In some email I received from Hannes Gredler, sie wrote: > darren, > > can we have a .pcap sample showing such a frame for > the /tests directory ?
I've semi-hand constructed this file because of privacy
concerns about the real data.
I've also included a new version of the patch (moved the
unescaping of HDLC data before looking at bytes after the
leading 0x7e.)
The output for me is like this (non-verbose):
17:38:55.122210 IP 10.0.17.34.1701 > 10.1.34.51.1701: l2tp:[LP](2/1) {PPP-HDLC IP
10.17.34.51 > 10.17.51.68: GREv1call 54429 seq 1515870810 ack 1515870810
gre-ppp-payload}
17:38:55.122210 IP 10.1.17.34.1701 > 10.17.34.51.1701: l2tp:[L](24722/10922) {unknown
PPP protocol (0x7ec0)}
0x0000: 217d 295d 7d20 7d28 6089 ca54 ffaa}
17:38:55.122210 IP 10.17.34.51.1701 > 10.1.17.34.1701: l2tp:[LP](2/4) {unknown PPP
protocol (0x7eff)}
0x0000: 03c0 210a 5d00 0852 4124 9e85 317e}
17:38:55.122210 IP 10.1.17.34.1701 > 10.17.34.51.1701: l2tp:[L](24735/12328)
{PPP-HDLC IP 10.1.34.51 > 10.17.34.51: GREv1call 17380 seq 90 gre-ppp-payload}
17:38:55.122210 IP 10.17.34.51.1701 > 10.1.17.34.1701: l2tp:[LP](2/4) {unknown PPP
protocol (0x7eff)}
0x0000: 03c0 210a 5e00 0852 4124 9eeb 997e}
17:38:55.122210 IP 10.1.17.34.1701 > 10.17.34.51.1701: l2tp:[L](24551/3750) {unknown
PPP protocol (0x7eff)}
0x0000: 7d23 c021 7d21 267d 207d 347d 227d 267d
0x0010: 207d 207d 207d 207d 257d 2665 f1b2 377d
0x0020: 277d 227d 287d 223c 6b7e}
Looks like a bug in print_unknown_data ^^^ generating that }.
Or maybe not...If you remove the } I added after the (0x7e..),
it doesn't seem that out of place.
Darren
hdlc.pcap
Description: Binary data
*** print-ppp.c.orig Wed Mar 24 14:30:06 2004
--- print-ppp.c Thu Jul 1 21:01:59 2004
***************
*** 370,375 ****
--- 370,376 ----
static int print_ccp_config_options (const u_char *p, int);
static int print_bacp_config_options (const u_char *p, int);
static void handle_ppp (u_int proto, const u_char *p, int length);
+ static int ppp_hdlc(const u_int proto, const u_char *p, int length);
/* generic Control Protocol (e.g. LCP, IPCP, CCP, etc.) handler */
static void
***************
*** 1052,1057 ****
--- 1053,1109 ----
}
+ static int
+ ppp_hdlc(const u_int proto, const u_char *p, int length)
+ {
+ u_char *b, *s, *t, c;
+ int i, l, offset;
+ const void *se;
+
+ switch (proto & 0xff)
+ {
+ case 0xff :
+ if (p[0] != 3 || p[1] != 0 || p[2] != 0x21)
+ return -1;
+ offset = 3;
+ break;
+ case 0x21 :
+ offset = 0;
+ break;
+ default :
+ return -1;
+ }
+
+ b = (u_char *)malloc(length);
+ if (b == NULL)
+ return -1;
+
+ /*
+ * Unescape all the data into a temporary, private, buffer.
+ * Do this so that we dont overwrite the original packet
+ * contents.
+ */
+ for (s = (u_char *)p + offset, t = b, i = length; i > 0; i--) {
+ c = *s++;
+ if (c == 0x7d) {
+ if (i > 1) {
+ i--;
+ c = *s++ ^ 0x20;
+ } else
+ continue;
+ }
+ *t++ = c;
+ }
+
+ printf("PPP-HDLC ");
+ se = snapend;
+ snapend = t;
+ ip_print(b, t - b);
+ snapend = se;
+ free(b);
+ }
+
+
/* PPP */
static void
handle_ppp(u_int proto, const u_char *p, int length)
***************
*** 1097,1105 ****
mpls_print(p, length);
break;
default:
! printf("unknown PPP protocol (0x%04x)", proto);
! print_unknown_data(p,"\n\t",length);
! break;
}
}
--- 1149,1159 ----
mpls_print(p, length);
break;
default:
! if (((proto >> 8) != 0x7e) || (ppp_hdlc(proto, p, length) == -1)) {
! printf("unknown PPP protocol (0x%04x)", proto);
! print_unknown_data(p,"\n\t",length);
! }
! break;
}
}
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
