On Wed, May 07, 2003 at 03:51:08PM -0700, Juhani Siira wrote:
> I'm porting a ppp stack and would like to log the ppp
> packets and view them to see the traffic from lcp up
> to tcp. I've looked at the ethereal files produced
> using the win me PPP wan adapter, and it seems the
> framing used to store ppp is actually a fake ethernet
> frame instead of a PPP frame, i.e. DLT_EN10MB instead of
> DLT_PPP.

Yes, that's the way Windows handles PPP - the NDISWAN driver turns
received PPP packets into fake Ethernet packets, and turns fake Ethernet
packets sent by other stuff in the networking stack into PPP packets.

> Does ethereal understand PPP framing so that
> I can simply dump the frames from my serial driver to
> a file (with appropriate file format)?

Yes, although if you're doing raw serial stuff, you need to choose the
appropriate file format.

pppdump format is probably best, if you're truly dumping *raw* serial
data, i.e. what's going over the serial line.

I'm not sure where the pppdump format is documented, other than in the
comments in "wiretap/pppdump.c", but check that file out. Note that a
"time_t" is a standard UNIX-style time_t, i.e. seconds since January 1,
1970, 00:00:00 GMT. The "time step" items are for time stamps, and
represent tenths of a second since the last time_t in a "Reset time"
record; "send data" and "received data" records hold the actual serial
data - use both of those, so Ethereal knows in which direction the data
is going. The numbers (time stamps, and byte counts) are big-endian,
not little-endian (i.e., they're byte-swapped from the natural byte
order on Windows).
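
The record layout described in the reply above, as an added example in C that is not part of the original message and is not Ethereal's code: a minimal encoder a serial driver could call to log traffic in pppdump format. The record type bytes follow the format comment in "wiretap/pppdump.c"; the function names, the output file name and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record type bytes, from the format comment in wiretap/pppdump.c. */
enum { PPPD_SENT_DATA = 0x01, PPPD_RECV_DATA = 0x02, PPPD_TIME_STEP_LONG = 0x05,
       PPPD_TIME_STEP_SHORT = 0x06, PPPD_RESET_TIME = 0x07 };

/* Store the low n bytes of v at p, most significant byte first (big-endian). */
static size_t put_be(uint8_t *p, uint32_t v, size_t n) {
    for (size_t i = 0; i < n; i++)
        p[i] = (uint8_t)(v >> (8 * (n - 1 - i)));
    return n;
}

/* "Reset time": type byte plus a 4-byte time_t. Returns bytes written, 0 if no room. */
size_t pppdump_reset_time(uint8_t *out, size_t cap, uint32_t unix_secs) {
    if (cap < 5) return 0;
    out[0] = PPPD_RESET_TIME;
    return 1 + put_be(out + 1, unix_secs, 4);
}

/* "Time step" in tenths of a second: 1-byte short form when it fits, else 4 bytes. */
size_t pppdump_time_step(uint8_t *out, size_t cap, uint32_t tenths) {
    size_t n = tenths <= 0xFF ? 1 : 4;
    if (cap < 1 + n) return 0;
    out[0] = n == 1 ? PPPD_TIME_STEP_SHORT : PPPD_TIME_STEP_LONG;
    return 1 + put_be(out + 1, tenths, n);
}

/* Data record: type byte, 2-byte count, raw serial bytes. Oversized input is refused. */
size_t pppdump_data(uint8_t *out, size_t cap, int sent, const uint8_t *buf, size_t len) {
    if (len == 0 || len > 0xFFFF || cap < 3 + len) return 0;
    out[0] = sent ? PPPD_SENT_DATA : PPPD_RECV_DATA;
    put_be(out + 1, (uint32_t)len, 2);
    memcpy(out + 3, buf, len);
    return 3 + len;
}

int main(void) {
    static const uint8_t rx[] = { 0x7e, 0xff, 0x7d, 0x23, 0xc0, 0x21 }; /* constructed */
    uint8_t rec[64];
    size_t n = pppdump_reset_time(rec, sizeof rec, 1052347868u); /* constructed time_t */
    n += pppdump_time_step(rec + n, sizeof rec - n, 3);
    n += pppdump_data(rec + n, sizeof rec - n, 0, rx, sizeof rx);
    FILE *f = fopen("sample.pppdump", "wb"); /* "wb": no newline translation on Windows */
    if (!f || fwrite(rec, 1, n, f) != n) return 1;
    return fclose(f) == 0 ? 0 : 1;
}
```

The helpers write each field byte by byte, so the output is big-endian regardless of the host's byte order.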