[tcpdump-workers] Multiple Needles in Multiple Haystacks.

Zaphod Beeblebrox zbeeble at gmail.com
Thu Nov 17 10:29:13 EST 2016

So... I have some malfunctioning L2TP servers.  Not your problem.  I
would like to get a packet dump of just L2TP control packets + L2TP
packets containing PPP packets of LCP, IPCP, IP6CP and PAP.  I would
also (less important) like to filter out LCP echo/reply.  This is why
I'm writing to this list.  I can capture _all_ the packets and get
wireshark to trim it down, but the problem I have with that is the
firehose it represents.

Fundamental to my problem is filtering the PPP inside L2TP.  Making this
complex, the L2TP speakers I'm dealing with don't deliver at the same
offsets.  I'm attaching a small pcap file that has the packets I want to
accept for reference.

Something like "ppp[0:2] == 0x8021" should pull out the IPCP.  Or is
that ppp[2:2] ... but neither works.  Some other reading that's hard to
find would suggest something like "protochain l2tp and ppp proto 0x8021"
... but that doesn't work either.  I realize that one of ppp[2:2] or
ppp[0:2] is going to be equivalent to ppp proto 0x8021, but the part
that's not working relates to the function of protochain.


If you're Canadian (I see this list is associated with someone in
Ottawa) I can offer 3 months of free DSL... or a whole year if you
materially help me fix MPD on FreeBSD.  I'm a fully open-source ISP ...


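Added example, not part of the post above or of tcpdump/libpcap: the reason the PPP frame is not at a fixed offset is that the L2TPv2 data header (RFC 2661) grows by 2 bytes when the L bit is set, by 4 when the S bit is set, and by a data-dependent amount when the O bit is set, and the PPP frame may or may not start with the HDLC address/control bytes 0xff 0x03. The code below walks those bits to find the PPP protocol field and applies the poster's criteria (keep control messages; keep data carrying LCP, PAP, IPCP or IP6CP; drop LCP Echo-Request/Reply), and it also generates an equivalent pcap filter string for the fixed-offset cases by enumerating the L/S combinations, since udp[8] is the first UDP payload byte. It assumes L2TPv2 on the standard UDP port 1701 and the usual PPP protocol numbers; the sample payloads are constructed by hand, not taken from the poster's pcap. Packets with the O bit set are handled by the Python parser but deliberately left out of the generated filter.

```python
# Added example (not from the original post or from libpcap): classify
# L2TPv2-over-UDP payloads as the poster wants, and build a pcap filter.
# Assumptions: L2TPv2 per RFC 2661, standard UDP port 1701, sample bytes
# constructed by hand below.

# PPP protocol numbers: LCP (RFC 1661), PAP (RFC 1334), IPCP (RFC 1332), IP6CP (RFC 5072).
LCP, PAP, IPCP, IP6CP = 0xC021, 0xC023, 0x8021, 0x8057
WANTED_PROTOS = (LCP, PAP, IPCP, IP6CP)
LCP_ECHO_REQUEST, LCP_ECHO_REPLY = 9, 10
L2TP_PORT = 1701                      # assumption: the servers use the standard port

# L2TPv2 flag bits in the first header byte (RFC 2661 section 3.1).
T_BIT, L_BIT, S_BIT, O_BIT = 0x80, 0x40, 0x08, 0x02


def parse_l2tp(payload):
    """Return (kind, ppp_proto, lcp_code) for one UDP payload.

    kind is "control", "data" or None (not L2TPv2).  The PPP frame offset is
    computed from the L, S and O bits, which is why different L2TP speakers
    deliver it at different offsets.
    """
    if len(payload) < 6 or (payload[1] & 0x0F) != 2:
        return None, None, None
    flags = payload[0]
    if flags & T_BIT:
        return "control", None, None
    off = 2 + (2 if flags & L_BIT else 0) + 4   # flags/ver, [Length], Tunnel ID, Session ID
    if flags & S_BIT:
        off += 4                                 # Ns, Nr
    if flags & O_BIT:                            # Offset Size, then that many pad bytes
        if len(payload) < off + 2:
            return "data", None, None
        off += 2 + int.from_bytes(payload[off:off + 2], "big")
    if payload[off:off + 2] == b"\xff\x03":      # optional HDLC address/control bytes
        off += 2
    if len(payload) < off + 2:
        return "data", None, None
    proto = int.from_bytes(payload[off:off + 2], "big")
    code = payload[off + 2] if proto == LCP and len(payload) > off + 2 else None
    return "data", proto, code


def wanted(payload):
    """The poster's capture criteria applied to one UDP payload."""
    kind, proto, code = parse_l2tp(payload)
    if kind == "control":
        return True
    if kind != "data" or proto not in WANTED_PROTOS:
        return False
    return not (proto == LCP and code in (LCP_ECHO_REQUEST, LCP_ECHO_REPLY))


def bpf_filter():
    """pcap filter expression equivalent to wanted() when the O bit is clear.

    udp[8] is the first UDP payload byte, i.e. the L2TP flags byte.  One
    branch per L/S combination, because the PPP offset depends on those bits;
    packets with the O bit set have a data-dependent offset and are left out.
    """
    def match_at(p):                             # PPP protocol field at udp[p:2]
        protos = " or ".join("udp[%d:2] = 0x%04x" % (p, x) for x in WANTED_PROTOS)
        no_echo = "not (udp[%d:2] = 0x%04x and (udp[%d] = %d or udp[%d] = %d))" % (
            p, LCP, p + 2, LCP_ECHO_REQUEST, p + 2, LCP_ECHO_REPLY)
        return "(%s) and %s" % (protos, no_echo)

    branches = ["udp[8] & 0x80 != 0"]            # any control message (T bit)
    for l in (0, 1):
        for s in (0, 1):
            ppp = 8 + 2 + 2 * l + 4 + 4 * s      # udp[] index where the PPP frame starts
            hdr = "udp[8] & 0xca = 0x%02x" % (l << 6 | s << 3)   # T=0, O=0, L and S as chosen
            branches.append("%s and ((%s) or (udp[%d:2] = 0xff03 and %s))" % (
                hdr, match_at(ppp), ppp, match_at(ppp + 2)))
    return "udp port %d and udp[9] & 0x0f = 2 and (%s)" % (
        L2TP_PORT, " or ".join("(%s)" % b for b in branches))


# Constructed sample UDP payloads (hand-made, not from the poster's pcap).
SAMPLES = {
    "control":        bytes.fromhex("c802 000c 0001 0000 0000 0000"),              # T, L, S set
    "ipcp_conf_req":  bytes.fromhex("0002 0001 0001 ff03 8021 0101 0004"),         # L=0 S=0, ff03
    "pap_auth_req":   bytes.fromhex("4002 0010 0001 0001 ff03 c023 0101 0004"),    # L=1 S=0, ff03
    "lcp_echo_req":   bytes.fromhex("4802 0016 0001 0001 0000 0000 c021 0901 0008 00000000"),  # L=1 S=1
    "ip_with_offset": bytes.fromhex("0202 0001 0001 0002 0000 ff03 0021 4500"),    # O=1, 2 pad bytes, IPv4
    "not_l2tpv2":     bytes.fromhex("0003 0001 0001 ff03 8021"),                   # version nibble 3
}


def classify_samples():
    """Name -> whether the poster would want that packet captured."""
    return {name: wanted(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, keep in classify_samples().items():
        print("%-15s %s %s" % (name, "keep" if keep else "drop", parse_l2tp(SAMPLES[name])))
    print(bpf_filter())
```

The generated expression is long but consists only of udp[n] / udp[n:2] byte tests, which BPF handles directly; feed it to tcpdump with -F from a file rather than on the command line. To cover speakers that set the O bit, either extend the enumeration with the offset sizes actually seen in the trace or keep the userland parser and post-filter a port-1701-only capture.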