Ethereal-users: Re: [Ethereal-users] ppp logging

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Juhani Siira <juhani_siira@xxxxxxxxx>
Date: Fri, 9 May 2003 17:36:50 -0700 (PDT)
Thanks, Guy.  Given that I want to verify/debug
everything including my ppp framing, pppdump is my
solution.  At some point, I may try to hook to the
windows serial driver (portmon style) and read the
stream in real time.

And if anyone else stumbles across this problem, see
the previous thread titled "Ethereal and PPP" for
Guy's complete description of the pppdump solution.


--- Guy Harris <gharris@xxxxxxxxx> wrote:
> On Wed, May 07, 2003 at 03:51:08PM -0700, Juhani
> Siira wrote:
> > I'm porting a ppp stack and would like to log the
> ppp
> > packets and view them to see the traffic from lcp
> up
> > to tcp.  I've looked at the ethereal files
> produced
> > using the win me PPP wan adapter, and it seems the
> > framing used to store ppp is actually a fake
> ethernet
> > frame instead of a PPP frame ie DLT_EN10MB instead
> of
> > DLT_PPP.
> 
> Yes, that's the way Windows handles PPP - the
> NDISWAN driver turns
> received PPP packets into fake Ethernet packets, and
> turns fake Ethernet
> packets sent by other stuff in the networking stack
> into PPP packets.
> 
> > Does ethereal understand PPP framing so that
> > I can simply dump the frames from my serial driver
> to
> > a file (with appropriate file format)?
> 
> Yes, although if you're doing raw serial stuff, you
> need to choose the
> appropriate file format.
> 
> pppdump format is probably best, if you're truly
> dumping *raw* serial
> data, i.e. what's going over the serial line.
> 
> I'm not sure where the pppdump format is documented,
> other than in the
> comments in "wiretap/pppdump.c", but check that file
> out.  Note that a
> "time_t" is a standard UNIX-style time_t, i.e.
> seconds since January 1,
> 1970, 00:00:00 GMT.  The "time step" items are for
> time stamps, and
> represent tenths of a second since the last time_t
> in a "Reset time"
> record; "send data" and "received data" records hold
> the actual serial
> data - use both of those, so Ethereal knows in which
> direction the data
> is going.  The numbers (time stamps, and byte
> counts) are big-endian,
> not little-endian (i.e., they're byte-swapped from
> the natural byte
> order on Windows).


__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com