Wireshark mailing list archives

Re: Filtering pppoe packets

From: msher3 () gmail com
Date: Wed, 2 Jun 2010 19:06:55 +0200

Thanks alot,
Following your advice I could actually capture...
One question is still opened though-
Are the offsets of the internal fields of the packets(like *ipheader, *udp
etc) also shifted comparing to those under standard packets?
Regards
I. Lesher


On Wed, Jun 2, 2010 at 10:01 AM, Guy Harris <guy () alum mit edu> wrote:

If you're capturing traffic on an Ethernet interface, and some or all of
that traffic is PPPoE (rather than, for example, capturing on a PPP device
that happens to use PPPoE), to filter on the PPPoE content you have to do

       pppoes and {filter}

so that, for example, if you want all UDP PPPoE traffic, you need to say

       pppoes and udp

The pcap-filter man page in libpcap 1.0.0 and later (and the tcpdump man
page for the pre-4.0 versions of tcpdump released at the same time as
pre-1.0 versions of libpcap) says:

      pppoes True if the packet is a PPP-over-Ethernet Session packet
(Ether-
             net  type  0x8864).   Note that the first pppoes keyword
encoun-
             tered in expression changes the decoding offsets for the
remain-
             der  of  expression on the assumption that the packet is a
PPPoE
             session packet.

             For example:
                  pppoes && ip
             filters IPv4 protocols encapsulated in PPPoE.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org
?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

Filtering pppoe packets msher3 (Jun 01)
- Re: Filtering pppoe packets Guy Harris (Jun 02)
  - Re: Filtering pppoe packets msher3 (Jun 02)
    - Re: Filtering pppoe packets Guy Harris (Jun 02)