This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

pppoe architecture tracing

0

I have a DSL modem connected directly to my PC. I want to trace a few details of the packets passing through my PC with the help of Wireshark. Using Capture-->Interfaces I can see the only card with the IP = 10.0.0.1 (probably because it's a PPPoE connection). Can someone direct me where exactly this address should be found in the packet (I guess somewhere in the lower levels of the protocol stack)?

Thanks in advance

I. Lesher

asked 23 Jul '12, 22:37


triplebit
1777
accept rate: 0%


One Answer:

0

If it's really PPPoE you should see this packet structure:

Frame -> Ethernet -> PPP-over-Ethernet -> Point-to-Point Protocol -> IP -> TCP/UDP/ICMP/etc.

The address you mentioned would be in the IP layer in the field "Source:".

As you usually get an internet-routable address from your provider with PPPoE (not sure about all regions of the world), this could also be a PPPoA connection, due to your IP address (10.0.0.1). The default IP address of a lot of PPPoA modems is 10.0.0.138 and the modem hands out IP addresses in that IP range (DHCP).

http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_ATM

PPPoA would look totally different in Wireshark. Look for the IP layer directly and then for the Source field.

Regards
Kurt

answered 24 Jul '12, 01:07


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 24 Jul '12, 01:31

Thanks Kurt. I carefully followed your answer and saw that the structure is exactly how you wrote, i.e. Frame -> Ethernet -> PPP-over-Ethernet -> Point-to-Point Protocol -> IP -> TCP/UDP/ICMP/etc., but the address "10.0.0.1" is not in the IP protocol. Instead the IP layer contains the routable addresses of the source and the destination. Here is a paste from Wireshark of the IP layer of a single packet: "Internet Protocol, Src: 85.250.119.39 (85.250.119.39), Dst: 212.235.98.161 (212.235.98.161)" Can you further advise please? Regards, I. Lesher

(24 Jul '12, 04:03) triplebit

85.250.119.39

O.K., so you do get an "internet routable" address from your provider, as expected from PPPoE.

We just need to figure out why Wireshark shows 10.0.0.1 in the interface list.

What is the output of the following commands:

ipconfig /all
dumpcap -D -M

dumpcap is in the Wireshark install directory.

(24 Jul '12, 04:29) Kurt Knochner ♦

Thanks Kurt. Here is the response for dumpcap -D -M:

 1. \Device\NPF_{7A460928-A487-4219-BEC1-32E09C8B2CEA}  Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller(NDIS6.20)    10.0.0.1    network

Here is the response for ipconfig /all. Actually I cut the answer since it continues with a list of Tunnel adapters which I believe don't contribute here. Regards, I. Lesher

Windows IP Configuration

   Host Name . . . . . . . . . . . . : kobi-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

PPP adapter ‡‰…˜ ”‘ ˜‡:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : ‡‰…˜ ”‘ ˜‡
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 85.250.119.39(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 194.90.1.5
                                       212.143.212.143
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller(NDIS6.20)
   Physical Address. . . . . . . . . : E0-CB-4E-D3-5C-F1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::550c:2c41:4fe3:ec1c%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : ‰…™‰™‰ 20 ‰…Œ‰ 2012 18:47:09
   Lease Expires . . . . . . . . . . : ‰…‡Ž‰™‰ 26 ‰…Œ‰ 2012 11:47:19
   Default Gateway . . . . . . . . . : 10.0.0.138
   DHCP Server . . . . . . . . . . . : 10.0.0.138
   DHCPv6 IAID . . . . . . . . . . . : 249613134
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-D4-C3-6A-E0-CB-4E-D3-5C-F1
   DNS Servers . . . . . . . . . . . : 10.0.0.138
                                       10.0.0.138
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 23:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter #16
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:55fa:7727::55fa:7727(Preferred)
   Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
   DNS Servers . . . . . . . . . . . : 194.90.1.5
                                       212.143.212.143
   NetBIOS over Tcpip. . . . . . . . : Disabled

(26 Jul '12, 01:21) triplebit

The interface with your “external” IP address is a ppp adapter. You cannot sniff on those adapters on systems >= Win XP.

Can I use WinPcap on a PPP connection?
http://www.winpcap.org/misc/faq.htm#Q-5

I guess that's the reason why WinPcap does not show the ppp interface.

(31 Jul '12, 01:57) Kurt Knochner ♦
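
The layering described in the answer (Ethernet -> PPP-over-Ethernet -> Point-to-Point Protocol -> IP), as an added example that is not part of the original thread: a Python parser that walks a PPPoE session frame and returns the inner IP addresses, showing that they belong to the PPP adapter and not to the Ethernet adapter's 10.0.0.1. The sample frame is constructed; the IP addresses and source MAC are taken from the thread, while the destination MAC, session ID and remaining header values are made up.

```python
import socket
import struct

ETH_P_PPPOE_SESSION = 0x8864   # EtherType of PPPoE session-stage frames
PPP_PROTO_IPV4 = 0x0021        # PPP protocol number for IPv4

def parse_pppoe_ipv4(frame: bytes) -> dict:
    """Walk Ethernet -> PPPoE -> PPP -> IPv4 and return the fields of interest."""
    if len(frame) < 14 + 6 + 2 + 20:
        raise ValueError("frame too short for Ethernet/PPPoE/PPP/IPv4")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_PPPOE_SESSION:
        raise ValueError(f"not a PPPoE session frame (EtherType 0x{ethertype:04x})")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type or code")
    # The PPPoE length covers the PPP header and data; Ethernet padding is cut off.
    payload = frame[20:20 + length]
    if len(payload) != length or length < 22:
        raise ValueError("truncated PPPoE payload")
    (ppp_proto,) = struct.unpack("!H", payload[:2])
    if ppp_proto != PPP_PROTO_IPV4:
        raise ValueError(f"PPP payload is not IPv4 (protocol 0x{ppp_proto:04x})")
    ip = payload[2:]
    if ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return {
        "dst_mac": dst_mac.hex("-"),
        "src_mac": src_mac.hex("-"),
        "session_id": session_id,
        "ip_src": socket.inet_ntoa(ip[12:16]),   # Wireshark's "Source:" field
        "ip_dst": socket.inet_ntoa(ip[16:20]),
    }

def build_sample_frame() -> bytes:
    """Constructed sample: addresses from the thread, everything else made up."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton("85.250.119.39"),
                     socket.inet_aton("212.235.98.161"))
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ppp))
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000001"),
                      bytes.fromhex("e0cb4ed35cf1"), ETH_P_PPPOE_SESSION)
    return eth + pppoe + ppp

if __name__ == "__main__":
    print(parse_pppoe_ipv4(build_sample_frame()))
```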