Wireshark-users: Re: [Wireshark-users] How to decode nested l2tp traffic?

From: Patrick Klos <patrick@xxxxxxxx>
Date: Thu, 22 May 2014 14:13:04 -0400
Joan wrote:
I am trying to extract the data transmitted into a l2tp tunnel, I am running thsark/tcpdump in the tunnel terminator. What I am using so far is this (4291 is the tunnel number): tcpdump -n -i eth3.800 "udp port 1701 && udp[8:2] & 0x80ff == 0x0002 && udp[10:2] == 4291" I took the filter line from here http://networkingbodges.blogspot.com.es/2012/11/tshark-one-liners.html
The problem is that I would like to inspect the traffic inside the 
tunnel, but I could'nt find a reference on this.
Any clues?
Can you share a pcap file?  I could run it through PacketView (which 
de-tunnels L2TP) and see if it helps??
Patrick Klos
Klos Technologies, Inc.