I've been playing with Ethereal over the past couple of days (only
discovered it a couple of days ago).

I'm trying to find a libpcap protocol where Ethereal recognizes the
direction, but no luck yet.

I know that converting pppdump format directly to libpcap format
(specifically using the PPP link layer) through Ethereal gets rid of the
direction bit, so I've made a Perl script that converts the pppdump
output into a libpcap file masquerading as PPPoES under SLL (currently
_without_ the help of libpcap). But Ethereal still complains that the
direction is unknown (even though sent packets become "Sent by us" and
received packets become "Unicast to us" in the SLL header) when it
encounters VJ Compressed packets ("PPPoES VJ compressed TCP (direction
unknown)").

I guess I could evolve my Perl script to understand the TCP/IP protocol
and the PPP protocol, instead of passing everything almost completely
unmodified to the PPPoES protocol. At the moment, it's basically a hack.
The first packet is a null packet at the moment.

Here's some (compressed) output from Ethereal to show what I mean about
Ethereal not understanding the direction with libpcap.

Frame 38 (28 bytes on wire, 28 bytes captured)
...
Linux cooked capture
Packet type: Sent by us (4)
...
Protocol: PPPoE Session (0x8864)
PPP-over-Ethernet Session
...
Point-to-Point Protocol
Protocol: VJ compressed TCP (0x002d)
PPP VJ Compression: Compressed data
Change mask: 0x0c
...
TCP checksum: 0x97a9
Ack delta: 10
Sequence delta: 140

Frame 39 (330 bytes on wire, 330 bytes captured)
...
Linux cooked capture
Packet type: Unicast to us (0)
...
Protocol: PPPoE Session (0x8864)
PPP-over-Ethernet Session
...
Point-to-Point Protocol
Protocol: VJ compressed TCP (0x002d)
PPP VJ Compression: Compressed data
Change mask: 0x3c
...
TCP checksum: 0xc3b3
Ack delta: 140
Sequence delta: 10
IP ID delta: 110
TCP payload

Compared to straight from the pppdump file:

Frame 37 (8 bytes on wire, 8 bytes captured)
...
Point-to-Point Direction: Sent (0)
Point-to-Point Protocol
Protocol: VJ compressed TCP (0x002d)
PPP VJ Compression: Compressed data
Change mask: 0x0c
...
TCP checksum: 0x97a9
Ack delta: 10
Sequence delta: 140
TCP payload
Internet Protocol, Src Addr: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx), Dst Addr: xx.xx.xxx.xxx (xx.xx.xxx.xxx)
...
Transmission Control Protocol, Src Port: xxxxx (xxxxx), Dst Port: xxxx (xxxx), Seq: 141, Ack: 11, Len: 2
...

Frame 38 (310 bytes on wire, 310 bytes captured)
...
Point-to-Point Direction: Received (1)
Point-to-Point Protocol
Protocol: VJ compressed TCP (0x002d)
PPP VJ Compression: Compressed data
Change mask: 0x3c
...
TCP checksum: 0xc3b3
Ack delta: 140
Sequence delta: 10
IP ID delta: 110
TCP payload
Internet Protocol, Src Addr: xx.xx.xxx.xxx (xx.xx.xxx.xxx), Dst Addr: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
...
Transmission Control Protocol, Src Port: xxxx (xxxx), Dst Port: xxxxx (xxxxx), Seq: 11, Ack: 141, Len: 303
...
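
The conversion described in this post, as an added example (Python, not the poster's Perl script): each de-framed PPP frame is wrapped in a PPPoE Session header under a Linux cooked (SLL) header, with the direction carried only in the SLL packet type (4 for sent, 0 for received), and the file is re-read to confirm where that value lands. The ARPHRD type, the zeroed link-layer address, the PPPoE session id and the sample frame bytes are assumptions made up for the example.

```python
import struct

LINKTYPE_LINUX_SLL = 113    # libpcap link type "Linux cooked capture"
SLL_UNICAST_TO_US = 0       # packet type values as shown in the output above
SLL_SENT_BY_US = 4
ETHERTYPE_PPPOES = 0x8864   # "PPPoE Session"
ARPHRD_ETHER = 1            # assumption: claim an Ethernet-style link
SESSION_ID = 0x0001         # assumption: constructed PPPoE session id

def sll_pppoes_frame(ppp, sent):
    """Wrap one de-framed PPP frame in a 16-byte SLL + 6-byte PPPoE header."""
    if ppp[:2] == b"\xff\x03":          # PPPoE carries no address/control
        ppp = ppp[2:]
    sll = struct.pack("!HHH8sH",
                      SLL_SENT_BY_US if sent else SLL_UNICAST_TO_US,
                      ARPHRD_ETHER, 6, bytes(8), ETHERTYPE_PPPOES)
    pppoe = struct.pack("!BBHH", 0x11, 0x00, SESSION_ID, len(ppp))
    return sll + pppoe + ppp

def pcap_bytes(frames):
    """frames: iterable of (ts_sec, ts_usec, sent, ppp_bytes)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                       LINKTYPE_LINUX_SLL)]
    for sec, usec, sent, ppp in frames:
        pkt = sll_pppoes_frame(ppp, sent)
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def read_sll_records(data):
    """Re-read the file: (SLL packet type, protocol, PPPoE length) per record."""
    magic, linktype = struct.unpack_from("<I16xI", data, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("not a little-endian SLL capture")
    off, records = 24, []
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]
        ptype, proto = struct.unpack_from("!H12xH", data, off + 16)
        plen = struct.unpack_from("!H", data, off + 16 + 16 + 4)[0]
        records.append((ptype, proto, plen))
        off += 16 + incl
    return records

# Constructed sample frames (PPP protocol 0x002d plus made-up bytes).
SAMPLE = [(0, 0, True, b"\x00\x2d\x0c\x97\xa9\x0a\x8c"),
          (0, 500000, False, b"\xff\x03\x00\x2d\x3c\xc3\xb3")]

if __name__ == "__main__":
    for rec in read_sll_records(pcap_bytes(SAMPLE)):
        print("type=%d proto=0x%04x pppoe_len=%d" % rec)
```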