
Revision history

initial version

This is worthy of an issue on the tcpdump GitHub issues.

After the first pppoes, the packet is no longer considered to be Ethernet (type 0x0800) so the second ether is not valid. What's needed is support for pppoes src and pppoes dst or some other workaround.

To look inside a capture filter, use dumpcap -d to dump the byte code for the filter:

~$ dumpcap.exe -i 5 -d -f "( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 )"
Capturing on 'Ethernet'
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 12
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 12
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 12
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 12
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #262144
(012) ret      #0

After the pppoes, it is no longer considered Ethernet 0x0800, so the second ether src fails.

~$ dumpcap.exe -i 5 -d -f "(( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or (ether src 00:00:00:00:00:01))"
Capturing on 'Ethernet'
dumpcap: Invalid capture filter "(( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or (ether src 00:00:00:00:00:01))" for interface '\Device\NPF_xxx'.

That string isn't a valid capture filter (ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel).
See the User's Guide for a description of the capture filter syntax.

If libpcap supported a frame protocol to look at the byte level, then a lower-level filter for the src and dst addresses could be created, but it doesn't, so you can't.
(pcap-filter.7 - syntax for capture filters)

This is worthy of an issue on the tcpdump libpcap GitHub issues.

After the first pppoes, the packet is no longer considered to be Ethernet (type 0x0800) so the second ether is not valid. What's needed is support for pppoes src and pppoes dst or some other workaround.

To look inside a capture filter, use dumpcap -d to dump the byte code for the filter:

~$ dumpcap.exe -i 5 -d -f "( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 )"
Capturing on 'Ethernet'
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 12
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 12
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 12
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 12
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #262144
(012) ret      #0

After the pppoes, it is no longer considered Ethernet 0x0800, so the second ether src fails.

~$ dumpcap.exe -i 5 -d -f "(( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or (ether src 00:00:00:00:00:01))"
Capturing on 'Ethernet'
dumpcap: Invalid capture filter "(( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or (ether src 00:00:00:00:00:01))" for interface '\Device\NPF_xxx'.

That string isn't a valid capture filter (ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel).
See the User's Guide for a description of the capture filter syntax.

If libpcap supported a frame protocol to look at the byte level, then a lower-level filter for the src and dst addresses could be created, but it doesn't, so you can't.
(pcap-filter.7 - syntax for capture filters)

This is worthy of an issue on the libpcap GitHub issues.

After the first pppoes, the packet is no longer considered to be Ethernet (type 0x0800) so the second ether is not valid. What's needed is support for pppoes src and pppoes dst or some other workaround.

To look inside a capture filter, use dumpcap -d to dump the byte code for the filter:

~$ dumpcap.exe -i 5 -d -f "( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 )"
Capturing on 'Ethernet'
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 12
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 12
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 12
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 12
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #262144
(012) ret      #0

The check of [12] for #0x8864 is looking for pppoes in the Ethernet Type bytes.

After the pppoes, it is no longer considered Ethernet 0x0800, so the second ether src fails.

~$ dumpcap.exe -i 5 -d -f "(( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or (ether src 00:00:00:00:00:01))"
Capturing on 'Ethernet'
dumpcap: Invalid capture filter "(( ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01 ) or (ether src 00:00:00:00:00:01))" for interface '\Device\NPF_xxx'.

That string isn't a valid capture filter (ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel).
See the User's Guide for a description of the capture filter syntax.

If libpcap supported a frame protocol to look at the byte level, then a lower-level filter for the src and dst addresses could be created, but it doesn't, so you can't.
(pcap-filter.7 - syntax for capture filters)
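To make the dumped byte code concrete, here is an added example (not part of the answer above and not libpcap or Wireshark code): a small interpreter for the subset of classic BPF that the dumpcap -d listing uses, run against constructed PPPoE session frames. The MAC addresses, session id and IP addresses in the frames are made up; the program text is the listing from the answer. Executing it shows why the offsets are [12] (EtherType, expecting 0x8864 for a PPPoE session), [20] (PPP protocol, 0x0021 for IPv4) and [41] (14 Ethernet + 6 PPPoE + 2 PPP = 22 bytes before the IPv4 header, so ip[19] is frame byte 41), and that the `ether dst` clause was compiled into loads at absolute frame offsets 0 and 2, which is exactly what the compiler refuses to produce for `ether src` once pppoes has changed the assumed link layer.

```python
"""Interpreter for the cBPF listing printed by `dumpcap -d` / `tcpdump -d`.

Added example, not code from the original post. It executes the filter program
shown in the answer against constructed PPPoE session frames so that each load
offset can be traced to a header field. Only the opcodes that appear in the
listing are implemented: ld, ldh, ldb, and, jeq, ret.
"""
import re
import struct

# The program exactly as dumpcap -d printed it in the answer.
BPF_LISTING = """\
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 12
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 12
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 12
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 12
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #262144
(012) ret      #0
"""

# One listing line: "(nnn) op [offset]" or "(nnn) op #imm [jt N jf M]".
INSN_RE = re.compile(
    r"\(\d+\)\s+(?P<op>\w+)\s+(?:\[(?P<off>\d+)\]|#(?P<imm>0x[0-9a-fA-F]+|\d+))"
    r"(?:\s+jt\s+(?P<jt>\d+)\s+jf\s+(?P<jf>\d+))?"
)


def parse_listing(text):
    """Turn the textual listing into a list of (op, operand, jt, jf) tuples."""
    program = []
    for line in text.strip().splitlines():
        m = INSN_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse listing line: {line!r}")
        operand = int(m["off"]) if m["off"] is not None else int(m["imm"], 0)
        jt = int(m["jt"]) if m["jt"] else None
        jf = int(m["jf"]) if m["jf"] else None
        program.append((m["op"], operand, jt, jf))
    return program


def run_filter(program, frame):
    """Run the program on a raw frame; return the accepted length (0 = reject).

    Like real cBPF, a load past the end of the packet rejects it.
    """
    widths = {"ld": 4, "ldh": 2, "ldb": 1}
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = program[pc]
        if op in widths:
            width = widths[op]
            if k + width > len(frame):
                return 0
            acc = int.from_bytes(frame[k:k + width], "big")
            pc += 1
        elif op == "and":
            acc &= k
            pc += 1
        elif op == "jeq":
            pc = jt if acc == k else jf
        elif op == "ret":
            return k
        else:
            raise ValueError(f"unsupported opcode {op!r}")


PROGRAM = parse_listing(BPF_LISTING)

# Constructed addresses for the sample frames (not from any real capture).
MAC_1 = bytes.fromhex("000000000001")
MAC_2 = bytes.fromhex("000000000002")


def ipv4_byte_offset(n):
    """Frame offset of ip[n] inside a PPPoE session frame: Ethernet 14 + PPPoE 6 + PPP proto 2."""
    return 14 + 6 + 2 + n


def _ipv4_header(dst_last_octet):
    # Minimal 20-byte IPv4 header; only the destination's last octet matters here.
    fixed = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    return fixed + bytes([10, 0, 0, 2]) + bytes([10, 0, 0, dst_last_octet])


def pppoe_session_frame(dst_mac, src_mac, dst_last_octet):
    """Constructed PPPoE session (EtherType 0x8864) frame carrying IPv4 over PPP."""
    ipv4 = _ipv4_header(dst_last_octet)
    eth = dst_mac + src_mac + struct.pack("!H", 0x8864)
    # PPPoE: ver/type 0x11, code 0x00 (session), session id 1, payload length.
    pppoe = bytes([0x11, 0x00]) + struct.pack("!HH", 0x0001, len(ipv4) + 2)
    ppp_proto = struct.pack("!H", 0x0021)          # PPP protocol: IPv4
    return eth + pppoe + ppp_proto + ipv4


def plain_ipv4_frame(dst_mac, src_mac, dst_last_octet):
    """Constructed plain Ethernet/IPv4 frame (EtherType 0x0800), no PPPoE."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + _ipv4_header(dst_last_octet)


if __name__ == "__main__":
    print("ip[19] lives at frame byte", ipv4_byte_offset(19))
    print("pppoe, dst ok, ip dst ...1 ->", run_filter(PROGRAM, pppoe_session_frame(MAC_1, MAC_2, 1)))
    print("pppoe, dst ok, ip dst ...2 ->", run_filter(PROGRAM, pppoe_session_frame(MAC_1, MAC_2, 2)))
    print("pppoe, wrong dst mac       ->", run_filter(PROGRAM, pppoe_session_frame(MAC_2, MAC_1, 1)))
    print("plain ipv4, no pppoe       ->", run_filter(PROGRAM, plain_ipv4_frame(MAC_1, MAC_2, 1)))
```

The two loads at the top of the program (ld [2], then ldh [0]) compare the six destination MAC bytes in two pieces, a 32-bit load at offset 2 and a 16-bit load at offset 0, against 00:00:00:00:00:01; everything after that assumes the PPPoE session layout, which is why the plain 0x0800 frame is rejected at instruction 5 before any IP byte is examined.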