tcpdump mailing list archives

Re: New DLT needed for PPP active/passiv filtering


From: Hannes Gredler <hannes () juniper net>
Date: Wed, 18 Aug 2004 16:23:56 +0200

karsten,

i have checked in support for the new DLT_PPP_WITH_DIRECTION (166) and
                                      LINKTYPE_PPP_WITH_DIRECTION (166)

also i tweaked libpcap to treat it like PPP plus support of
the inbound/outbound tokens;

see below test results ...

# ./tcpdump -dr ppp-dlt166.pcap "inbound"      
reading from file ppp-dlt166.pcap, link-type 166
(000) ldb      [0]
(001) jeq      #0x0             jt 2    jf 3
(002) ret      #4474
(003) ret      #0
# ./tcpdump -dr ppp-dlt166.pcap "outbound"  
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldb      [0]
(001) jeq      #0x1             jt 2    jf 3
(002) ret      #4474
(003) ret      #0
# ./tcpdump -dr ppp-dlt166.pcap "ip && inbound"
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldh      [2]
(001) jeq      #0x21            jt 2    jf 5
(002) ldb      [0]
(003) jeq      #0x0             jt 4    jf 5
(004) ret      #4474
(005) ret      #0
# ./tcpdump -dr ppp-dlt166.pcap "ip && outbound"        
reading from file ppp/ppp-dlt166.pcap, link-type 166
(000) ldh      [2]
(001) jeq      #0x21            jt 2    jf 5
(002) ldb      [0]
(003) jeq      #0x1             jt 4    jf 5
(004) ret      #4474
(005) ret      #0

let me know if this fits your needs;

/hannes


On Wed, Aug 18, 2004 at 02:23:21PM +0200, Karsten Keil wrote:

| It was here in the PPP filter context. The normal 4 byte header looks like:
| 
| FF 03 <P1> <P2>     P1 P2 give a 16 bit protocol ID to identify the data
| following the header, which may be PPP control data or IP/IPX payload data. 
| Since the PPP filtering is only called for IP/IPX payload frames, the
| constant FF byte was redefined as IN/OUT Flag (1 := OUT, 0:= IN).
| Note: The Filter is called after doing all decompression, so it's always
| a simple PPP payload data frame (in case of outgoing, it is called before
| doing compression or adding multilink headers).
| 
| > 
| > Note also that, for any DLT_PPP packets that *did* have an extra first 
| > byte in the header, any *other* filter expression wouldn't work, as the 
| > rest of the code for PPP assumed that it *wasn't* there.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
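
Added example, not part of the original message and not libpcap's own code: a small interpreter for the four BPF operations that appear in the dumps above, running the "ip && inbound" program over constructed frames. The instruction struct, function name and sample frames are assumptions made for illustration; the run shows that an outbound frame, an ordinary FF 03 PPP header and a truncated header are all rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Stand-in for the four classic-BPF operations seen in the dumps (not libpcap's struct bpf_insn). */
enum op { LDB, LDH, JEQ, RET };
struct insn { enum op op; uint32_t k; uint8_t jt, jf; }; /* jt/jf: absolute indices, as tcpdump -d prints */

/* "ip && inbound" as printed above for link-type 166. */
static const struct insn ip_inbound[] = {
    { LDH, 2,    0, 0 },  /* (000) ldh [2]   PPP protocol ID */
    { JEQ, 0x21, 2, 5 },  /* (001) jeq #0x21 IP              */
    { LDB, 0,    0, 0 },  /* (002) ldb [0]   direction byte  */
    { JEQ, 0x0,  4, 5 },  /* (003) jeq #0x0  0 = IN          */
    { RET, 4474, 0, 0 },  /* (004) ret #4474 accept          */
    { RET, 0,    0, 0 },  /* (005) ret #0    reject          */
};

/* Constructed sample frames: direction byte, 03, 16-bit protocol ID, first payload byte. */
static const uint8_t in_ip[]    = { 0x00, 0x03, 0x00, 0x21, 0x45 };
static const uint8_t out_ip[]   = { 0x01, 0x03, 0x00, 0x21, 0x45 };
static const uint8_t plain_ip[] = { 0xff, 0x03, 0x00, 0x21, 0x45 }; /* ordinary PPP header */
static const uint8_t runt[]     = { 0x00, 0x03, 0x00 };             /* truncated header    */

/* Returns the snap length to keep, or 0 to drop; a load past the end drops the packet. */
uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    for (size_t pc = 0; pc < n; ) {
        switch (p[pc].op) {
        case LDB: if (p[pc].k >= len) return 0;
                  a = pkt[p[pc].k]; pc++; break;
        case LDH: if ((size_t)p[pc].k + 2 > len) return 0;
                  a = (uint32_t)pkt[p[pc].k] << 8 | pkt[p[pc].k + 1]; pc++; break;
        case JEQ: pc = (a == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case RET: return p[pc].k;
        }
    }
    return 0;
}

int main(void)
{
    size_t n = sizeof ip_inbound / sizeof ip_inbound[0];
    printf("inbound IP : %u\n", (unsigned)run_filter(ip_inbound, n, in_ip, sizeof in_ip));
    printf("outbound IP: %u\n", (unsigned)run_filter(ip_inbound, n, out_ip, sizeof out_ip));
    printf("plain PPP  : %u\n", (unsigned)run_filter(ip_inbound, n, plain_ip, sizeof plain_ip));
    printf("truncated  : %u\n", (unsigned)run_filter(ip_inbound, n, runt, sizeof runt));
    return 0;
}
```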

