[tcpdump-workers] Multiple Needles in Multiple Haystacks.

Guy Harris guy at alum.mit.edu
Thu Nov 17 19:43:44 EST 2016

On Nov 17, 2016, at 7:29 AM, Zaphod Beeblebrox <zbeeble at gmail.com> wrote:

> Fundamental to my problem is filtering the PPP inside L2TP.  Making this
> complex, the L2TP speakers I'm dealing with don't deliver at the same
> offsets.

...and libpcap's filter-to-BPF compiler doesn't have a "check for L2TP and, if you find it, make all filter tests after the match test the packet *inside* the L2TP packet" expression, the way it has for PPPoE, for example.

I'll see if I can spend some time looking at that.

> Something like "ppp[0:2] == 0x8021" should pull out the IPCP.  Or is
> that ppp[2:2] ... but neither works.  Some other reading that's hard to
> find would suggest something like "protochain l2tp and ppp proto 0x8021"
> ... but that doesn't work either.

That's because "protochain" only works for IPv4 and IPv6.
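As an added illustration (not code from this thread, from libpcap or from tcpdump): the reason a fixed byte offset cannot reliably find the PPP protocol field inside L2TP is that the L2TPv2 data-message header (RFC 2661) has optional Length, Ns/Nr and Offset fields, and the PPP frame it carries may or may not start with the 0xff03 address/control bytes. The Python below walks those flag-controlled fields, then reads the PPP protocol number (handling 0xff03 and single-octet PFC protocols), and contrasts that with a fixed-offset match of the "udp[N:2] == 0x8021" kind. The three sample UDP payloads and all function names are constructed for this example.

```python
import struct

# L2TPv2 (RFC 2661) flag bits in the first 16-bit word of the header.
L2TP_T = 0x8000        # 1 = control message (no PPP payload), 0 = data message
L2TP_L = 0x4000        # Length field present
L2TP_S = 0x0800        # Ns / Nr sequence fields present
L2TP_O = 0x0200        # Offset Size field (plus padding) present
L2TP_VER_MASK = 0x000F # low nibble carries the version, 2 for L2TPv2

IPCP = 0x8021          # PPP protocol number for IPCP
PPP_ACF = b"\xff\x03"  # HDLC address/control bytes that may precede the protocol


def l2tp_payload_offset(udp_payload):
    """Return the offset of the PPP frame inside an L2TPv2 data message."""
    if len(udp_payload) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack_from("!H", udp_payload, 0)[0]
    if flags & L2TP_VER_MASK != 2:
        raise ValueError("not an L2TPv2 header")
    if flags & L2TP_T:
        raise ValueError("control message carries no PPP payload")
    off = 2                      # Flags/Ver word
    if flags & L2TP_L:
        off += 2                 # optional Length
    off += 4                     # Tunnel ID + Session ID (always present)
    if flags & L2TP_S:
        off += 4                 # optional Ns + Nr
    if flags & L2TP_O:
        if len(udp_payload) < off + 2:
            raise ValueError("truncated Offset Size field")
        offset_size = struct.unpack_from("!H", udp_payload, off)[0]
        off += 2 + offset_size   # Offset Size word plus the padding it describes
    if off > len(udp_payload):
        raise ValueError("header runs past end of packet")
    return off


def ppp_protocol(ppp):
    """Return (protocol number, header length) for a PPP frame, with or without 0xff03."""
    i = 2 if ppp[:2] == PPP_ACF else 0
    if len(ppp) <= i:
        raise ValueError("truncated PPP frame")
    # RFC 1661: the first protocol octet has its low bit clear; with Protocol Field
    # Compression a single-octet protocol has its low bit set instead.
    if ppp[i] & 1:
        return ppp[i], i + 1
    if len(ppp) < i + 2:
        raise ValueError("truncated PPP protocol field")
    return struct.unpack_from("!H", ppp, i)[0], i + 2


def l2tp_ppp_protocol(udp_payload):
    """PPP protocol number carried by an L2TPv2 data message."""
    off = l2tp_payload_offset(udp_payload)
    proto, _ = ppp_protocol(udp_payload[off:])
    return proto


def is_ipcp_in_l2tp(udp_payload):
    """True when the L2TP data message carries an IPCP frame, False otherwise."""
    try:
        return l2tp_ppp_protocol(udp_payload) == IPCP
    except ValueError:
        return False


def fixed_offset_matches(udp_payload, offset, proto=IPCP):
    """What a fixed 'udp[offset:2] == proto' style test would see."""
    if len(udp_payload) < offset + 2:
        return False
    return struct.unpack_from("!H", udp_payload, offset)[0] == proto


# Constructed sample UDP payloads (L2TP over UDP), not captures from a real peer.
# A: minimal header, PPP with 0xff03 prefix -> IPCP protocol word at UDP offset 8.
SAMPLE_A = bytes.fromhex("0002" "0001" "0002" "ff03" "8021" "01010004")
# B: L and S bits set (Length, Ns, Nr), PPP without 0xff03 -> IPCP at offset 12.
SAMPLE_B = bytes.fromhex("4802" "0012" "0001" "0002" "0000" "0000" "8021" "01010004")
# C: O bit set with 4 bytes of padding, PPP carrying IPv4 (0x0021), not IPCP.
SAMPLE_C = bytes.fromhex("0202" "0001" "0002" "0004" "00000000" "0021" "4500")

if __name__ == "__main__":
    for name, pkt in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, "ppp at", l2tp_payload_offset(pkt),
              "proto 0x%04x" % l2tp_ppp_protocol(pkt),
              "ipcp:", is_ipcp_in_l2tp(pkt),
              "udp[8:2]==0x8021:", fixed_offset_matches(pkt, 8))
```

Running it shows that only sample A is caught by the fixed-offset test, while the flag-aware walk identifies the IPCP frame in both A and B and correctly rejects C; this is the behaviour a filter that "makes all tests after the match test the packet inside L2TP" would have to implement.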
