LinuxQuestions.org
Old 11-26-2004, 10:36 PM   #1
kaito
LQ Newbie
 
Registered: Nov 2004
Location: japan
Distribution: plamo, fedora
Posts: 27

tcpdump and snort cannot filter PPPoE packets


Hi, everyone. This is my first thread.

I have a problem when I capture PPPoE packets with tcpdump or snort.

I want to capture PPPoE packets in my network.
My network is as follows:

<ISP>
|
Repeater HUB ------ Router ------- <Local Network>
|
-------------------- Sniffer(Linux)

I can capture PPPoE packets with tcpdump and snort.
I ran the following commands:
# tcpdump -i eth1 -nt
# snort -dev

But I cannot filter PPPoE packets. I ran the following commands:
# tcpdump -i eth1 -nt host not port 22
# snort -dev not port 22
I assume tcpdump and snort analyze PPPoE packets, so maybe patches need to be applied to tcpdump and snort to analyze PPPoE packets.

Is my idea correct? If so, does someone know of those patches?

---------------
Appendix: version information
tcpdump version 3.8.3
libpcap version 0.8.3
snort-2.2.0
---------------

Last edited by kaito; 11-26-2004 at 10:39 PM.
 
Old 11-27-2004, 08:05 AM   #2
nukkel
Member
 
Registered: Mar 2003
Location: Belgium
Distribution: Hardened gentoo
Posts: 323

Hi, welcome to linuxquestions!

Maybe try 'tcpdump proto not tcp'.

The problem is when you type 'port not 22' it automatically assumes 'proto (tcp or udp) and port not 22'. And IIRC, pppoe does not run over TCP or UDP in the transport-layer, so pppoe packets won't survive this filter.

I'm not sure on this, you'll have to give it a try.

regards
nukkel
 
Old 11-28-2004, 05:18 PM   #3
kaito
LQ Newbie
 
Registered: Nov 2004
Location: japan
Distribution: plamo, fedora
Posts: 27

Original Poster
nukkel, thank you for your reply.

> Maybe try 'tcpdump proto not tcp'.
>
> The problem is when you type 'port not 22' it automatically assumes 'proto (tcp or udp) and port not 22'. And IIRC, pppoe does not run over TCP or UDP in the transport-layer, so pppoe packets won't survive this filter.

I tried 'tcpdump proto not tcp', but a syntax error happened.

I re-read the tcpdump man page and tried the following command:
# tcpdump -i eth0 ppp
tcpdump: link layer applied in wrong context

Maybe tcpdump doesn't support layer 2 protocols.
I found some information related to my problem.
According to that information, tcpdump needs a patch to analyze layer 2 protocols.
http://www.tcpdump.org/lists/workers.../msg00058.html
 
Old 11-29-2004, 02:01 PM   #4
nukkel
Member
 
Registered: Mar 2003
Location: Belgium
Distribution: Hardened gentoo
Posts: 323

Oh sorry, that was supposed to be 'tcpdump not tcp'
 
Old 12-02-2004, 03:56 AM   #5
kaito
LQ Newbie
 
Registered: Nov 2004
Location: japan
Distribution: plamo, fedora
Posts: 27

Original Poster
Thanks for the tcpdump information, nukkel.

How about PPPoE packets with snort?
Do you have any information on whether snort analyzes PPPoE packets?
 
Old 12-03-2004, 03:28 PM   #6
nukkel
Member
 
Registered: Mar 2003
Location: Belgium
Distribution: Hardened gentoo
Posts: 323

I have never used snort, sorry. I cannot tell you.

The "Ethereal" program claims to be able to capture pppoe:

http://www.ethereal.com/introduction.html#features

However, it also uses the libpcap library, I think, so you may run into the same problem there.

Best of luck,
nukkel
 
Old 12-05-2004, 09:34 PM   #7
kaito
LQ Newbie
 
Registered: Nov 2004
Location: japan
Distribution: plamo, fedora
Posts: 27

Original Poster
Thanks, nukkel.

It is difficult for snort to analyze PPPoE packets.
I wonder whether the network diagram should be changed so that snort and tcpdump capture Ethernet packets.

I was very glad that nukkel advised me with this information.
Thanks!!
 
Old 12-06-2004, 01:27 AM   #8
nukkel
Member
 
Registered: Mar 2003
Location: Belgium
Distribution: Hardened gentoo
Posts: 323

No problem kaito!
 
Old 08-16-2009, 03:25 AM   #9
gjarboni
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Quote:
Originally Posted by kaito
I know this question is half a decade old, but it's first in google if you search on tcpdump pppoe, so I figured I'd post some info here. I was having the same problem with the same version of tcpdump. It turns out there's an easy solution.

tcpdump -i eth1 'ether[0x0c:2] == 0x8863 or ether[0x0c:2] == 0x8864'

will show you PPPoE packets. 0x8863 is the EtherType for PPPoE Active Discovery and 0x8864 is the EtherType for PPPoE Session.

Jason M.

Last edited by gjarboni; 08-16-2009 at 04:10 AM.
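As an added illustration of the filter discussion in post #2 and the EtherType filter from post #9 (example code written for this page, not posted by kaito, nukkel or gjarboni): the constructed frames below show why a 'port 22' expression never looks inside a PPPoE session frame, and why testing the EtherType at offset 12 does select PPPoE. Frame layout follows RFC 2516; MAC and IP addresses and the session id are constructed.

```python
import struct

# EtherTypes read by tcpdump's 'ether[12:2]' test, and the PPP protocol id for IPv4
ETH_IPV4, ETH_PPPOE_DISC, ETH_PPPOE_SESS, PPP_IPV4 = 0x0800, 0x8863, 0x8864, 0x0021
ETH_HDR, PPPOE_HDR, PPP_PROTO = 14, 6, 2  # IPv4 inside a PPPoE session frame starts at 22

def ipv4_tcp(sport, dport):
    """Constructed minimal IPv4 (protocol 6) + TCP header, 40 bytes, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def eth_frame(ethertype, payload):  # constructed Ethernet II frame, dummy MACs
    return bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ethertype) + payload

def pppoe_session_frame(inner_ipv4):
    """Wrap IPv4 as a PPPoE session frame: ver/type 0x11, code 0x00 (session data),
    session id 1, payload length, then the PPP protocol id 0x0021 before the IP header."""
    ppp = struct.pack("!H", PPP_IPV4) + inner_ipv4
    return eth_frame(ETH_PPPOE_SESS, struct.pack("!BBHH", 0x11, 0x00, 1, len(ppp)) + ppp)

def ethertype(frame):
    return struct.unpack_from("!H", frame, 12)[0]

def is_pppoe(frame):
    """The filter from post #9: ether[12:2] == 0x8863 or ether[12:2] == 0x8864
    (newer libpcap spells the same test 'pppoed or pppoes')."""
    return ethertype(frame) in (ETH_PPPOE_DISC, ETH_PPPOE_SESS)

def tcp_port_at(frame, ip_off, port):
    """True if the IPv4 header at ip_off carries TCP with `port` as source or destination."""
    if frame[ip_off + 9] != 6:  # IP protocol field must be TCP
        return False
    ihl = (frame[ip_off] & 0x0F) * 4
    return port in struct.unpack_from("!HH", frame, ip_off + ihl)

def port_filter_plain(frame, port):
    """What 'port 22' does: it descends into IP only when the EtherType is IPv4, so a
    PPPoE session frame never matches it, and 'not port 22' passes every PPPoE frame."""
    return ethertype(frame) == ETH_IPV4 and tcp_port_at(frame, ETH_HDR, port)

def port_filter_pppoe_aware(frame, port):
    """Same test, but also following PPPoE -> PPP -> IPv4 at offset 14 + 6 + 2 = 22."""
    if ethertype(frame) == ETH_IPV4:
        return tcp_port_at(frame, ETH_HDR, port)
    ppp_off = ETH_HDR + PPPOE_HDR
    if ethertype(frame) == ETH_PPPOE_SESS and struct.unpack_from("!H", frame, ppp_off)[0] == PPP_IPV4:
        return tcp_port_at(frame, ppp_off + PPP_PROTO, port)
    return False
```

The offsets in `port_filter_pppoe_aware` are the same ones you would use in a raw `ether[...]` expression to reach the tunneled IP header on a libpcap that lacks PPPoE support.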
 