tcpdump mailing list archives
Multiple Needles in Multiple Haystacks.
From: Zaphod Beeblebrox <zbeeble () gmail com>
Date: Thu, 17 Nov 2016 10:29:13 -0500
So... I have some malfunctioning L2TP servers. Not your problem.

I would like to get a packet dump of just L2TP control packets + L2TP packets containing PPP packets of LCP, IPCP, IP6CP and PAP. I would also (less important) like to filter out LCP echo/reply. This is why I'm writing to this list. I can capture _all_ the packets and get Wireshark to trim it down, but the problem I have with that is the firehose it represents.

Fundamental to my problem is filtering the PPP inside L2TP. Making this complex, the L2TP speakers I'm dealing with don't deliver at the same offsets. I'm attaching a small pcap file that has the packets I want to accept for reference.

Something like "ppp[0:2] == 0x8021" should pull out the IPCP. Or is that ppp[2:2] ... but neither works. Some other reading that's hard to find would suggest something like "protochain l2tp and ppp proto 0x8021" ... but that doesn't work either. I realize that one of ppp[2:2] or ppp[0:2] is going to be equivalent to ppp proto 0x8021, but the part that's not working is relating to the function of protochain.

Help? If you're Canadian (I see this list is associated with someone in Ottawa) I can offer 3 months of free DSL... or a whole year if you materially help me fix MPD on FreeBSD. I'm a fully open-source ISP ...

Zaphod.
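The selection described in the post, written as a user-space classifier over the UDP payload; this is an added example, not code from the thread or from tcpdump. It assumes the L2TPv2 header layout of RFC 2661 and assumes the differing offsets come from the optional header fields and from an optional FF 03 address/control prefix; `classify` and the sample payloads are constructed for illustration.

```python
import struct

# PPP protocol numbers the post wants to keep.
WANTED = {0xC021: "LCP", 0xC023: "PAP", 0x8021: "IPCP", 0x8057: "IP6CP"}
LCP_ECHO = {9, 10}  # LCP codes: Echo-Request, Echo-Reply

def classify(l2tp: bytes):
    """Label an L2TPv2 UDP payload to keep, or return None to drop it."""
    if len(l2tp) < 6:
        return None
    flags = struct.unpack_from("!H", l2tp)[0]
    if flags & 0x000F != 2:            # version nibble must be 2
        return None
    if flags & 0x8000:                 # T bit set: control message
        return "L2TP-control"
    off = 2
    if flags & 0x4000:                 # L bit: Length field present
        off += 2
    off += 4                           # Tunnel ID, Session ID
    if flags & 0x0800:                 # S bit: Ns and Nr present
        off += 4
    if flags & 0x0200:                 # O bit: Offset Size, then padding
        if len(l2tp) < off + 2:
            return None
        off += 2 + struct.unpack_from("!H", l2tp, off)[0]
    ppp = l2tp[off:]
    if ppp[:2] == b"\xff\x03":         # address/control, sent by some peers
        ppp = ppp[2:]
    if len(ppp) < 3 or ppp[0] & 1:     # truncated, or compressed 1-byte protocol
        return None                    # (every wanted protocol is 2 bytes)
    proto = struct.unpack_from("!H", ppp)[0]
    if proto == 0xC021 and ppp[2] in LCP_ECHO:
        return None                    # drop LCP echo request/reply
    return WANTED.get(proto)

# Constructed sample payloads (not taken from the poster's pcap).
SAMPLES = {
    "ipcp, FF 03 present":  bytes.fromhex("0002 0001 0002 ff03 8021 01010004"),
    "lcp, L+S, no FF 03":   bytes.fromhex("4802 0012 0001 0002 0000 0000 c021 01010004"),
    "lcp echo-request":     bytes.fromhex("0002 0001 0002 ff03 c021 09010008 00000000"),
    "ip6cp, offset pad":    bytes.fromhex("0202 0001 0002 0002 0000 8057 01010004"),
    "control (ZLB)":        bytes.fromhex("c802 000c 0001 0000 0000 0000"),
    "ipv4 data":            bytes.fromhex("0002 0001 0002 ff03 0021 45000014"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} -> {classify(pkt)}")
```

The PPP protocol field lands at byte 8, 12 or 10 of the first, second and fourth samples, which is why a single fixed-offset comparison cannot match all of them.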