
ask.wireshark.org/feeds/question/24957
Preview meta tags from the ask.wireshark.org website.
General Meta Tags
- title: Ask Wireshark - RSS feed
- title: Capture filter pppoes does not work as expected
- title: Answer by cmaynard for:

  Dear all, I try to capture packets from a customer whose last byte ends in 1. My capture has two parts: packets sent and received. The first part is like this:

      ( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 )

  This capture filter works well. The second part:

      ( ether src 00:00:00:00:00:01 and pppoes and ip[15:1]&0x0f=0x01 )

  This capture filter works well also. But when I combine the two of them, the filter bar is red (it seems the filter syntax is wrong):

      ( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or ( ether src 00:00:00:00:00:01 and pppoes and ip[15:1]&0x0f=0x01 )

  Please help me to fix the capture filter syntax. Thanks so much.
- title: Comment by cmaynard for:

  "What's needed is support for pppoes src and pppoes dst or some other work around."

  The work-around (and as far as I'm aware the only way to handle this) is to avoid using pppoes, at least in the first expression. What we need to be able to do is to construct the equivalent BPF without using pppoes. First, what does the BPF look like if we do use pppoes? Well, it looks like this:

      dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01"
      (000) ld       [2]
      (001) jeq      #0x1             jt 2    jf 12
      (002) ldh      [0]
      (003) jeq      #0x0             jt 4    jf 12
      (004) ldh      [12]
      (005) jeq      #0x8864          jt 6    jf 12
      (006) ldh      [20]
      (007) jeq      #0x21            jt 8    jf 12
      (008) ldb      [41]
      (009) and      #0xf
      (010) jeq      #0x1             jt 11   jf 12
      (011) ret      #262144
      (012) ret      #0

  What is this doing?

  - First, it's checking that the Ethernet destination address is 00:00:00:00:00:01. It's doing this in 2 parts: (1) the last 4 bytes are 00:00:00:01 and (2) the first 2 bytes are 00:00. These are instructions 000-003.
  - Second, it's checking that the Ethertype is 0x8864, which is the IANA-assigned Ethertype (https://www.iana.org/assignments/ieee-802-numbers/ieee-802-numbers.xhtml) for "PPP over Ethernet (PPPoE) Session Stage". These are instructions 004-005.
  - Third, it's checking that the PPP Protocol ID (https://datatracker.ietf.org/doc/html/rfc8822#section-2) is IPv4 (https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-2). These are instructions 006-007.
  - Fourth, it's checking that the lower nibble of the last octet of the destination IP address is 1. These are instructions 008-010.

  (The breakdown of the other expression is quite similar, except for the changes to the offsets for comparing the Ethernet source address and the lower nibble of the last octet of the IPv4 source address. That breakdown and analysis is left as an exercise for the reader.)

  To reproduce this same BPF without using the pppoes keyword then, we simply need to manually specify all the offsets. Here is such a filter that accomplishes that, with BPF included for comparison:

      dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01"
      (000) ld       [2]
      (001) jeq      #0x1             jt 2    jf 12
      (002) ldh      [0]
      (003) jeq      #0x0             jt 4    jf 12
      (004) ldh      [12]
      (005) jeq      #0x8864          jt 6    jf 12
      (006) ldh      [20]
      (007) jeq      #0x21            jt 8    jf 12
      (008) ldb      [41]
      (009) and      #0xf
      (010) jeq      #0x1             jt 11   jf 12
      (011) ret      #262144
      (012) ret      #0

  Now all that's needed is to or the two expressions together. This can be done in 1 of 2 ways, the first being a bit easier because now we can use the pppoes keyword:

      dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01 ...
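The offset arithmetic behind the comment above (14 bytes of Ethernet, 6 bytes of PPPoE session header, 2 bytes of PPP Protocol ID, so ip[N] sits at ether[22+N]) worked through in code, as an added example that is not from the thread or from Wireshark; build_filter, matches and make_frame are hypothetical helper names and the frames are constructed test data. It generalizes the keyword-free filter to any customer MAC and applies the same checks the BPF program makes to a frame, so the expected match and non-match cases (wrong nibble, PPPoE Discovery EtherType, wrong direction) can be verified offline.

```python
import struct

# Assumed PPPoE Session frame layout, matching the BPF offsets quoted in the comment:
#   ether[0:6] dst MAC | ether[6:6] src MAC | ether[12:2] EtherType 0x8864
#   ether[14:6] PPPoE header | ether[20:2] PPP Protocol ID (0x0021 = IPv4) | ether[22:] IPv4
PPPOE_SESSION = 0x8864
PPP_IPV4 = 0x0021
IP_OFFSET = 14 + 6 + 2          # so ip[19] is ether[41] and ip[15] is ether[37]


def build_filter(mac: str) -> str:
    """Keyword-free filter equivalent to the OR of the two pppoes expressions, for any MAC."""
    common = f"ether[12:2] = {PPPOE_SESSION:#06x} and ether[20:2] = {PPP_IPV4:#06x}"
    return (f"(ether dst {mac} and {common} and ether[{IP_OFFSET + 19}:1] & 0x0f = 0x01) or "
            f"(ether src {mac} and {common} and ether[{IP_OFFSET + 15}:1] & 0x0f = 0x01)")


def matches(frame: bytes, mac: str) -> bool:
    """Apply the same checks the BPF program makes, one fixed offset at a time."""
    target = bytes.fromhex(mac.replace(":", ""))
    if len(frame) < IP_OFFSET + 20:          # no full IPv4 header: a load past the end rejects
        return False
    if struct.unpack_from("!H", frame, 12)[0] != PPPOE_SESSION:   # instructions 004-005
        return False
    if struct.unpack_from("!H", frame, 20)[0] != PPP_IPV4:        # instructions 006-007
        return False
    to_customer = frame[0:6] == target and frame[IP_OFFSET + 19] & 0x0F == 0x01
    from_customer = frame[6:12] == target and frame[IP_OFFSET + 15] & 0x0F == 0x01
    return to_customer or from_customer


def make_frame(dst, src, ip_src, ip_dst, ethertype=PPPOE_SESSION, ppp=PPP_IPV4) -> bytes:
    """Constructed test frame: Ethernet + PPPoE session header + PPP ID + bare IPv4 header."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))

    def ip4(a):
        return bytes(int(o) for o in a.split("."))

    eth = mac(dst) + mac(src) + struct.pack("!H", ethertype)
    # ver/type 0x11, code 0x00, session id 1, length 22 (PPP ID + 20-byte IPv4 header), PPP ID
    pppoe = bytes([0x11, 0x00]) + struct.pack("!HHH", 0x0001, 22, ppp)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = bytes([0x45, 0x00]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0) + ip4(ip_src) + ip4(ip_dst)
    return eth + pppoe + ip


if __name__ == "__main__":
    customer = "00:00:00:00:00:01"
    print(build_filter(customer))
    print(matches(make_frame(customer, "00:11:22:33:44:55", "10.0.0.9", "192.168.1.17"), customer))
```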