Wireshark-users: Re: [Wireshark-users] decoding packet data payload?
From: "Sheahan, John" <John.Sheahan@xxxxxxxxxxxxx>
Date: Sun, 4 May 2008 08:23:21 -0400
Title: [Wireshark-users] decoding packet data payload?
Years ago and before the days of either Wireshark or Ethereal, I had to purchase a serial interface pod from Network General which was the only way I could look at HDLC going over my serial interface. HDLC and PPP on a Cisco router for instance, are both data link protocols and don't use TCP.
I'm not sure what userppp gives you but perhaps it is some kind of version of ppp over tcp? If this is the case, I would think that you should be able to drill down in the TCP packet and see what's happening?
john

From: wireshark-users-bounces@xxxxxxxxxxxxx on behalf of Malcolm Herbert
Sent: Sun 5/4/2008 6:05 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] decoding packet data payload?

I have a captured PPP session inside a TCP stream created by userppp
with a TCP connection being used as the PPP transport instead of the
serial port[1].

I have the entire TCP packet capture and can see the complete HDLC-like
PPP frames inside the TCP data payload - I'd like wireshark to
interpret this for me as I'm interested in seeing PPP at work.

Ultimately I'd like to get at the TCP data running inside that as well,
but this is less important at the moment.

This sounds like it should be a simple thing to achieve ... except that
I haven't yet found any references to doing this in the FAQ or from
elsewhere on the web.  How would I go about it?

I had thought wireshark would support this behaviour by default as
there are many cases where protocols encapsulate others - IPIP or IPSec
over TCP come to mind here ...

Alternately, since I'm wanting to look at PPP, would it be better to
capture the PPP session directly from a serial link somehow?

To my mind, capturing the session with wireshark or tcpdump when TCP
was the transport was the way to go, but if I can't get at the data
inside the TCP payload then there's not a lot of point ... :)

Regards,
Malcolm

[1] this is not the same thing as PPPoE as far as I understand it ...

--
Malcolm Herbert                                This brain intentionally
mjch@xxxxxxxx                                                left blank
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
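To look at what such a userppp-over-TCP payload contains even before a dissector is applied, here is an added example (not code from this thread, from userppp or from Wireshark) that splits RFC 1662 HDLC-like PPP frames out of a TCP payload, verifies each frame's FCS and reads the protocol field. The LCP sample frame is constructed with the block's own encoder; the escaping rules assume the default ACCM.

```python
import struct

FLAG, ESC = 0x7E, 0x7D          # frame delimiter and escape octet

def fcs16(data: bytes) -> int:
    """RFC 1662 FCS-16 (reflected polynomial 0x8408), bitwise form."""
    fcs = 0xFFFF
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def unescape(raw: bytes) -> bytes:
    """Undo 0x7D transparency escaping (next octet XOR 0x20)."""
    out, esc = bytearray(), False
    for b in raw:
        if esc or b != ESC:
            out.append(b ^ 0x20 if esc else b)
        esc = (not esc) and b == ESC
    return bytes(out)

def split_frames(stream: bytes):
    """Yield (protocol, payload, fcs_ok) for each flag-delimited frame."""
    for chunk in stream.split(bytes([FLAG])):
        frame = unescape(chunk)
        if len(frame) < 3:                # at least one body octet + FCS
            continue
        fcs_ok = fcs16(frame) == 0xF0B8   # RFC 1662 "good FCS" residue
        body = frame[:-2]
        if body[:2] == b"\xff\x03":       # address/control, unless ACFC
            body = body[2:]
        if not body:
            continue
        if body[0] & 1:                   # one-octet protocol field (PFC)
            yield body[0], body[1:], fcs_ok
        else:
            yield struct.unpack("!H", body[:2])[0], body[2:], fcs_ok

def build_frame(proto: int, payload: bytes) -> bytes:
    """Encode one frame (default ACCM: escape every octet below 0x20)."""
    body = b"\xff\x03" + struct.pack("!H", proto) + payload
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])     # FCS goes on the wire low octet first
    out = bytearray([FLAG])
    for b in body:
        out += bytes([ESC, b ^ 0x20]) if b in (FLAG, ESC) or b < 0x20 else bytes([b])
    return bytes(out + bytes([FLAG]))
# Constructed sample: one LCP Configure-Request frame as userppp would put it on the TCP stream
SAMPLE = build_frame(0xC021, b"\x01\x01\x00\x04")
```

Feeding the bytes of the TCP data payload from the capture into `split_frames` lists the PPP protocol of each frame (0xC021 is LCP, 0x0021 is IP) and flags any frame whose FCS does not check.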