tcpdump mailing list archives
Re: core dump with PPP messages 1 byte long.
From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 7 Jul 2004 16:21:39 +1000 (EST)
I believe the sessions I am seeing start out with a conversation like this:
IP 1.1.1.1.1701 > 2.2.2.2.1701: l2tp:[TLS](24460/0)Ns=23236,Nr=646 *MSGTYPE(HELLO)
IP 2.2.2.2.1701 > 1.1.1.1.1701: l2tp:[TLS](4/0)Ns=646,Nr=23237 ZLB
IP 1.1.1.1.1701 > 2.2.2.2.1701: l2tp:[TLS](24460/0)Ns=23237,Nr=646 *MSGTYPE(HELLO)
IP 2.2.2.2.1701 > 1.1.1.1.1701: l2tp:[TLS](4/0)Ns=646,Nr=23238 ZLB
IP 1.1.1.1.1701 > 2.2.2.2.1701: l2tp:[TLS](24460/0)Ns=23238,Nr=646 *MSGTYPE(ICRQ) *ASSND_SESS_ID(3) *CALL_SER_NUM(4)
*CALLING_NUMBER(000000000000000) *SUB_ADDRESS(ABCD) *VENDOR0c7f:ATTR0067(000000000000000000000000)
*VENDOR0c7f:ATTR0065(0000)
IP 2.2.2.2.1701 > 1.1.1.1.1701: l2tp:[TLS](4/0)Ns=646,Nr=23239 ZLB
IP 2.2.2.2.1701 > 1.1.1.1.1701: l2tp:[TLS](4/3)Ns=646,Nr=23239 *MSGTYPE(ICRP) *ASSND_SESS_ID(3222)
IP 1.1.1.1.1701 > 2.2.2.2.1701: l2tp:[TLS](24460/3222)Ns=23239,Nr=647 *MSGTYPE(ICCN) *TX_CONN_SPEED(156000)
*FRAMING_TYPE(A) *VENDOR0c7f:ATTR0066(00000000000000000000000000) RX_CONN_SPEED(156000)
IP 2.2.2.2.1701 > 1.1.1.1.1701: l2tp:[LP](4/3) {LCP, Conf-Request (0x01), id 190, Magic-Num (5) 0x1fecaee1, MRU (1)
1500, ACCM (2) 0x00000000, Auth-Prot (3) CHAP, MD5, length 28}
IP 2.2.2.2.1701 > 1.1.1.1.1701: l2tp:[TLS](4/0)Ns=647,Nr=23240 ZLB
IP 1.1.1.1.1701 > 2.2.2.2.1701: l2tp:[TLS](24460/0)Ns=23240,Nr=647 ZLB
IP 1.1.1.1.1701 > 2.2.2.2.1701: l2tp:[L](24460/3222) {LCP, Conf-Request (0x01), id 6, ACCM (2) 0x00000000, Magic-Num
(5) 0x65f355dd, PFC (7), ACFC (8), length 23}
(sorry about all the 0's and IP#'s but...)
The closest thing I can find that comes close to what I'm looking at is:
http://www.ericsson.com/about/publications/review/2001_02/files/2001025.pdf
If ppp_hdlc() is called with length < 2, bad things happen. Should it be called *at all* from "handle_ppp()"?
The reason I've described it as L2TP/PPP with HDLC encoding inside that is that when I look at the files with ethereal, I see

+Frame
+Ethernet II
+Internet Protocol
+User Datagram Protocol
+Layer 2 Tunneling Protocol
+Point-to-Point Protocol
Data (x bytes)

Ethereal already understands GTP/GPRS (the other protocols I'm looking at.) But all of the real CDMA/1xRTT stuff is ITU defined (= $$ to obtain.)
> Or is that heuristic insufficient - in the example you gave, you indicate that the packet might be an empty PPP_VJNC packet rather than an HDLC-over-L2TP packet?
The example that caused the crash is what I would interpret to be an empty PPP_VJNC packet encoded with HDLC sent over L2TP.

Darren

This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
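As an added example, not code from tcpdump or from anyone in this thread: a bounds-checked parser for the PPP frame carried in an L2TP data message, with or without the HDLC address/control bytes (0xff 0x03) ahead of the PPP protocol field. It demonstrates the point being argued above, that a dissector has to decide what a 1- or 2-byte frame is before it reads any field: a single byte 0x2f is a legal protocol-field-compressed (PFC) frame for PPP_VJNC with an empty payload, whereas a bare 0xff 0x03 has no protocol field at all and must be rejected rather than read past. Protocol numbers are those of RFC 1661/1662 and the PPP assigned-numbers registry; the struct, function names and sample frames are mine and are constructed, not taken from the capture quoted in the mail.

```c
/* Added example (not tcpdump's code): length-checked PPP/HDLC frame parsing. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PPP_HDLC_ADDR 0xffu
#define PPP_HDLC_CTRL 0x03u
#define PPP_IP    0x0021u   /* IPv4 */
#define PPP_VJC   0x002du   /* VJ compressed TCP/IP */
#define PPP_VJNC  0x002fu   /* VJ uncompressed TCP/IP */
#define PPP_LCP   0xc021u   /* Link Control Protocol */

typedef struct {
    int had_hdlc;        /* 1 if the 0xff 0x03 address/control pair was present */
    unsigned proto;      /* 16-bit PPP protocol number (PFC expanded) */
    size_t hdr_len;      /* bytes consumed before the protocol payload */
    size_t payload_len;  /* bytes of payload after the protocol field */
} ppp_frame;

/* Parse one PPP frame. Returns 1 and fills *out on success, 0 on input that is
 * too short or malformed. Never reads beyond p[len-1]. */
int parse_ppp_hdlc(const uint8_t *p, size_t len, ppp_frame *out)
{
    size_t off = 0;

    if (p == NULL || out == NULL || len == 0)
        return 0;

    out->had_hdlc = 0;
    /* Optional HDLC framing: only claim it when both bytes are present. */
    if (len >= 2 && p[0] == PPP_HDLC_ADDR && p[1] == PPP_HDLC_CTRL) {
        out->had_hdlc = 1;
        off = 2;
    }

    /* A protocol field must follow; a bare 0xff 0x03 is not a frame. */
    if (off >= len)
        return 0;

    /* RFC 1661: under PFC a one-byte protocol field is odd; a two-byte field
     * has an even high byte and an odd low byte. */
    if (p[off] & 0x01u) {
        out->proto = p[off];
        off += 1;
    } else {
        if (len - off < 2)
            return 0;                     /* even first byte, second byte missing */
        out->proto = ((unsigned)p[off] << 8) | p[off + 1];
        if ((out->proto & 0x01u) == 0)
            return 0;                     /* low byte of a protocol number must be odd */
        off += 2;
    }

    out->hdr_len = off;
    out->payload_len = len - off;
    return 1;
}

const char *ppp_proto_name(unsigned proto)
{
    switch (proto) {
    case PPP_IP:   return "IP";
    case PPP_VJC:  return "VJ compressed TCP/IP";
    case PPP_VJNC: return "VJ uncompressed TCP/IP";
    case PPP_LCP:  return "LCP";
    default:       return "unknown";
    }
}

/* Constructed sample frames (assumption: illustrative, not from the capture). */
static const uint8_t sample_lcp_hdlc[]  = { 0xff, 0x03, 0xc0, 0x21, 0x01, 0x06, 0x00, 0x04 };
static const uint8_t sample_vjnc_pfc[]  = { 0x2f };              /* 1 byte: PFC VJNC, empty payload */
static const uint8_t sample_vjnc_hdlc[] = { 0xff, 0x03, 0x2f };  /* HDLC-framed empty VJNC */
static const uint8_t sample_bare_hdlc[] = { 0xff, 0x03 };        /* HDLC header, no protocol field */
static const uint8_t sample_half_proto[] = { 0xc0 };             /* first byte of a 2-byte protocol only */

int main(void)
{
    struct { const char *name; const uint8_t *p; size_t len; } cases[] = {
        { "lcp_hdlc",   sample_lcp_hdlc,   sizeof sample_lcp_hdlc },
        { "vjnc_pfc",   sample_vjnc_pfc,   sizeof sample_vjnc_pfc },
        { "vjnc_hdlc",  sample_vjnc_hdlc,  sizeof sample_vjnc_hdlc },
        { "bare_hdlc",  sample_bare_hdlc,  sizeof sample_bare_hdlc },
        { "half_proto", sample_half_proto, sizeof sample_half_proto },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        ppp_frame f;
        if (parse_ppp_hdlc(cases[i].p, cases[i].len, &f))
            printf("%-10s hdlc=%d proto=0x%04x (%s) hdr=%zu payload=%zu\n",
                   cases[i].name, f.had_hdlc, f.proto, ppp_proto_name(f.proto),
                   f.hdr_len, f.payload_len);
        else
            printf("%-10s rejected: too short or malformed\n", cases[i].name);
    }
    return 0;
}
```

The two short cases are the ones that matter for the crash under discussion: a lone 0x2f parses cleanly as an empty PPP_VJNC frame, while 0xff 0x03 with nothing after it, or a lone even byte, is rejected before any field is read. Whatever heuristic handle_ppp() uses to guess between HDLC-framed and bare PPP, the length check has to come first, since both interpretations of a 1-byte buffer otherwise lead to reading a second byte that is not there.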
Current thread:
- core dump with PPP messages 1 byte long. Darren Reed (Jul 05)
- Re: core dump with PPP messages 1 byte long. Guy Harris (Jul 06)
- Re: core dump with PPP messages 1 byte long. Darren Reed (Jul 06)
- Re: core dump with PPP messages 1 byte long. Guy Harris (Jul 07)
- Re: core dump with PPP messages 1 byte long. Darren Reed (Jul 07)
- Re: core dump with PPP messages 1 byte long. Motonori Shindo (Jul 08)
- Re: core dump with PPP messages 1 byte long. Darren Reed (Jul 06)
- Re: core dump with PPP messages 1 byte long. Guy Harris (Jul 06)
