[Winpcap-users] how to filter pppoe packets?
Guy Harris
guy at alum.mit.edu
Tue Jul 29 17:34:30 GMT 2008
On Jul 29, 2008, at 9:34 AM, Umesh Chandra Sahoo wrote:
> Can anyone let me know what will be the filtering string for the
> packets of pppoe?
> I am able to find out the filtering string for valn capture files.
> i.e.- “valn and tcp”
Presumably you mean "vlan", not "valn".
There are two kinds of PPPoE packets - PPPoE discovery packets, with
an Ethernet type of 0x8863, and PPPoE session packets, with an
Ethernet type of 0x8864.
At least in WinPcap 4.0.2 and later versions:
to capture PPPoE discovery packets, the filter string is "pppoed";
to capture PPPoE session packets, the filter string is "pppoes", and
it acts like "vlan" in that it changes the way the tests following it
in the expression work.
That's not documented in the WinPcap 4.0.2 manual; the tcpdump
documentation for versions of tcpdump that were released along with
versions of libpcap that support pppoed/pppoes says:
pppoed True if the packet is a PPP-over-Ethernet
Discovery
packet (Ethernet type 0x8863).
pppoes True if the packet is a PPP-over-Ethernet
Session packet
(Ethernet type 0x8864). Note that the first
pppoes key-
word encountered in expression changes the
decoding off-
sets for the remainder of expression on the
assumption
that the packet is a PPPoE session packet.
For example:
pppoes && ip
filters IPv4 protocols encapsulated in PPPoE.
The WinPcap 4.1 beta4 documentation *also* doesn't document this; it
should probably be updated.
More information about the Winpcap-users
mailing list