
Comments (5)

dev195 avatar dev195 commented on June 3, 2024

One thing you might want to try is setting the layer-2 decoder from the command line (Dshell defaults to ethernet.Ethernet). For example, you can try something along the lines of:

decode -d <your decoder> --layer2=ppp.PPP <your pcap>

That --layer2 argument works by setting the first dpkt module to use when decoding a raw packet. In that example, we're telling it to use the PPP class in the ppp (Point-to-Point Protocol) module.

I looked briefly at the dpkt source code for ppp.py, however, and noticed an unsettling # XXX - finish later in there, so I can't guarantee everything will work as planned.

I've never, personally, worked with that protocol before, so I don't have any pcap to test my recommendation out. Is there any possibility for you to share the pcap you're using? I understand if that's impossible, but it would help us figure out a solution if the problem persists.

Let us know if that doesn't help, and we can dig further to figure something out for you.

from dshell.

biatwc avatar biatwc commented on June 3, 2024

Here is a sample pcap with a PPPoE layer.
sample.cap.zip

I've tried the --layer2=ppp.PPP with no success.

from dshell.

traviswparker avatar traviswparker commented on June 3, 2024

The --strip=n option is designed to remove extra Layer 2 headers before the IP header. In the case of PPPoE we have Ethernet( PPPoE( PPP( IP(...) ) ) ). Dshell's IP decoder expects Layer2( IP(...) ), so we need to remove 2 layers with --strip=2.

The other gotcha is that the default BPF filter for the DNS decoder is (udp and port 53). This won't work with PPPoE-encapsulated traffic, so you need to disable the filter with --bpf=''.

Dshell> decode -d dns --strip=2 --bpf='' ~/sample.cap.zip
Enter password for .zip file [default:none]:
dns 2016-04-01 04:18:13          8.8.8.8:53    --    192.168.42.72:53268 ** 49176 A? fpdownload.macromedia.com / CNAME: san-download.adobe.com.edgekey.net, CNAME: e4937.d.akamaiedge.net, A: 104.82.135.83 (ttl 19s) **

from dshell.
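To make the two points in that comment concrete, here is an added example (not Dshell's or dpkt's code, and not part of the original thread) that builds a PPPoE-encapsulated DNS packet from constructed bytes, walks Ethernet -> PPPoE -> PPP to find the IP header (the two layers --strip=2 removes), and emulates a "udp and port 53" filter compiled for a plain Ethernet link to show why it never matches the encapsulated frame. The MAC/IP addresses, port numbers and DNS bytes are all constructed sample values.

```python
"""Walk Ethernet(PPPoE(PPP(IPv4(UDP)))) down to the DNS payload.

Added example: a minimal hand-written parser mirroring what Dshell's
--strip=2 has to do for PPPoE, plus a naive 'udp and port 53' matcher
that shows why the default BPF filter misses PPPoE-encapsulated DNS.
Every packet byte here is constructed; nothing is captured traffic.
"""
import socket
import struct

ETH_TYPE_IPV4 = 0x0800
ETH_TYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage
PPP_PROTO_IPV4 = 0x0021
IP_PROTO_UDP = 17

# Constructed DNS query: id 0xC018, standard query, one question (www.example.com A IN)
DNS_SAMPLE = (b"\xc0\x18\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01")
_ETH_ADDRS = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"  # dst, src (constructed)


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """IPv4 + UDP headers around payload (checksums left 0 for brevity)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, IP_PROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


def build_plain_frame(ip_packet):
    """Ethernet(IPv4): what Dshell's default layer-2 decoder expects."""
    return _ETH_ADDRS + struct.pack("!H", ETH_TYPE_IPV4) + ip_packet


def build_pppoe_frame(ip_packet, session_id=0x0001):
    """Ethernet(PPPoE(PPP(IPv4))): the chain seen in the sample capture."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp  # ver/type, code, session, length
    return _ETH_ADDRS + struct.pack("!H", ETH_TYPE_PPPOE_SESSION) + pppoe


def decode_frame(frame):
    """Return (layers, ip_offset): the encapsulation chain and where IPv4 starts."""
    layers = ["ethernet"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETH_TYPE_IPV4:
        return layers, off
    if ethertype == ETH_TYPE_PPPOE_SESSION:
        ver_type, code, _session, _length = struct.unpack("!BBHH", frame[off:off + 6])
        if ver_type != 0x11 or code != 0x00:
            raise ValueError("not a PPPoE session packet")
        layers.append("pppoe")
        off += 6
        ppp_proto = struct.unpack("!H", frame[off:off + 2])[0]
        layers.append("ppp")
        off += 2
        if ppp_proto != PPP_PROTO_IPV4:
            raise ValueError("PPP payload is not IPv4: 0x%04x" % ppp_proto)
        return layers, off
    raise ValueError("unsupported ethertype 0x%04x" % ethertype)


def parse_udp(frame, ip_off):
    """Parse IPv4+UDP starting at ip_off; None if the IP payload is not UDP."""
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != IP_PROTO_UDP:
        return None
    udp_off = ip_off + ihl
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    return {"src": socket.inet_ntoa(frame[ip_off + 12:ip_off + 16]),
            "dst": socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]),
            "sport": sport, "dport": dport,
            "payload": frame[udp_off + 8:udp_off + ulen]}


def naive_bpf_udp_port53(frame):
    """Emulates 'udp and port 53' compiled for a plain Ethernet link: it only
    looks for IPv4 at offset 14, so a PPPoE frame carrying DNS never matches.
    This is the detection gap the --bpf='' workaround closes."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return False
    rec = parse_udp(frame, 14)
    return rec is not None and 53 in (rec["sport"], rec["dport"])


def extract_dns(frame):
    """Strip whatever sits between Ethernet and IP, then pull out a DNS datagram.
    'layers_stripped' is the value --strip=n would need for this frame."""
    layers, ip_off = decode_frame(frame)
    rec = parse_udp(frame, ip_off)
    if rec is None or 53 not in (rec["sport"], rec["dport"]):
        return None
    rec["layers_stripped"] = len(layers) - 1
    return rec


if __name__ == "__main__":
    ip_pkt = build_ipv4_udp("8.8.8.8", "192.168.42.72", 53, 53268, DNS_SAMPLE)
    for name, frame in (("plain", build_plain_frame(ip_pkt)), ("pppoe", build_pppoe_frame(ip_pkt))):
        print(name, "bpf matches:", naive_bpf_udp_port53(frame), "decoded:", extract_dns(frame))
```

Run it as a script and the PPPoE frame reports `bpf matches: False` while still decoding to the same DNS record as the plain frame, with `layers_stripped` equal to 2; that is exactly why the thread needs both --strip=2 and --bpf=''.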

biatwc avatar biatwc commented on June 3, 2024

Thanks for that, strangely I get different output using the same capture file, see below:

~/Dshell Dshell> decode -d dns --strip=2 --bpf='' sample.cap
WARNING:dns:local variable 'smac' referenced before assignment
WARNING:dns:local variable 'smac' referenced before assignment

from dshell.

traviswparker avatar traviswparker commented on June 3, 2024

1744f7a fixes that. Grab the latest master branch.

from dshell.
