This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am connected via PPTP VPN over an Ethernet connection to a server. I need to analyze packets to and from the server for a certain application. The application packets on the VPN link are captured as "PPP - Compressed datagram". The payload packets are not uncompressed in the packet listing so I cannot see the actual payload. Is there a setting or plugin that will uncompress the payloads so I can see the actual data?

Sample packet below:

No.     Time           Source                Destination           Protocol Length Info
626 230.787803000  192.168.0.36          97.66.74.115          PPP Comp 204    Compressed data

Frame 626: 204 bytes on wire (1632 bits), 204 bytes captured (1632 bits) on interface 0
Ethernet II, Src: WistronI_a4:c4:4c (f0:de:f1:a4:c4:4c), Dst: SierraWi_ff:f0:af (00:a0:d5:ff:f0:af)
Internet Protocol Version 4, Src: 192.168.0.36 (192.168.0.36), Dst: 97.66.74.115 (97.66.74.115)
Generic Routing Encapsulation (PPP)
    Flags and Version: 0x3001
    Protocol Type: PPP (0x880b)
    Key: 0x009e84fc
    Sequence Number: 4783
Point-to-Point Protocol
    Protocol: Compressed datagram (0x00fd)
PPP Compressed Datagram

0000  00 a0 d5 ff f0 af f0 de f1 a4 c4 4c 08 00 45 00   ...........L..E.
0010  00 be 22 ad 00 00 80 2f 00 00 c0 a8 00 24 61 42   .."..../.....$aB
0020  4a 73 30 01 88 0b 00 9e 84 fc 00 00 12 af fd f2   Js0.............
0030  9d 09 9b 88 20 d8 45 2d cb 97 ff 98 c6 6f 2f 33   .... .E-.....o/3
0040  6c 1b 2c 19 56 56 06 20 eb d4 2d 9b fb 92 f9 58   l.,.VV. ..-....X
0050  ad 99 dd f4 14 2d 44 0c 2b eb 62 1e 0b 6f 8f 08   .....-D.+.b..o..
0060  d5 fd 1d 8b cc 42 84 d6 28 af 7f 60 f6 67 41 65   .....B..(..`.gAe
0070  7f 61 52 3f be 20 91 ed e6 55 14 9e c3 07 2c 8c   .aR?. ...U....,.
0080  0c c6 64 74 65 a9 01 70 c9 13 ab dd fd 0e 14 10   ..dte..p........
0090  f8 a2 22 43 2b 7a a7 df 7d ac 93 5e 3d 69 34 25   .."C+z..}..^=i4%
00a0  f3 ec c5 4e 73 fa 97 47 47 97 cb da d0 3c 90 39   ...Ns..GG....<.9
00b0  a8 b4 38 7a 54 46 20 4c c3 d0 cf b6 ab a1 45 31   ..8zTF L......E1
00c0  19 47 e1 28 9f 5e f2 a7 91 ca 4b 52               .G.(.^....KR

asked 14 Feb '13, 08:09

jcasler

edited 14 Feb '13, 13:55

Guy Harris


Looking at the current (as of this writing) version of the PPP dissector, I see that this functionality is not yet implemented. (See dissect_comp_data at line 4310.) I suggest opening an enhancement bug request for it at the Wireshark bugzilla website.


answered 14 Feb '13, 09:00

cmaynard
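An added example, not part of the original question or answer and not Wireshark code: a short Python parser that walks the first 50 bytes of frame 626 from the question down to the PPP compressed datagram. The function names are hypothetical, and reading the first two datagram bytes as an MPPC/MPPE header (RFC 2118 / RFC 3078) is an assumption, since the CCP negotiation is not shown on the page.

```python
import struct

# First 50 bytes of frame 626 from the question: Ethernet, IPv4 and GRE
# headers, the PPP protocol byte, and the first 3 bytes of the datagram.
FRAME_626_HEAD = bytes.fromhex(
    "00a0d5fff0aff0def1a4c44c08004500"
    "00be22ad0000802f0000c0a800246142"
    "4a733001880b009e84fc000012affdf2"
    "9d09"
)

def parse_pptp_frame(frame):
    """Walk Ethernet II -> IPv4 -> enhanced GRE (RFC 2637) -> PPP."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4")
    gre = 14 + (frame[14] & 0x0F) * 4            # skip the IPv4 header
    if frame[14 + 9] != 47:
        raise ValueError("not GRE")
    # Wireshark's "Key" field is payload length and call ID taken together.
    flags, proto, plen, call_id = struct.unpack_from("!HHHH", frame, gre)
    if (flags & 0x0007) != 1 or proto != 0x880B:
        raise ValueError("not enhanced GRE carrying PPP")
    off, seq, ack = gre + 8, None, None
    if flags & 0x1000:                           # S bit: sequence number
        seq = struct.unpack_from("!I", frame, off)[0]
        off += 4
    if flags & 0x0080:                           # A bit: acknowledgment number
        ack = struct.unpack_from("!I", frame, off)[0]
        off += 4
    end = off + plen                             # payload length covers the PPP frame
    if frame[off:off + 2] == b"\xff\x03":        # uncompressed address/control
        off += 2
    if frame[off] & 1:                           # one-byte (compressed) protocol field
        ppp_proto, off = frame[off], off + 1
    else:
        ppp_proto, off = struct.unpack_from("!H", frame, off)[0], off + 2
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp_proto": ppp_proto, "data_off": off, "data_len": end - off}

def ccp_header_bits(frame, off):
    """Read the 16-bit header at the start of the compressed datagram.
    Assumption: MPPC/MPPE layout (RFC 2118 / RFC 3078)."""
    word = struct.unpack_from("!H", frame, off)[0]
    return {"flushed": bool(word & 0x8000), "compressed": bool(word & 0x2000),
            "encrypted": bool(word & 0x1000), "coherency": word & 0x0FFF}

if __name__ == "__main__":
    info = parse_pptp_frame(FRAME_626_HEAD)
    print(info, ccp_header_bits(FRAME_626_HEAD, info["data_off"]))
```

Under the MPPC/MPPE assumption, a set `encrypted` bit means the datagram is MPPE-encrypted as well as compressed, so decompression alone would not reveal the application data.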
