Re: multicast & icmp packet printing

[Larry Platzek <larryp () inow com>]

On Thu, 27 Mar 2003, Guy Harris wrote:

> Date: Thu, 27 Mar 2003 12:07:00 -0800
> From: Guy Harris <guy () alum mit edu>
> To: Larry Platzek <larryp () inow com>
> Cc: tcpdump-workers () tcpdump org
> Subject: Re: [tcpdump-workers] multicast & icmp packet printing
>
> On Thu, Mar 27, 2003 at 07:05:45AM -0800, Larry Platzek wrote:
> > > On Wed, Mar 19, 2003 at 02:44:23PM -0800, Larry Platzek wrote:
> > > > tcpdump -i ppp0 'ether[0] & 1 != 0'
> > > > This shows the multicast packets.
> > >
> > > ppp0?  What's the definition of a "multicast packet" over PPP?
> > Not really sure but anything from 224.???.???.???.
>
> That's an IP multicast, but there's no such thing as a multicast at the
> PPP level (that's what the first two "P"s in "PPP" imply).
>
> Your capture was done on Linux; given various suckages in the way
> PF_PACKET and PPP on Linux work together, it's done in "cooked mode",
> which means that the first 2 bytes of the link-layer header are an
> indication of the direction in which the packet was sent - 0 if
> received, 4 if sent.
>
> The first of those bytes is always 0, as the direction field is in host
> byte order; "ether[0]" tests the first byte of the link-layer header
> (regardless of whether it's an Ethernet header or not), and thus,
> testing whether the bottommost bit of that byte is non-zero will match
> *NO* packets - and, in fact, if I do
>
>       tcpdump -n -r tcpdmp2.log 'ether[0] & 1 != 0'
>
> on your capture, no packets show up.
>
> "ether[0] & 1 != 0" would, *in an Ethernet capture*, test for
> multicast/broadcast packets.  On a PPP capture, however, it would do no
> such thing - and, as there's no notion of a multicast or broadcast
> packet at the PPP layer, there is no test you can do, on a PPP link, to
> find multicast packets at the link layer.  You'd have to check for
> multicast IP addresses.

Thank You Guy!
I like getting an answer, PLUS the why!
I tried using 'ip[16]=224' which seems to work also tried 'ip multicast'
and that seems to work. Is one method better than the other?

I think the expression I want is 'ip multicast or icmp[0] =8 or icmp[0]=0'
this seems to be working for tcpdump.

I need to take the expression and place it on pppd's active-filter
statement to allow idle timeout to happen. The ip multicast does work as
long as icmp echo requests and echo replies are not sent.
I would be happy for an answer to make pppd work correctly but I know that
this is off topic for this list.


Larry Platzek  larryp () inow com

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe