[msher3@xxxxxxxxx]

Thanks alot,

Following your advice I could actually capture...

One question is still opened though-

Are the offsets of the internal fields of the packets(like *ipheader, *udp etc) also shifted comparing to those under standard packets?

Regards

I. Lesher

On Wed, Jun 2, 2010 at 10:01 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

If you're capturing traffic on an Ethernet interface, and some or all of that traffic is PPPoE (rather than, for example, capturing on a PPP device that happens to use PPPoE), to filter on the PPPoE content you have to do

       pppoes and {filter}

so that, for example, if you want all UDP PPPoE traffic, you need to say

       pppoes and udp

The pcap-filter man page in libpcap 1.0.0 and later (and the tcpdump man page for the pre-4.0 versions of tcpdump released at the same time as pre-1.0 versions of libpcap) says:

      pppoes True if the packet is a PPP-over-Ethernet Session packet (Ether-
             net  type  0x8864).   Note that the first pppoes keyword encoun-
             tered in _expression_ changes the decoding offsets for the remain-
             der  of  _expression_ on the assumption that the packet is a PPPoE
             session packet.

             For example:
                  pppoes && ip
             filters IPv4 protocols encapsulated in PPPoE.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe