Revision history

revision 1: initial version

What's needed is support for pppoes src and pppoes dst or some other work around.

The work-around (and as far as I'm aware the only way to handle this) is to avoid using pppoes, at least in the first expression. What we need to be able to do is to construct the equivalent BPF without using pppoes. First, what does the BPF look like if we do use pppoes? Well, it looks like this:

dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01"
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 12
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 12
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 12
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 12
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #262144
(012) ret      #0

What is this doing?

  • First, it's checking that the Ethernet destination address is 00:00:00:00:00:01. It's doing this in 2 parts: (1) the last 4 bytes is 00:00:00:01 and (2) the first 2 bytes are 00:00. These are instructions 000-003.
  • Second, it's checking that the Ethertype is 0x8864, which is the IANA-assigned Ethertype for "PPP over Ethernet (PPPoE) Session Stage". These are instructions 004-005.
  • Third, it's checking that the PPP Protocol ID is IPv4. These are instructions 006-007.
  • Fourth, it's checking that the last octet of the destination IP address is odd, i.e., "ends in 1". These are instructions 008-010.

(The breakdown of the other expression is quite similar, except for the changes to the offsets for comparing the Ethernet source address and the last octet of the IPv4 source address. That breakdown and analysis is left as an exercise for the reader.)

To reproduce this same BPF without using the pppoes keyword then, we simply need to manually specify all the offsets. Here is such a filter that accomplishes that, with BPF included for comparison:

dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01"
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 12
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 12
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 12
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 12
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #262144
(012) ret      #0

Now all that's needed is to or the two expressions together. This can be done in 1 of 2 ways, the first being a bit easier because now we can use the pppoes keyword:

dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01) or (ether src 00:00:00:00:00:01 and pppoes and ip[15:1] & 0x0f =0x01)"
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 11
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 11
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 11
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 11
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 22   jf 11
(011) ld       [8]
(012) jeq      #0x1             jt 13   jf 23
(013) ldh      [6]
(014) jeq      #0x0             jt 15   jf 23
(015) ldh      [12]
(016) jeq      #0x8864          jt 17   jf 23
(017) ldh      [20]
(018) jeq      #0x21            jt 19   jf 23
(019) ldb      [37]
(020) and      #0xf
(021) jeq      #0x1             jt 22   jf 23
(022) ret      #262144
(023) ret      #0

And the second way, without using the pppoes keyword at all:

dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01) or (ether src 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[37:1] & 0x0f = 0x01)"
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 11
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 11
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 11
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 11
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 22   jf 11
(011) ld       [8]
(012) jeq      #0x1             jt 13   jf 23
(013) ldh      [6]
(014) jeq      #0x0             jt 15   jf 23
(015) ldh      [12]
(016) jeq      #0x8864          jt 17   jf 23
(017) ldh      [20]
(018) jeq      #0x21            jt 19   jf 23
(019) ldb      [37]
(020) and      #0xf
(021) jeq      #0x1             jt 22   jf 23
(022) ret      #262144
(023) ret      #0

What's needed is support for pppoes src and pppoes dst or some other work around.

The work-around (and as far as I'm aware the only way to handle this) is to avoid using pppoes, at least in the first expression. What we need to be able to do is to construct the equivalent BPF without using pppoes. First, what does the BPF look like if we do use pppoes? Well, it looks like this:

dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and pppoes and ip[19:1]&0x0f=0x01"
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 12
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 12
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 12
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 12
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #262144
(012) ret      #0

What is this doing?

  • First, it's checking that the Ethernet destination address is 00:00:00:00:00:01. It's doing this in 2 parts: (1) the last 4 bytes is 00:00:00:01 and (2) the first 2 bytes are 00:00. These are instructions 000-003.
  • Second, it's checking that the Ethertype is 0x8864, which is the IANA-assigned Ethertype for "PPP over Ethernet (PPPoE) Session Stage". These are instructions 004-005.
  • Third, it's checking that the PPP Protocol ID is IPv4. These are instructions 006-007.
  • Fourth, it's checking that the lower nibble of the last octet of the destination IP address is odd, i.e., "ends in 1". These are instructions 008-010.

(The breakdown of the other expression is quite similar, except for the changes to the offsets for comparing the Ethernet source address and the lower nibble of the last octet of the IPv4 source address. That breakdown and analysis is left as an exercise for the reader.)

To reproduce this same BPF without using the pppoes keyword then, we simply need to manually specify all the offsets. Here is such a filter that accomplishes that, with BPF included for comparison:

dumpcap.exe -d -f "ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01"
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 12
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 12
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 12
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 12
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 11   jf 12
(011) ret      #262144
(012) ret      #0

Now all that's needed is to or the two expressions together. This can be done in 1 of 2 ways, the first being a bit easier because now we can use the pppoes keyword:

dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01) or (ether src 00:00:00:00:00:01 and pppoes and ip[15:1] & 0x0f =0x01)"
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 11
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 11
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 11
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 11
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 22   jf 11
(011) ld       [8]
(012) jeq      #0x1             jt 13   jf 23
(013) ldh      [6]
(014) jeq      #0x0             jt 15   jf 23
(015) ldh      [12]
(016) jeq      #0x8864          jt 17   jf 23
(017) ldh      [20]
(018) jeq      #0x21            jt 19   jf 23
(019) ldb      [37]
(020) and      #0xf
(021) jeq      #0x1             jt 22   jf 23
(022) ret      #262144
(023) ret      #0

And the second way, without using the pppoes keyword at all:

dumpcap.exe -d -f "(ether dst 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[41:1] & 0x0f = 0x01) or (ether src 00:00:00:00:00:01 and ether[12:2] = 0x8864 and ether[20:2] = 0x0021 and ether[37:1] & 0x0f = 0x01)"
(000) ld       [2]
(001) jeq      #0x1             jt 2    jf 11
(002) ldh      [0]
(003) jeq      #0x0             jt 4    jf 11
(004) ldh      [12]
(005) jeq      #0x8864          jt 6    jf 11
(006) ldh      [20]
(007) jeq      #0x21            jt 8    jf 11
(008) ldb      [41]
(009) and      #0xf
(010) jeq      #0x1             jt 22   jf 11
(011) ld       [8]
(012) jeq      #0x1             jt 13   jf 23
(013) ldh      [6]
(014) jeq      #0x0             jt 15   jf 23
(015) ldh      [12]
(016) jeq      #0x8864          jt 17   jf 23
(017) ldh      [20]
(018) jeq      #0x21            jt 19   jf 23
(019) ldb      [37]
(020) and      #0xf
(021) jeq      #0x1             jt 22   jf 23
(022) ret      #262144
(023) ret      #0
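As an added illustration (not part of the answer above), the following Python reads the final pppoes-free listing exactly as dumpcap -d prints it, interprets it as classic BPF, and runs it over constructed PPPoE session frames, so you can confirm that ether[41:1] and ether[37:1] really land on the last octet of the IPv4 destination and source addresses (14-byte Ethernet + 6-byte PPPoE + 2-byte PPP protocol = IPv4 at offset 22). The listing string, the frame builder and the MAC/IP values are all constructed here for the demonstration.

```python
import re
import struct

# Constructed copy of the page's final dumpcap -d listing, reflowed several instructions per line.
BPF_LISTING = """
(000) ld [2]   (001) jeq #0x1 jt 2 jf 11     (002) ldh [0]  (003) jeq #0x0 jt 4 jf 11
(004) ldh [12] (005) jeq #0x8864 jt 6 jf 11  (006) ldh [20] (007) jeq #0x21 jt 8 jf 11
(008) ldb [41] (009) and #0xf                (010) jeq #0x1 jt 22 jf 11
(011) ld [8]   (012) jeq #0x1 jt 13 jf 23    (013) ldh [6]  (014) jeq #0x0 jt 15 jf 23
(015) ldh [12] (016) jeq #0x8864 jt 17 jf 23 (017) ldh [20] (018) jeq #0x21 jt 19 jf 23
(019) ldb [37] (020) and #0xf                (021) jeq #0x1 jt 22 jf 23
(022) ret #262144 (023) ret #0
"""
INSN = re.compile(r"\((\d+)\)\s+(\w+)\s+(\S+)(?:\s+jt\s+(\d+)\s+jf\s+(\d+))?")
LOADS = {"ld": ">I", "ldh": ">H", "ldb": ">B"}  # 32-bit word, 16-bit half-word, byte

def parse_bpf(listing):
    """Return [(opcode, operand, jt, jf), ...] indexed by instruction number."""
    return [(op, k, jt, jf) for _, op, k, jt, jf in INSN.findall(listing)]

def run_bpf(prog, pkt):
    """Interpret the classic BPF program over pkt; returns the ret value (0 = drop)."""
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op in LOADS:                      # absolute load into the accumulator
            off, fmt = int(k.strip("[]")), LOADS[op]
            if off + struct.calcsize(fmt) > len(pkt):
                return 0                     # out-of-bounds load rejects the packet
            acc, pc = struct.unpack_from(fmt, pkt, off)[0], pc + 1
        elif op == "and":
            acc, pc = acc & int(k[1:], 0), pc + 1
        elif op == "jeq":                    # dumpcap prints absolute jump targets
            pc = int(jt) if acc == int(k[1:], 0) else int(jf)
        elif op == "ret":
            return int(k[1:], 0)
        else:
            raise ValueError("unsupported opcode " + op)

def pppoe_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, ethertype=0x8864):
    """Constructed Ethernet(14) + PPPoE(6) + PPP proto(2) + minimal IPv4(20): IPv4 starts at 22."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, ip4(src_ip), ip4(dst_ip))
    ppp = b"\x00\x21" + ip                           # PPP protocol 0x0021 = IPv4
    pppoe = struct.pack(">BBHH", 0x11, 0x00, 0x0001, len(ppp))  # ver/type, code, session id, length
    return mac(dst_mac) + mac(src_mac) + struct.pack(">H", ethertype) + pppoe + ppp

def matches(dst_mac, src_mac, src_ip, dst_ip, ethertype=0x8864):
    return run_bpf(parse_bpf(BPF_LISTING), pppoe_ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, ethertype)) != 0
```

A frame whose destination MAC is 00:00:00:00:00:01 and whose IPv4 destination ends in a low nibble of 1 (e.g. .17) is accepted, as is one sent from that MAC with a matching source address; a PPPoE discovery frame (Ethertype 0x8863) is rejected even when the addresses match.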