Wireshark-users: [Wireshark-users] decoding packet data payload?

From: Malcolm Herbert <mjch@xxxxxxxx>
Date: Sun, 4 May 2008 20:05:23 +1000
I have a captured PPP session inside a TCP stream created by userppp
with a TCP connection being used as the PPP transport instead of the
serial port[1].

I have the entire TCP packet capture and can see the complete HDLC-like
PPP frames inside the TCP data payload - I'd like Wireshark to
interpret this for me as I'm interested in seeing PPP at work.

Ultimately I'd like to get at the TCP data running inside that as well,
but this is less important at the moment.

This sounds like it should be a simple thing to achieve ... except that
I haven't yet found any references to doing this in the FAQ or from
elsewhere on the web.  How would I go about it?

I had thought Wireshark would support this behaviour by default as
there are many cases where protocols encapsulate others - IPIP or IPSec
over TCP come to mind here ...

Alternately, since I'm wanting to look at PPP, would it be better to
capture the PPP session directly from a serial link somehow? 

To my mind, capturing the session with Wireshark or tcpdump when TCP
was the transport was the way to go, but if I can't get at the data
inside the TCP payload then there's not a lot of point ... :)


[1] this is not the same thing as PPPoE as far as I understand it ... 

Malcolm Herbert                                This brain intentionally
mjch@xxxxxxxx                                                left blank
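
An added example, not part of the original post and not Wireshark code: the HDLC-like PPP frames described above can be pulled out of a TCP payload offline by following RFC 1662 (0x7e flags, 0x7d escapes, FCS-16). The function names and the sample bytes are constructed for illustration, and it assumes one direction of the TCP stream has already been reassembled into a single byte string.

```python
# Added example: RFC 1662 HDLC-like PPP de-framing of a reassembled TCP payload.
FLAG, ESC, XOR = 0x7E, 0x7D, 0x20
GOOD_FCS = 0xF0B8  # FCS-16 residue over (frame body + transmitted FCS)

def fcs16(data, fcs=0xFFFF):
    """RFC 1662 FCS-16 (reflected polynomial 0x8408), without the final complement."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def unescape(chunk):
    """Undo control-escape stuffing; None if the chunk ends inside an escape (abort)."""
    out, it = bytearray(), iter(chunk)
    for byte in it:
        if byte == ESC:
            byte = next(it, None)
            if byte is None:
                return None
            byte ^= XOR
        out.append(byte)
    return bytes(out)

def deframe(stream):
    """Split on flag bytes; return (fcs_ok, protocol, info) per frame, in order."""
    frames = []
    for chunk in filter(None, stream.split(bytes([FLAG]))):
        raw = unescape(chunk) or b""
        body = raw[2:-2] if raw[:2] == b"\xff\x03" else raw[:-2]  # address/control may be compressed away
        plen = 1 if body and body[0] & 1 else 2  # protocol-field compression: one odd byte
        if len(body) < plen:  # aborted or runt frame
            frames.append((False, None, b""))
            continue
        frames.append((fcs16(raw) == GOOD_FCS, int.from_bytes(body[:plen], "big"), body[plen:]))
    return frames

def frame(proto, info):
    """Build one stuffed frame; used here only to construct the sample input."""
    body = b"\xff\x03" + proto.to_bytes(2, "big") + info
    body += (fcs16(body) ^ 0xFFFF).to_bytes(2, "little")  # FCS is sent low byte first
    stuffed = b"".join(bytes([ESC, b ^ XOR]) if b < 0x20 or b in (ESC, FLAG) else bytes([b]) for b in body)
    return bytes([FLAG]) + stuffed + bytes([FLAG])

# Constructed sample: an LCP frame, an IPv4 frame whose data contains 0x7e/0x7d, and a cut-off tail.
SAMPLE = frame(0xC021, b"\x01\x01\x00\x04") + frame(0x0021, b"\x45\x00\x7e\x7d") + b"\x7e\xff\x7d"

if __name__ == "__main__":
    for ok, proto, info in deframe(SAMPLE):
        print("FCS ok" if ok else "bad frame", hex(proto) if proto is not None else "-", info.hex())
```

The `info` bytes of frames with protocol 0x0021 are the IPv4 packets carried inside the PPP session, which is where the inner TCP data sits.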