
My ISP provides a PPPoE-based dialer where the client dials using the dialer. After authentication (PAP) the computer is connected to the internet.

When I try to view packets in Wireshark using the filter "eth.dst == my_pppoe_access_concentrator_mac_address", I don't see any packets.

The interesting thing is, I only see packets sent by my NIC to the access concentrator (server). Why?

Why is Wireshark not able to get packets sent by others to the AC?

Rahul
  • Where are you running Wireshark? On your equipment you should see only the traffic between your PPP endpoint and the modem, and possibly any discovery traffic being broadcast (I think this is unlikely). Also, if you want to see bidirectional traffic use `eth.addr == `, else you need to capture both `eth.src` and `eth.dst` with the same MAC. It might also be easier to just capture PPPoE frames as suggested by timmeyh. – Thomas Guyot-Sionnest Nov 03 '21 at 18:11

2 Answers


OK, so normally when I try to capture PPP traffic (to see if everything is OK: PADI / PADO / PADR / PADS) I use the following filter in Wireshark:

(eth.type == 0x8863 or eth.type == 0x8864)

In tcpdump it would be:

tcpdump ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864

This will "normally" result in the MAC address of the AC in the PADO and the PADS message.

If this doesn't work or shows up as you say it does, then please answer the following questions:

  • Where is your trace captured (linux interface / tapping point in network / ...) ?

  • What is your end goal? I don't see any issues, as authentication is successful, so why the need to troubleshoot?

  • Do you see your authenticate-ack (pap-code 2) from your ISP?

  • Is there any reason to assume the PPPoE-based dialer has a custom PPPoE protocol implementation?

timmeyh
  • Also, if you're only interested in control packets, you can filter out any non-zero CODE field (from a quick glance all control packets have CODE set to some value). Ex: `tcpdump 'ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864 and ether[0x0f] != 0'`. Since I've only seen session packets with a 0 code, this can even be simplified to: `tcpdump 'ether[0x0c:2] == 0x8864 and ether[0x0f] != 0 or ether[0x0c:2] == 0x8863'`. Both lead to very simple filter code and run fine on my _arm_cortex-a9_vfpv3_ router even with heavy traffic. This will show all packets except those containing session data. – Thomas Guyot-Sionnest Nov 03 '21 at 18:01
  • Scratching a bit more at the PPP protocol, the protocol field of session packets has its own 16-bit assignment, and all link-control protocols have the `0x8000` bit set (anything above 0x00FF should be fairly low traffic anyway...), therefore this will get you all control traffic incl. LCP and the like: `tcpdump 'ether[0x0c:2] == 0x8864 and (ether[0x0f] != 0 or ether[0x14] & 0x80 == 128) or ether[0x0c:2] == 0x8863'`. To be even more greedy, match anything with byte `0x14` set (the high byte of the 16-bit protocol field): `ether[0x14] != 0`. – Thomas Guyot-Sionnest Nov 03 '21 at 19:00
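The tcpdump expressions in this answer and its comments select frames by raw byte offsets: `ether[0x0c:2]` is the EtherType, `ether[0x0f]` the PPPoE CODE byte and `ether[0x14:2]` the PPP protocol field. As an added illustration (not code from the answer or the commenters), the following Python reproduces that offset logic over constructed PPPoE frames so the classification can be checked offline; the MAC addresses and session ID are constructed values.

```python
import struct

ETH_P_PPPOE_DISC = 0x8863  # PPPoE Discovery stage (PADI/PADO/PADR/PADS/PADT)
ETH_P_PPPOE_SESS = 0x8864  # PPPoE Session stage (carries PPP frames)
PPP_PAP, PPP_IPV4 = 0xC023, 0x0021  # PPP protocol numbers: PAP (control), IPv4 (data)

# Constructed addresses for the demo frames (locally administered, not real hosts).
MAC_CLIENT = bytes.fromhex("020000000001")
MAC_AC = bytes.fromhex("020000000002")
MAC_BCAST = b"\xff" * 6


def build_pppoe_frame(dst, src, ethertype, code, session_id, ppp_proto=None, payload=b""):
    """Build Ethernet + PPPoE header (+ optional PPP protocol and payload)."""
    body = (struct.pack(">H", ppp_proto) if ppp_proto is not None else b"") + payload
    pppoe_hdr = struct.pack(">BBHH", 0x11, code, session_id, len(body))  # ver=1, type=1
    return dst + src + struct.pack(">H", ethertype) + pppoe_hdr + body


def classify(frame):
    """Apply the same tests as the BPF filters: EtherType, CODE byte, PPP protocol high bit."""
    if len(frame) < 0x14:                       # 14-byte Ethernet + 6-byte PPPoE header
        return "too-short"
    ethertype = struct.unpack_from(">H", frame, 0x0c)[0]
    if ethertype == ETH_P_PPPOE_DISC:           # ether[0x0c:2] == 0x8863
        return "discovery"
    if ethertype != ETH_P_PPPOE_SESS:
        return "not-pppoe"
    if frame[0x0f] != 0:                        # ether[0x0f] != 0
        return "nonzero-code"
    if len(frame) < 0x16:
        return "too-short"
    ppp_proto = struct.unpack_from(">H", frame, 0x14)[0]
    if ppp_proto & 0x8000:                      # ether[0x14] & 0x80 == 128 -> LCP/PAP/CHAP/IPCP...
        return "ppp-control"
    return "session-data"


def matches_control_filter(frame):
    """True for frames the greedy tcpdump filter from the comments would pass."""
    return classify(frame) in ("discovery", "nonzero-code", "ppp-control")


if __name__ == "__main__":
    padi = build_pppoe_frame(MAC_BCAST, MAC_CLIENT, ETH_P_PPPOE_DISC, 0x09, 0)
    pap = build_pppoe_frame(MAC_AC, MAC_CLIENT, ETH_P_PPPOE_SESS, 0, 0x1234, PPP_PAP, b"\x01")
    data = build_pppoe_frame(MAC_AC, MAC_CLIENT, ETH_P_PPPOE_SESS, 0, 0x1234, PPP_IPV4, b"\x45")
    for name, f in (("PADI", padi), ("PAP", pap), ("IPv4", data)):
        print(name, classify(f), matches_control_filter(f))
```

Run it against frames read from a capture of the underlying Ethernet interface (not the ppp device) to see which frames the filter would keep.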

Have a look here for an explanation for different OSes: PPP capture setup

I assume you are using Linux, here's the relevant portion:

Linux

On Linux, you won't be able to capture PPP control protocol traffic in the usual manner (via libpcap) as that traffic is not supplied to the networking stack. You will be able to capture IP traffic, for example, but you won't be able to see the PPP headers, as the PPP code doesn't supply them to the networking stack.

The PPP control protocol traffic can be captured by configuring the ppp daemon to 'record' to a capture file all the data the daemon sends and receives. Wireshark can then be used to display the created capture file.

On Fedora Core 6 the pppd capture file is created if 'record filename-of-your-choice' is added as a line in /etc/ppp/options (YMMV: see 'man pppd').

Note that all traffic on the PPP port is captured to the file so this option, if left on, may cause a large capture file to be generated.

MichelZ
  • Does it capture other requests in my LAN? I checked, it does not... how can I capture other requests to the AC? – Rahul Jul 26 '12 at 17:02
  • What do you mean by "other requests in your LAN"? You cannot just grab foreign packets in a (switched) LAN. – MichelZ Jul 27 '12 at 06:13
  • That's not correct, I am ABLE to see PPPoE frames. The point is to capture on the UNDERLYING Ethernet device, not on the ppp device. – Tomek Jul 24 '19 at 17:09