tcpdump mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Patch to print out IP data in PPP HDLC packets

From: Hannes Gredler <hannes () juniper net>
Date: Thu, 1 Jul 2004 14:20:37 +0200
darren,

can we have a .pcap sample showing such a frame for
the /tests directory ?

/hannes

On Thu, Jul 01, 2004 at 09:32:26PM +1000, Darren Reed wrote:
| I've been using this patch to print IP packets inside PPP HDLC
| frames found in raw 1xRTT traffic.  I've been able to find few
| details on the actual PPP header format apart from what "0x7eff"
| means and observing traffic for 0x7e21.  The end result is extra
| output of the form "{ PPP HDLC IP 1.2.3.4 > 2.3.4.5: GREv1call 0....}"
| 
| It may not be particularly efficient because it malloc's a new
| buffer for each packet (rather than using a static buffer) but
| better that than limit the program's capabilities w.r.t recursive
| decoding was what I decided.
| 
| Darren
| 
| *** print-ppp.c.orig  Wed Mar 24 14:30:06 2004
| --- print-ppp.c       Thu Jul  1 21:01:59 2004
| ***************
| *** 370,375 ****
| --- 370,376 ----
|   static int print_ccp_config_options (const u_char *p, int);
|   static int print_bacp_config_options (const u_char *p, int);
|   static void handle_ppp (u_int proto, const u_char *p, int length);
| + static int ppp_hdlc(const u_int proto, const u_char *p, int length);
|   
|   /* generic Control Protocol (e.g. LCP, IPCP, CCP, etc.) handler */
|   static void
| ***************
| *** 1052,1057 ****
| --- 1053,1109 ----
|   }
|   
|   
| + static int
| + ppp_hdlc(const u_int proto, const u_char *p, int length)
| + {
| +     u_char *b, *s, *t, c;
| +     int i, l, offset;
| +     const void *se;
| + 
| +     switch (proto & 0xff)
| +     {
| +     case 0xff :
| +             if (p[0] != 3 || p[1] != 0 || p[2] != 0x21)
| +                     return -1;
| +             offset = 3;
| +             break;
| +     case 0x21 :
| +             offset = 0;
| +             break;
| +     default :
| +             return -1;
| +     }
| + 
| +     b = (u_char *)malloc(length);
| +     if (b == NULL)
| +             return -1;
| + 
| +     /*
| +      * Unescape all the data into a temporary, private, buffer.
| +      * Do this so that we dont overwrite the original packet
| +      * contents.
| +      */
| +     for (s = (u_char *)p + offset, t = b, i = length; i > 0; i--) {
| +             c = *s++;
| +             if (c == 0x7d) {
| +                     if (i > 1) {
| +                             i--;
| +                             c = *s++ ^ 0x20;
| +                     } else
| +                             continue;
| +             }
| +             *t++ = c;
| +     }
| + 
| +     printf("PPP-HDLC ");
| +     se = snapend;
| +     snapend = t;
| +     ip_print(b, t - b);
| +     snapend = se;
| +     free(b);
| + }
| + 
| + 
|   /* PPP */
|   static void
|   handle_ppp(u_int proto, const u_char *p, int length)
| ***************
| *** 1097,1105 ****
|               mpls_print(p, length);
|               break;
|       default:
| !                 printf("unknown PPP protocol (0x%04x)", proto);
| !                 print_unknown_data(p,"\n\t",length);
| !                 break;
|       }
|   }
|   
| --- 1149,1159 ----
|               mpls_print(p, length);
|               break;
|       default:
| !             if (((proto >> 8) != 0x7e) || (ppp_hdlc(proto, p, length) == -1)) {
| !                     printf("unknown PPP protocol (0x%04x)}", proto);
| !                     print_unknown_data(p,"\n\t",length);
| !             }
| !             break;
|       }
|   }
|   
| -
| This is the tcpdump-workers list.
| Visit https://lists.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
Previous By Date Next
Previous By Thread Next

Current thread: