tcpdump mailing list archives

Re: Patch to print out IP data in PPP HDLC packets

From: Stephen Donnelly <stephen () endace com>
Date: Mon, 05 Jul 2004 08:54:00 +1200

Normally a NIC or interface providing access to an HDLC link/network wouldperform de-bytestuffing internally before the packets ever get to libpcap.Obviously de-bytestuffing a packet twice can corrupt data. Do we reallywant to have de-bytestuffing code in libpcap?

Surely at minimum it should be off by default and selectable as an optionperhaps, if necessary?


Stephen.

Hannes Gredler wrote:

On Thu, Jul 01, 2004 at 09:32:26PM +1000, Darren Reed wrote:
| I've been using this patch to print IP packets inside PPP HDLC
| frames found in raw 1xRTT traffic.  I've been able to find few
| details on the actual PPP header format apart from what "0x7eff"
| means and observing traffic for 0x7e21.  The end result is extra
| output of the form "{ PPP HDLC IP 1.2.3.4 > 2.3.4.5: GREv1call 0....}"

|| It may not be particularly efficient because it malloc's a new

| buffer for each packet (rather than using a static buffer) but
| better that than limit the program's capabilities w.r.t recursive
| decoding was what I decided.

|| Darren


darren,

thanks for your submission - i have checked in the attached patch;

/hannes


------------------------------------------------------------------------

Index: print-ppp.c
===================================================================
RCS file: /tcpdump/master/tcpdump/print-ppp.c,v
retrieving revision 1.95
diff -u -r1.95 print-ppp.c
--- print-ppp.c 2 Jul 2004 06:32:47 -0000       1.95
+++ print-ppp.c 2 Jul 2004 20:15:32 -0000
@@ -47,6 +47,7 @@

#include <pcap.h>

 #include <stdio.h>
+#include <stdlib.h>

#include "interface.h"

 #include "extract.h"
@@ -370,6 +371,7 @@
 static int print_ccp_config_options (const u_char *p, int);
 static int print_bacp_config_options (const u_char *p, int);
 static void handle_ppp (u_int proto, const u_char *p, int length);
+static void ppp_hdlc(const u_char *p, int length);

/* generic Control Protocol (e.g. LCP, IPCP, CCP, etc.) handler */

 static void
@@ -1052,10 +1054,81 @@
 }

+static void

+ppp_hdlc(const u_char *p, int length)
+{
+       u_char *b, *s, *t, c;
+       int i, proto;
+       const void *se;
+
+       b = (u_int8_t *)malloc(length);
+       if (b == NULL)
+               return;
+
+       /*
+        * Unescape all the data into a temporary, private, buffer.
+        * Do this so that we dont overwrite the original packet
+        * contents.
+        */
+       for (s = (u_char *)p, t = b, i = length; i > 0; i--) {
+               c = *s++;
+               if (c == 0x7d) {
+                       if (i > 1) {
+                               i--;
+                               c = *s++ ^ 0x20;
+                       } else
+                               continue;
+               }
+               *t++ = c;
+       }
+
+       se = snapend;
+       snapend = t;
+
+        /* now lets guess about the payload codepoint format */
+        proto = *b; /* start with a one-octet codepoint guess */

++ switch (proto) {

+        case PPP_IP:
+            ip_print(b+1, t - b - 1);
+            goto cleanup;
+#ifdef INET6
+        case PPP_IPV6:
+            ip6_print(b+1, t - b - 1);
+            goto cleanup;
+#endif
+        default: /* no luck - try next guess */
+            break;
+        }
+
+        proto = EXTRACT_16BITS(b); /* next guess - load two octets */
+
+        switch (proto) {
+        case 0xff03: /* looks like a PPP frame */
+            proto = EXTRACT_16BITS(b+2); /* load the PPP proto-id */
+            handle_ppp(proto, b+4, t - b - 4);
+            break;
+        default: /* last guess - proto must be a PPP proto-id */
+            handle_ppp(proto, b+2, t - b - 2);
+            break;
+        }
+
+cleanup:
+        snapend = se;
+       free(b);
+        return;
+}
+
+
 /* PPP */
 static void
 handle_ppp(u_int proto, const u_char *p, int length)
 {
+        if ((proto & 0xff00) == 0x7e00) {/* is this an escape code ? */
+            ppp_hdlc(p-1, length);
+            return;
+        }
+
        switch (proto) {
        case PPP_LCP:
        case PPP_IPCP:


--
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.

Current thread:

Patch to print out IP data in PPP HDLC packets Darren Reed (Jul 01)
- Re: Patch to print out IP data in PPP HDLC packets Hannes Gredler (Jul 01)
  - Re: Patch to print out IP data in PPP HDLC packets Darren Reed (Jul 01)
    - Re: Patch to print out IP data in PPP HDLC packets Hannes Gredler (Jul 02)
    - Re: Patch to print out IP data in PPP HDLC packets Guy Harris (Jul 02)
    - Re: Patch to print out IP data in PPP HDLC packets Darren Reed (Jul 02)
- Re: Patch to print out IP data in PPP HDLC packets Hannes Gredler (Jul 02)
  - Re: Patch to print out IP data in PPP HDLC packets Stephen Donnelly (Jul 04)
    - Re: Patch to print out IP data in PPP HDLC packets Darren Reed (Jul 05)
    - Re: Patch to print out IP data in PPP HDLC packets Guy Harris (Jul 05)