strip layers for pppoe and other layer #84
Comments
|
One thing you might want to try is setting the layer-2 decoder from the command line (Dshell defaults to ethernet.Ethernet). For example, you can try something along the lines of:
That --layer2 argument works by setting the first dpkt module to use when decoding a raw packet. In that example, we're telling it to use the PPP class in the ppp (Point-to-Point Protocol) module. I looked briefly at the dpkt source code for ppp.py, however, and noticed an unsettling I've never, personally, worked with that protocol before, so I don't have any pcap to test my recommendation out. Is there any possibility for you to share the pcap you're using? I understand if that's impossible, but it would help us figure out a solution if the problem persists. Let us know if that doesn't help, and we can dig further to figure something out for you. |
|
Here is an sample pcap with pppoe layer. I've tried the |
|
The --strip=n option is designed to remove extra Layer 2 headers before the IP header. In the case of PPPoE we have Ethernet( PPPoE( PPP( IP(...) ) ) ). Dshell's IP decoder expects Layer2( IP(...) ) so we need to remove 2 layers with The other gotcha is the default BPF filter for the DNS decoder is |
|
Thanks for that, strangely I get different output using the same capture file, see below:
|
|
1744f7a fixes that. Grab the latest master branch. |
Hi
I can't seem to get dshell working with pcaps saved to disk or traffic from an interface.
In wireshark the traffic has the pppoe layer above the ethernet layer, and another layer above the pppoe one, which wireshark calls 'Point-to-point Protocol' and is 2 bytes in length.
I've started dshell with --strip= all numbers from 1 to 6, with nothing happening, the pcap definitely has dns traffic in it. --strip requires an int, so what should I give it?
Many thanks
The text was updated successfully, but these errors were encountered: