Re: Patch to print out IP data in PPP HDLC packets

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Hannes Gredler, sie wrote:
> darren,
>
> can we have a .pcap sample showing such a frame for
> the /tests directory ?

I've semi-hand constructed this file because of privacy
concerns about the real data.

I've also included a new version of the patch (moved the
unescaping of HDLC data before looking at bytes after the
leading 0x7e.)

The output for me is like this (non-verbose):
17:38:55.122210 IP 10.0.17.34.1701 > 10.1.34.51.1701:  l2tp:[LP](2/1) {PPP-HDLC IP 10.17.34.51 > 10.17.51.68: GREv1call 
54429 seq 1515870810 ack 1515870810 gre-ppp-payload}
17:38:55.122210 IP 10.1.17.34.1701 > 10.17.34.51.1701:  l2tp:[L](24722/10922) {unknown PPP protocol (0x7ec0)}
        0x0000:  217d 295d 7d20 7d28 6089 ca54 ffaa}
17:38:55.122210 IP 10.17.34.51.1701 > 10.1.17.34.1701:  l2tp:[LP](2/4) {unknown PPP protocol (0x7eff)}
        0x0000:  03c0 210a 5d00 0852 4124 9e85 317e}
17:38:55.122210 IP 10.1.17.34.1701 > 10.17.34.51.1701:  l2tp:[L](24735/12328) {PPP-HDLC IP 10.1.34.51 > 10.17.34.51: 
GREv1call 17380 seq 90 gre-ppp-payload}
17:38:55.122210 IP 10.17.34.51.1701 > 10.1.17.34.1701:  l2tp:[LP](2/4) {unknown PPP protocol (0x7eff)}
        0x0000:  03c0 210a 5e00 0852 4124 9eeb 997e}
17:38:55.122210 IP 10.1.17.34.1701 > 10.17.34.51.1701:  l2tp:[L](24551/3750) {unknown PPP protocol (0x7eff)}
        0x0000:  7d23 c021 7d21 267d 207d 347d 227d 267d
        0x0010:  207d 207d 207d 207d 257d 2665 f1b2 377d
        0x0020:  277d 227d 287d 223c 6b7e}


Looks like a bug in print_unknown_data  ^^^ generating that }.
Or maybe not...If you remove the } I added after the (0x7e..),
it doesn't seem that out of place.

Darren

Attachment: hdlc.pcap
Description:

Attachment: pppdif
Description:

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.