In some email I received from Hannes Gredler, sie wrote:
> i have some questions wrt to the format based on the .pcap
> file that you supplied;
> 
> the 1st byte 0x7e seems to introduce a HDLC frame;
> 
> after that i can see 4 different frame formats:

Yes.  I thought it might be useful to provide a set of the different
frames I observed so you have a better grounding for testing, etc.

> frame 1     0x0000:  2145 0000 6edc 5a00 006a 2f52 080a 1122
>             0x0010:  330a 1133 4430 8188 0b00 4ad4 9d5a 5a5a
>             0x0020:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
>             0x0030:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
>             0x0040:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
>             0x0050:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a
>             0x0060:  5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a7d 5d7d
>             0x0070:  5d
> 
> this seems to be some sort of shortcut IP frame ... 21 being
> codepoint for IPv4; should we use then 0x57 for IPv6 ?

I don't know.  Maybe?  I've only coded printing of what I could
see & understand.

> frame 2     0x0000:  c021 7d29 5d7d 207d 2860 89ca 54ff
> 
> this looks like a LCP frame , correct ? so the second
> format is a fully blown PPP proto-id;

"don't know".  I wasn't sure if the HDLC PPP should have LCP in
it or not.  I suppose it makes sense for it to do so.  I couldn't
find anything explicitly mentioning that frame format so I punted
on it.
 
> frame 6     0x0000:  ff7d 23c0 217d 2126 7d20 7d34 7d22 7d26
>             0x0010:  7d20 7d20 7d20 7d20 7d25 7d26 65f1 b237
>             0x0020:  7d27 7d22 7d28 7d22 3c6b
> 
> ok this one i have some problems with ... 0xc021 looks like LCP
> again but what is 0xff7d23 ?

The 7d23 is 03 encoded with bit-stuffing (see RFC 1662 as Guy pointed
out.)

Just one comment on the code - why not eliminate the "goto cleanup"
by including the default case code inside the default switch ?
As you know, goto's are evil ;)  Maybe nested switch's are too :)

Darren
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
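
The 7d23 decoding discussed in the message above, as an added example that is not part of the original message or of tcpdump's code: it undoes the RFC 1662 escaping and then reads the protocol field of frames 1, 2 and 6. It goes beyond the message by assuming the three header shapes come from the standard PPP address/control and protocol field compression; the function names are hypothetical and the 0x7e flag octets are assumed to be stripped already.

```c
#include <stdint.h>
#include <stdio.h>

/* Undo RFC 1662 escaping: 0x7d means "next octet was XORed with 0x20".
 * Returns the decoded length, or -1 on a dangling escape or full buffer. */
static int ppp_unescape(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = in[i];
        if (b == 0x7d) {
            if (++i == n) return -1;   /* escape with nothing after it */
            b = in[i] ^ 0x20;
        }
        if (o == cap) return -1;       /* never write past the buffer */
        out[o++] = b;
    }
    return (int)o;
}

/* Decode an escaped frame body (0x7e flags already removed) and return its
 * PPP protocol number, or -1 if malformed; *hdr gets the header length.
 * ff 03 may be absent, and an odd first octet is a one-octet protocol. */
static int ppp_protocol(const uint8_t *raw, size_t n, int *hdr)
{
    uint8_t f[256];
    int len = ppp_unescape(raw, n, f, sizeof f);
    if (len < 0) return -1;
    int off = (len >= 2 && f[0] == 0xff && f[1] == 0x03) ? 2 : 0;
    if (off >= len) return -1;
    if (f[off] & 1) { *hdr = off + 1; return f[off]; }
    if (off + 1 >= len) return -1;
    *hdr = off + 2;
    return (f[off] << 8) | f[off + 1];
}

/* Leading octets of frames 1, 2 and 6, copied from the dumps quoted above. */
static const uint8_t frame1[] = { 0x21, 0x45, 0x00, 0x00, 0x6e };
static const uint8_t frame2[] = { 0xc0, 0x21, 0x7d, 0x29, 0x5d, 0x7d, 0x20, 0x7d, 0x28 };
static const uint8_t frame6[] = { 0xff, 0x7d, 0x23, 0xc0, 0x21, 0x7d, 0x21, 0x26 };

int main(void)
{
    int h;
    printf("frame 1: 0x%04x\n", ppp_protocol(frame1, sizeof frame1, &h));
    printf("frame 2: 0x%04x\n", ppp_protocol(frame2, sizeof frame2, &h));
    printf("frame 6: 0x%04x\n", ppp_protocol(frame6, sizeof frame6, &h));
    return 0;
}
```

A printer built this way has to bound-check both the escape lookahead and the output buffer, since the capture can end in the middle of an escape pair.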
