tcpdump mailing list archives

Re: Patch to print out IP data in PPP HDLC packets


From: Hannes Gredler <hannes () juniper net>
Date: Fri, 2 Jul 2004 20:07:12 +0200

darren,

see questions/responses inline;

On Fri, Jul 02, 2004 at 01:28:20AM +1000, Darren Reed wrote:
| In some email I received from Hannes Gredler, sie wrote:
| > darren,
| > 
| > can we have a .pcap sample showing such a frame for
| > the /tests directory ?
| 
| I've semi-hand constructed this file because of privacy
| concerns about the real data.

you can send it to me unicast then i am not going to publish it;

--

i have some questions wrt the format based on the .pcap
file that you supplied;

the 1st byte 0x7e seems to introduce a HDLC frame;

after that i can see 4 different frame formats:


frame 1     0x0000:  2145 0000 6edc 5a00 006a 2f52 080a 1122
            0x0010:  330a 1133 4430 8188 0b00 4ad4 9d5a 5a5a
            0x0020:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
            0x0030:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
            0x0040:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
            0x0050:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
            0x0060:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a7d 5d7d
            0x0070:  5d

this seems to be some sort of shortcut IP frame ... 21 being
codepoint for IPv4; should we then use 0x57 for IPv6?


frame 2     0x0000:  c021 7d29 5d7d 207d 2860 89ca 54ff

this looks like an LCP frame, correct? so the second
format is a fully blown PPP proto-id;


frame 3     0x0000:  ff03 c021 0a5d 0008 5241 249e 8531

looks like a regular PPP frame ... 0xff03 followed by a proto-id

frame 4     0x0000:  ff03 0021 4500 0067 616e 0000 802f 0000
            0x0010:  0a01 2233 0a11 2233 3001 880b 0047 43e4
            0x0020:  0000 005a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
            0x0030:  5a5a 5a5a 5a5a 5a5a 5a7d 5e5a 5a5a 5a5a
            0x0040:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
            0x0050:  5a5a 5a5a 5a5a 5a5a 5a5a 5a7d 5d5a 5a5a
            0x0060:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a}

frame 5     0x0000:  ff03 c021 0a5e 0008 5241 249e eb99

same as 4 ...


frame 6     0x0000:  ff7d 23c0 217d 2126 7d20 7d34 7d22 7d26
            0x0010:  7d20 7d20 7d20 7d20 7d25 7d26 65f1 b237
            0x0020:  7d27 7d22 7d28 7d22 3c6b

ok this one i have some problems with ... 0xc021 looks like LCP
again but what is 0xff7d23 ?

except for frame 6 i would formulate the encoding logic like:

test for 0xff03 -> call ppp_print()
test for 0x21 -> call ip_print()
test for 0x57 -> call ip6_print()

default: -> call ppp_handle()

---


could you maybe also provide a pointer to a spec where the escaping
routines and/or the 0x7e escape hack is described?

wrt the curly bracket at the end of the hexdump - that's not a bug,
this is an artifact of the l2tp dissector and i'll also have
a look at that;

/hannes
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
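
An added example, not part of the original message and not tcpdump's own code: C code that undoes RFC 1662 octet stuffing (0x7d followed by the original octet XOR 0x20) on frame 6 from the hexdump above, then reads the PPP protocol field with or without the ff 03 prefix and with or without protocol-field compression. The function names hdlc_unescape and ppp_protocol are hypothetical, and the byte array is transcribed from the frame 6 dump.

```c
#include <stddef.h>
#include <stdio.h>

#define PPP_FLAG   0x7e  /* frame delimiter (RFC 1662) */
#define PPP_ESCAPE 0x7d  /* control escape: next octet is XORed with 0x20 */

/* Transcribed from the hexdump of frame 6 in the message above. */
static const unsigned char frame6[] = {
    0xff,0x7d,0x23,0xc0,0x21,0x7d,0x21,0x26,0x7d,0x20,0x7d,0x34,0x7d,0x22,0x7d,0x26,
    0x7d,0x20,0x7d,0x20,0x7d,0x20,0x7d,0x20,0x7d,0x25,0x7d,0x26,0x65,0xf1,0xb2,0x37,
    0x7d,0x27,0x7d,0x22,0x7d,0x28,0x7d,0x22,0x3c,0x6b };

/* Undo RFC 1662 octet stuffing. Returns the decoded length, or -1 on a
 * dangling escape, an unescaped flag inside the frame, or a full buffer. */
static long hdlc_unescape(const unsigned char *in, size_t n,
                          unsigned char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c == PPP_FLAG) return -1;
        if (c == PPP_ESCAPE) {
            if (++i == n) return -1;    /* escape with nothing after it */
            c = in[i] ^ 0x20;
        }
        if (o == cap) return -1;        /* never write past the output buffer */
        out[o++] = c;
    }
    return (long)o;
}

/* Protocol number of a decoded frame: skip an optional ff 03
 * address/control pair, then read a 1- or 2-octet protocol field
 * (an odd first octet means the compressed 1-octet form). -1 if short. */
static long ppp_protocol(const unsigned char *p, size_t n)
{
    if (n >= 2 && p[0] == 0xff && p[1] == 0x03) { p += 2; n -= 2; }
    if (n >= 1 && (p[0] & 1)) return p[0];
    if (n >= 2) return (p[0] << 8) | p[1];
    return -1;
}

int main(void)
{
    unsigned char buf[64];
    long n = hdlc_unescape(frame6, sizeof frame6, buf, sizeof buf);
    printf("frame 6: %ld octets, protocol 0x%04lx\n", n, ppp_protocol(buf, (size_t)n));
    return 0;
}
```

Decoded, frame 6 begins ff 03 c0 21: the 7d 23 after 0xff is the escaped control octet 0x03, so the frame is a regular ff 03 PPP frame carrying LCP.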

