On Fri, Mar 12, 2004 at 04:47:23AM +0100, Rudolf Zarits (privat) wrote:
> I'm new in the list and hope to find here some
> clarification:
>
> I'm using ethereal on Linux and Windows -
> Following Configuration:
>
> - Windows XP
> - winpcap 2.3
I assume that, in this case, you're using it on Linux.
> after the laptop has "its" IP address assigned, I expected
> the traffic to be "IP over PPP", which means that a PPP header
> should be present -
> but what I see is plain IP - without any PPP header!?!?!?
...but with an Ethernet header, if frame 24:
> Frame 24 (342 bytes on wire, 342 bytes captured)
> Ethernet II, Src: 00:00:02:00:00:00, Dst: 02:65:20:00:02:00
> Internet Protocol, Src Addr: 80.187.67.202 (80.187.67.202), Dst Addr:
> 255.255.255.255 (255.255.255.255)
> User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
> Bootstrap Protocol
is a sample frame, as per
> <comment: just plain IP (no PPP header) like frame 24 for the whole
> transfer!>
If that's what you're really seeing - i.e., packets with an Ethernet
header and then IP, rather than packets with *no* header in front of the
IP packet - then...
> How is that possible?
> Is the PPP header removed before tcpdump captures the packets,
...no, it's replaced by a fake Ethernet header. On Windows, Microsoft's
NDISWAN code is what various PPP drivers plug into; it translates PPP
packets to fake Ethernet packets and supplies them to the same part of
the networking stack that handles LAN interfaces. That part of the
networking stack is the part into which the WinPcap driver plugs, so it
sees the packets with a fake Ethernet header rather than a PPP header.
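
Added example (not part of the original message): a Python reader that takes the link-layer type recorded in a classic pcap file header and decodes the first frame's link header, which separates the three cases discussed above (Ethernet header, PPP header, or bare IP). The sample captures and helper names are constructed for illustration; only the MAC addresses are taken from frame 24.

```python
import struct

# LINKTYPE_ values stored in the pcap file header.
LINKTYPES = {1: "ETHERNET", 9: "PPP", 101: "RAW_IP"}

def build_pcap(linktype: int, frame: bytes) -> bytes:
    """Constructed sample: a little-endian pcap file holding one frame."""
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return file_hdr + rec_hdr + frame

def describe_first_frame(pcap: bytes) -> dict:
    """Return the capture's link type and the first frame's link-layer header fields."""
    if len(pcap) < 40:
        raise ValueError("too short for a pcap file header plus one record header")
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(order + "I", pcap[20:24])[0]
    incl_len = struct.unpack(order + "I", pcap[32:36])[0]
    frame = pcap[40:40 + incl_len]
    if len(frame) < incl_len:
        raise ValueError("truncated packet record")
    info = {"linktype": LINKTYPES.get(linktype, f"unknown({linktype})")}
    if linktype == 1 and len(frame) >= 14:
        info["dst"] = frame[0:6].hex(":")
        info["src"] = frame[6:12].hex(":")
        info["ethertype"] = "0x%04x" % struct.unpack("!H", frame[12:14])[0]
    elif linktype == 9:
        # Address/control bytes ff 03 may be absent when compression is negotiated.
        body = frame[2:] if frame[:2] == b"\xff\x03" else frame
        if len(body) >= 2:
            info["ppp_protocol"] = "0x%04x" % struct.unpack("!H", body[:2])[0]
    elif linktype == 101 and frame:
        info["ip_version"] = frame[0] >> 4
    return info

# Constructed payload standing in for an IPv4 packet (only the version/IHL byte is set).
IP_STUB = b"\x45" + bytes(19)
# MAC addresses are the ones shown for frame 24 in the message above.
ETH_SAMPLE = build_pcap(1, bytes.fromhex("026520000200" "000002000000" "0800") + IP_STUB)
PPP_SAMPLE = build_pcap(9, b"\xff\x03\x00\x21" + IP_STUB)

if __name__ == "__main__":
    print(describe_first_frame(ETH_SAMPLE))
    print(describe_first_frame(PPP_SAMPLE))
```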