?

Thanks,
Devin

On Mon, 2002-10-07 at 20:43, Guy Harris wrote:
> On Fri, Oct 04, 2002 at 02:49:04PM -0400, Devin Heitmueller wrote:
> > I am attempting to use Ethereal to capture data on a PPP interface.
>
> Hopefully, you're not trying to do this on an OS with crappy capture
> support for PPP...
>
> > Specifically, I do not want to capture at the IP level, but I want to
> > get the PPP headers as well. I tried to capture on ppp0, but I only got
> > the IP packets.
> >
> > First, can Ethereal dissect raw PPP? Second, can someone give me some
> > direction on how to set this up under Linux?
>
> ...such as, err, umm, Linux.
>
> The parts of the various drivers, etc. for PPP and, it appears, Cisco
> HDLC on Linux that handle setting up the data and mac.raw pointers in
> skbuffs are in desperate need of an enema; sometimes when you capture in
> non-cooked mode you get the PPP header, sometimes you get *no* header,
> and sometimes it appears you get extra unpredictable crap in addition to
> the PPP header.
>
> As such, recent versions of libpcap use cooked-mode capturing on PPP
> devices on Linux.
>
> Note also that you aren't going to, at least on some PPP devices
> (perhaps all), capture any of the control protocols; you'll only get IP
> packets. That's arguably a consequence of the way you have to capture
> packets on Linux - you do it on a "packet" socket, but sockets only see
> packets delivered to the networking stack, and there're no protocol
> types in the Linux networking code for various PPP control protocols, so
> those packets aren't delivered to the networking stack.
>
> (It should work better on BSD. It didn't work very well on the version
> of the BSD-from-Cupertino on my iBook - not Jaguar, as I want to make
> sure that any Ethereal stuff I do for MacOS X works on pre-Jaguar
> releases - because the system panicked when I ^C'ed tcpdump, complaining
> that attempting to turn promiscuous mode off failed. The other BSDs
> should do better.)
>
> > The Ethereal documentation
> > states that the "pppdump" file format is supported. If someone has more
> > information on how this works, I would be greatly appreciative.
>
> The user-mode PPP daemon can be configured to save raw traffic on
> asynchronous serial lines to a file; those are the pppdump files.
--
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc