tcpdump and snort cannot filter PPPoE packets
Hi, everyone. This is my first thread:)
There is a problem when I capture PPPoE packets with tcpdump or snort. I want to capture PPPoE packets in my network. My network is the following:

<ISP>
  |
Repeater HUB ------ Router ------- <Local Network>
  |
  -------------------- Sniffer (Linux)

I can capture PPPoE packets with tcpdump and snort. I ran the following commands:

# tcpdump -i eth1 -nt
# snort -dev

But I cannot filter PPPoE packets :(. I ran the following commands:

# tcpdump -i eth1 -nt host not port 22
# snort -dev not port 22

I assume tcpdump and snort analyze PPPoE packets, so maybe patches apply to tcpdump and snort to analyze PPPoE packets. Is my idea correct? Does someone know those patches, if my idea is correct?

---------------
Appendix: version information
tcpdump version 3.8.3
libpcap version 0.8.3
snort-2.2.0
---------------
Hi, welcome to linuxquestions! ;)
Maybe try 'tcpdump proto not tcp'. The problem is that when you type 'port not 22' it automatically assumes 'proto (tcp or udp) and port not 22'. And IIRC, pppoe does not run over TCP or UDP in the transport layer, so pppoe packets won't survive this filter. I'm not sure about this, you'll have to give it a try.

regards
nukkel
nukkel, thank you for your reply:)
> Maybe try 'tcpdump proto not tcp'.
>
> The problem is that when you type 'port not 22' it automatically assumes 'proto (tcp or udp) and port not 22'. And IIRC, pppoe does not run over TCP or UDP in the transport layer, so pppoe packets won't survive this filter.

I tried 'tcpdump proto not tcp', but a syntax error happened. I re-read the man page for tcpdump, and the following command did this:

# tcpdump -i eth0 ppp
tcpdump: link layer applied in wrong context

Maybe tcpdump doesn't support layer 2 protocols. I found information related to my problem. Based on that information, tcpdump needs a patch to analyze layer 2 protocols.
http://www.tcpdump.org/lists/workers.../msg00058.html
Oh sorry, that was supposed to be 'tcpdump not tcp' :scratch:
Thanks for the tcpdump information, nukkel ;)
How about PPPoE packets with snort? Do you have any information on whether snort analyzes PPPoE packets?
I have never used snort, sorry. I cannot tell you. :(
The "Ethereal" program claims to be able to capture pppoe: http://www.ethereal.com/introduction.html#features However, it also uses the libpcap library, I think, so it may be that you run into the same problem here.

Best of luck,
nukkel
Thanks, nukkel :)
It is difficult for snort to analyze PPPoE packets :( I wonder whether the network diagram should be changed to capture Ethernet packets for snort and tcpdump. I was very glad that nukkel advised me with all this information ;) Thanks!!
No problem kaito!
Quote:
tcpdump -i eth1 ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864

will show you PPPoE packets. 8863 is the ether type for Active Discovery and 8864 is the ether type for PPPoE sessions.

Jason M.
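To make that filter concrete, here is an added Python example (not from this thread, tcpdump or snort) that applies the same EtherType test as the BPF expression above to constructed frames, then walks the PPPoE header to show where the IPv4 header and the TCP ports actually sit in a session frame. The MAC addresses, IP addresses, session id and port numbers are made up for the sample frames.

```python
import struct
ETH_P_IP = 0x0800
ETH_P_PPPOE_DISC = 0x8863   # PPPoE Active Discovery stage (PADI/PADO/PADR/PADS/PADT)
ETH_P_PPPOE_SESS = 0x8864   # PPPoE Session stage
PPP_IPV4 = 0x0021           # PPP protocol number for IPv4

def is_pppoe(frame: bytes) -> bool:
    """Same test as the BPF 'ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864'."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] in (ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS)

def classify(frame: bytes) -> dict:
    """Decode the Ethernet and PPPoE headers; report where an IPv4 header starts, if any."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "pppoe": False, "ip_offset": 14 if ethertype == ETH_P_IP else None}
    if not is_pppoe(frame):
        return info
    if len(frame) < 20:
        raise ValueError("truncated PPPoE header")
    _ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    info.update(pppoe=True, kind="discovery" if ethertype == ETH_P_PPPOE_DISC else "session",
                code=code, session_id=session_id, payload_length=length)
    # Session frames: 6-byte PPPoE header, 2-byte PPP protocol field, then the PPP payload,
    # so IPv4 begins at offset 22 rather than at 14 as in a plain Ethernet/IP frame.
    if ethertype == ETH_P_PPPOE_SESS and len(frame) >= 22:
        info["ppp_protocol"] = struct.unpack("!H", frame[20:22])[0]
        if info["ppp_protocol"] == PPP_IPV4:
            info["ip_offset"] = 22
    return info

def build_pppoe_frame(ethertype: int, code: int, session_id: int, payload: bytes) -> bytes:
    """Construct a sample frame for offline testing (the MAC addresses are made up)."""
    dst = b"\xff" * 6 if ethertype == ETH_P_PPPOE_DISC else bytes.fromhex("001122334455")
    src = bytes.fromhex("00aabbccddee")
    return dst + src + struct.pack("!HBBHH", ethertype, 0x11, code, session_id, len(payload)) + payload

def tcp_dst_port(frame: bytes):
    """Follow the offset classify() reports to the TCP destination port, or None."""
    off = classify(frame)["ip_offset"]
    if off is None or len(frame) < off + 20 or frame[off + 9] != 6:
        return None
    ihl = (frame[off] & 0x0F) * 4
    return struct.unpack("!H", frame[off + ihl + 2:off + ihl + 4])[0] if len(frame) >= off + ihl + 4 else None
# Constructed samples: a PADI with an empty Service-Name tag, and a session frame carrying
# PPP/IPv4 (minimal 20-byte header, protocol 6 = TCP) and a TCP header to destination port 22.
PADI = build_pppoe_frame(ETH_P_PPPOE_DISC, 0x09, 0x0000, b"\x01\x01\x00\x00")
IPV4_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)
SESSION = build_pppoe_frame(ETH_P_PPPOE_SESS, 0x00, 0x0001, struct.pack("!H", PPP_IPV4) + IPV4_HDR + TCP_HDR)
```

Running classify() on PADI and SESSION shows that only the session frame has an IPv4 header, and that it starts 8 bytes later than in a plain Ethernet/IP frame.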