tcpdump mailing list archives

Re: multicast & icmp packet printing


From: Guy Harris <guy () alum mit edu>
Date: Thu, 27 Mar 2003 12:07:00 -0800

On Thu, Mar 27, 2003 at 07:05:45AM -0800, Larry Platzek wrote:
> > On Wed, Mar 19, 2003 at 02:44:23PM -0800, Larry Platzek wrote:
> > > tcpdump -i ppp0 'ether[0] & 1 != 0'
> > > This shows the multicast packets.
> >
> > ppp0?  What's the definition of a "multicast packet" over PPP?
> Not really sure but anything from 224.???.???.???.

That's an IP multicast, but there's no such thing as a multicast at the
PPP level (that's what the first two "P"s in "PPP" imply).

Your capture was done on Linux; given various suckages in the way
PF_PACKET and PPP on Linux work together, it's done in "cooked mode",
which means that the first 2 bytes of the link-layer header are an
indication of the direction in which the packet was sent - 0 if
received, 4 if sent.

The first of those bytes is always 0, as the direction field is in host
byte order; "ether[0]" tests the first byte of the link-layer header
(regardless of whether it's an Ethernet header or not), and thus,
testing whether the bottommost bit of that byte is non-zero will match
*NO* packets - and, in fact, if I do

        tcpdump -n -r tcpdmp2.log 'ether[0] & 1 != 0'

on your capture, no packets show up.

"ether[0] & 1 != 0" would, *in an Ethernet capture*, test for
multicast/broadcast packets.  On a PPP capture, however, it would do no
such thing - and, as there's no notion of a multicast or broadcast
packet at the PPP layer, there is no test you can do, on a PPP link, to
find multicast packets at the link layer.  You'd have to check for
multicast IP addresses.
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
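As an added illustration (not part of Guy's message or the thread), here is a constructed Python check of both tests over sample frames. It assumes the 16-byte Linux cooked-mode (DLT_LINUX_SLL) header layout from pcap's documentation (direction first, stored big-endian), the ARPHRD_PPP value from Linux if_arp.h, and a minimal IPv4 header behind it; it shows `ether[0] & 1` never matching on a cooked PPP capture while the IP-destination test does, and that the same byte test does flag a multicast on an Ethernet frame.

```python
import struct
# Linux "cooked mode" (DLT_LINUX_SLL) link-layer header, 16 bytes; layout
# assumed from pcap's DLT_LINUX_SLL description, fields big-endian:
# packet type (2), ARPHRD_ type (2), link address length (2),
# link address (8), protocol (2).
SLL_LEN = 16
SLL_HOST = 0       # packet was received
SLL_OUTGOING = 4   # packet was sent by this host
ARPHRD_PPP = 512   # value from Linux if_arp.h
ETH_P_IP = 0x0800

def ipv4(addr):
    return bytes(int(o) for o in addr.split("."))

def build_cooked_ipv4(direction, src, dst, payload=b""):
    """Constructed sample frame: cooked header + minimal IPv4 header."""
    sll = struct.pack("!HHH8sH", direction, ARPHRD_PPP, 0, b"\x00" * 8, ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                     64, 17, 0, ipv4(src), ipv4(dst))
    return sll + ip + payload

def ether0_lsb_set(frame):
    """The thread's filter 'ether[0] & 1 != 0': bit 0 of the first byte of
    the link-layer header, whatever that header actually is."""
    return (frame[0] & 1) != 0

def ip_multicast(frame, link_len=SLL_LEN):
    """IPv4 destination in 224.0.0.0/4: 'ip[16] >= 224' after the link
    header, which is what tcpdump's 'ip multicast' primitive compiles to."""
    ip = frame[link_len:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    return ip[16] >= 224

# Constructed samples: two IP multicasts and one unicast over cooked PPP.
COOKED_PPP = [
    build_cooked_ipv4(SLL_HOST, "192.168.1.1", "224.0.0.1"),
    build_cooked_ipv4(SLL_OUTGOING, "192.168.1.2", "224.0.0.251"),
    build_cooked_ipv4(SLL_HOST, "10.0.0.1", "192.168.1.2"),
]
# Constructed Ethernet frame to 01:00:5e:00:00:01 (IPv4 multicast MAC),
# where ether[0] & 1 really does flag a multicast.
ETHERNET_MCAST = bytes.fromhex("01005e000001") + bytes(6) + b"\x08\x00"

def classify(frames, link_len=SLL_LEN):
    """(ether[0]&1 result, IP-multicast result) per frame."""
    return [(ether0_lsb_set(f), ip_multicast(f, link_len)) for f in frames]
```

On a real capture the equivalent filter is `tcpdump -n -r file.pcap 'ip multicast'` (or `'ip[16] >= 224'`), which does not depend on the link type at all.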