Re: Multiple Needles in Multiple Haystacks.

[Guy Harris <guy () alum mit edu>]

On Nov 17, 2016, at 7:29 AM, Zaphod Beeblebrox <zbeeble () gmail com> wrote:

> Fundamental to my problem is filtering the PPP inside L2TP.  Making this
> complex, the L2TP speakers I'm dealing with don't deliver at the same
> offsets.

...and libpcap's filter-to-BPF compiler doesn't have a "check for L2TP and, if you find it, make all filter tests after 
the match test the packet *inside* the L2TP packet" expression, the way it has for PPPoE, for example.

I'll see if I can spend some time looking at that.

> Something like "ppp[0:2] == 0x8021" should pull out the IPCP.  Or is
> that ppp[2:2] ... but neither works.  Some other reading that's hard to
> find would suggest something like "protochain l2tp and ppp proto 0x8021"
> ... but that doesn't work either.

That's because "protochain" only works for IPv4 and IPv6.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers