user/4624: tcpdump chops off part of the ipv4 header on pppoe interface

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

user/4624: tcpdump chops off part of the ipv4 header on pppoe interface

Peter J. Philipp
>Number:         4624
>Category:       user
>Synopsis:       data is missing on a tcpdump on pppoe
>Confidential:   yes
>Severity:       non-critical
>Priority:       low
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 17 18:00:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Peter Philipp
>Release:        
>Organization:
net
>Environment:
       
        System      : OpenBSD 3.8
        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:

# tcpdump -n -i pppoe0 -X -s 1500 -e port 53
       
18:44:16.182025 PPPoE
        code Session, version 1, type 1, id 0x0580, length 62
        IP: 85.75.50.82.46277 > 194.97.173.124.53:  22618+ A? ftp.netbsd.org. (32)
  0000: c628 0000 4011 bd0d 554b 3252 c261 ad7c  F(..@.=.UK2RBa-|
  0010: b4c5 0035 0028 7928 585a 0100 0001 0000  4E.5.(y(XZ......
  0020: 0000 0000 0366 7470 066e 6574 6273 6403  .....ftp.netbsd.
  0030: 6f72 6700 0001 0001                      org.....

As you can see the packet does not start with the usual 0x45, that's because
it chopped 4 bytes off from the top of the packet.

>How-To-Repeat:
        Use tcpdump on a pppoe interface
>Fix:
        swamped with work, sorry no fix.


>Release-Note:
>Audit-Trail:
>Unformatted:

Reply | Threaded
Open this post in threaded view
|

Re: user/4624: tcpdump chops off part of the ipv4 header on pppoe interface

Can Erkin Acar
The following reply was made to PR user/4624; it has been noted by GNATS.

From: Can Erkin Acar <[hidden email]>
To: [hidden email]
Cc: [hidden email]
Subject: Re: user/4624: tcpdump chops off part of the ipv4 header on pppoe interface
Date: Thu, 17 Nov 2005 21:28:27 +0200

 On Thu, Nov 17, 2005 at 06:47:56PM +0100, [hidden email] wrote:
 > >Number:         4624
 > >Category:       user
 > >Synopsis:       data is missing on a tcpdump on pppoe
 > >Confidential:   yes
 [snip]
 > >Description:
 >
 > # tcpdump -n -i pppoe0 -X -s 1500 -e port 53
 >
 > 18:44:16.182025 PPPoE
 >         code Session, version 1, type 1, id 0x0580, length 62
 >         IP: 85.75.50.82.46277 > 194.97.173.124.53:  22618+ A? ftp.netbsd.org. (32)
 >   0000: c628 0000 4011 bd0d 554b 3252 c261 ad7c  F(..@.=.UK2RBa-|
 >   0010: b4c5 0035 0028 7928 585a 0100 0001 0000  4E.5.(y(XZ......
 >   0020: 0000 0000 0366 7470 066e 6574 6273 6403  .....ftp.netbsd.
 >   0030: 6f72 6700 0001 0001                      org.....
 >
 > As you can see the packet does not start with the usual 0x45, that's because
 > it chopped 4 bytes off from the top of the packet.
 
 Can you try this diff?
 
 
 Index: print-ppp.c
 ===================================================================
 RCS file: /cvs/src/usr.sbin/tcpdump/print-ppp.c,v
 retrieving revision 1.16
 diff -u -p -c -r1.16 print-ppp.c
 cvs diff: conflicting specifications of output style
 --- print-ppp.c 8 Oct 2005 19:45:15 -0000 1.16
 +++ print-ppp.c 17 Nov 2005 18:55:51 -0000
 @@ -673,9 +673,7 @@
  printf("\n\t%04x: ", proto);
 
  if (xflag)
 -    default_print((const u_char *)
 - (p + sizeof(struct pppoe_header)),
 - caplen - sizeof(struct pppoe_header));
 +    default_print(p, caplen);
  putchar('\n');
  }

Reply | Threaded
Open this post in threaded view
|

Re: user/4624: tcpdump chops off part of the ipv4 header on pppoe interface

Peter J. Philipp
In reply to this post by Peter J. Philipp
The following reply was made to PR user/4624; it has been noted by GNATS.

From: Peter Philipp <[hidden email]>
To: Can Erkin Acar <[hidden email]>
Cc: [hidden email]
Subject: Re: user/4624: tcpdump chops off part of the ipv4 header on pppoe interface
Date: Fri, 18 Nov 2005 12:25:04 +0100

 > Can you try this diff?
 >
 >
 > Index: print-ppp.c
 > ===================================================================
 > RCS file: /cvs/src/usr.sbin/tcpdump/print-ppp.c,v
 > retrieving revision 1.16
 > diff -u -p -c -r1.16 print-ppp.c
 > cvs diff: conflicting specifications of output style
 > --- print-ppp.c 8 Oct 2005 19:45:15 -0000 1.16
 > +++ print-ppp.c 17 Nov 2005 18:55:51 -0000
 > @@ -673,9 +673,7 @@
 >   printf("\n\t%04x: ", proto);
 >  
 >   if (xflag)
 > -    default_print((const u_char *)
 > - (p + sizeof(struct pppoe_header)),
 > - caplen - sizeof(struct pppoe_header));
 > +    default_print(p, caplen);
 >   putchar('\n');
 >  }
 
 Hi,
 
 I did try the diff and this is what I get:
 
 # tcpdump -v -n -i pppoe0 -X -s 1500 port 53
 ...
 12:03:15.057336 194.97.173.124.53 > 85.75.7.46.18241:  [udp sum ok] 4477 1/0/0 ftp.netbsd.org. A 204.152.190.13 (48) (DF) (ttl 62, id 7830, len 76)
   0000: 0021 4500 004c 1e96 4000 3e11 51b4 c261  .!E..L..@.>.Q4Ba
 
 there is a 16 bit header I tracked this down in RFC1661
 (Page 4, 2. PPP Encapsulation) which refers to the Assigned numbers for the
 protocol which I then tracked down to RFC 1700 page 200 which specifies
 that the 0x0021 is the Datalink Layer Protocol number for
 the Internet Protocol:
 
 ---
 Assigned PPP DLL Protocol Numbers
 
 Value (in hex)  Protocol Name
 
 ...
 0021            Internet Protocol
 ---
 
 Can we chop this header somehow and put it into the datalink (-e flag)?
 
 Regards,
 
 -peter