
Patch to print out IP data in PPP HDLC packets


From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 1 Jul 2004 21:32:26 +1000 (EST)

I've been using this patch to print IP packets inside PPP HDLC
frames found in raw 1xRTT traffic.  I've been able to find few
details on the actual PPP header format apart from what "0x7eff"
means and observing traffic for 0x7e21.  The end result is extra
output of the form "{ PPP HDLC IP 1.2.3.4 > 2.3.4.5: GREv1call 0....}"

It may not be particularly efficient, because it mallocs a new
buffer for each packet (rather than using a static buffer), but
I decided that was better than limiting the program's capabilities
w.r.t. recursive decoding.

Darren

*** print-ppp.c.orig    Wed Mar 24 14:30:06 2004
--- print-ppp.c Thu Jul  1 21:01:59 2004
***************
*** 370,375 ****
--- 370,376 ----
  static int print_ccp_config_options (const u_char *p, int);
  static int print_bacp_config_options (const u_char *p, int);
  static void handle_ppp (u_int proto, const u_char *p, int length);
+ static int ppp_hdlc(const u_int proto, const u_char *p, int length);
  
  /* generic Control Protocol (e.g. LCP, IPCP, CCP, etc.) handler */
  static void
***************
*** 1052,1057 ****
--- 1053,1109 ----
  }
  
  
+ static int
+ ppp_hdlc(const u_int proto, const u_char *p, int length)
+ {
+       u_char *b, *s, *t, c;
+       int i, l, offset;
+       const void *se;
+ 
+       switch (proto & 0xff)
+       {
+       case 0xff :
+               if (p[0] != 3 || p[1] != 0 || p[2] != 0x21)
+                       return -1;
+               offset = 3;
+               break;
+       case 0x21 :
+               offset = 0;
+               break;
+       default :
+               return -1;
+       }
+ 
+       b = (u_char *)malloc(length);
+       if (b == NULL)
+               return -1;
+ 
+       /*
+        * Unescape all the data into a temporary, private, buffer.
+        * Do this so that we dont overwrite the original packet
+        * contents.
+        */
+       for (s = (u_char *)p + offset, t = b, i = length; i > 0; i--) {
+               c = *s++;
+               if (c == 0x7d) {
+                       if (i > 1) {
+                               i--;
+                               c = *s++ ^ 0x20;
+                       } else
+                               continue;
+               }
+               *t++ = c;
+       }
+ 
+       printf("PPP-HDLC ");
+       se = snapend;
+       snapend = t;
+       ip_print(b, t - b);
+       snapend = se;
+       free(b);
+ }
+ 
+ 
  /* PPP */
  static void
  handle_ppp(u_int proto, const u_char *p, int length)
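Review bot: ppp_hdlc() is declared to return int but falls off the end after `free(b);`, so on the success path the caller's `== -1` test reads an indeterminate value; it needs `return 0;`. The 0xff case also reads `p[0]`..`p[2]` before any length check, and the unescape loop runs `length` times starting at `p + offset`, which with `offset = 3` reads three bytes past the frame. Nothing bounds the reads by `snapend` either, so a truncated or malformed capture can drive the loop past the captured data, and `malloc(length)` is reached with a zero or negative `length` unchecked. The fence below shows the guards I would add; the rest of the function is unchanged.

```c
static int
ppp_hdlc(const u_int proto, const u_char *p, int length)
{
	/* … unchanged: declarations … */

	switch (proto & 0xff)
	{
	case 0xff :
		/* The three header bytes must be in the frame and captured. */
		if (length < 3 || snapend - p < 3)
			return -1;
		if (p[0] != 3 || p[1] != 0 || p[2] != 0x21)
			return -1;
		offset = 3;
		break;
	/* … unchanged: case 0x21 and default … */
	}

	/* Unescape only bytes that are inside the frame and were captured. */
	length -= offset;
	if (length > snapend - (p + offset))
		length = (int)(snapend - (p + offset));
	if (length <= 0)
		return -1;

	/* … unchanged: malloc, unescape loop, ip_print with snapend swapped … */
	free(b);
	return 0;
}
```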
***************
*** 1097,1105 ****
                mpls_print(p, length);
                break;
        default:
!                 printf("unknown PPP protocol (0x%04x)", proto);
!                 print_unknown_data(p,"\n\t",length);
!                 break;
        }
  }
  
--- 1149,1159 ----
                mpls_print(p, length);
                break;
        default:
!               if (((proto >> 8) != 0x7e) || (ppp_hdlc(proto, p, length) == -1)) {
!                       printf("unknown PPP protocol (0x%04x)}", proto);
!                       print_unknown_data(p,"\n\t",length);
!               }
!               break;
        }
  }
  
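Review bot: The new format string `"unknown PPP protocol (0x%04x)}"` gains a trailing `}` that nothing in the visible hunks opens (ppp_hdlc() prints `PPP-HDLC ` with no brace), so the unknown-protocol line ends with an unbalanced brace. If the braces shown in the description's sample output are wanted, they presumably belong around the ppp_hdlc() output; otherwise keep the original `printf("unknown PPP protocol (0x%04x)", proto);`. handle_ppp() starts above this hunk, so I can't see whether an opening brace is printed earlier in the function.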
-