This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

PPP compressed data not displayed uncompressed

0

I am connected via pptp vpn over an ethernet connection to a server. I need to analyze packets to and from the server for a certain application. The application packets on the vpn link are captured as "PPP - Compressed datagram". The payload packets are not uncompressed in the packet listing so I can not see the actual payload. Is there a setting or plugin that will uncompress the payloads so I can see the actual data?

sample packet below:

No.     Time           Source                Destination           Protocol Length Info
626 230.787803000  192.168.0.36          97.66.74.115          PPP Comp 204    Compressed data

Frame 626: 204 bytes on wire (1632 bits), 204 bytes captured (1632 bits) on interface 0
Ethernet II, Src: WistronI_a4:c4:4c (f0:de:f1:a4:c4:4c), Dst: SierraWi_ff:f0:af (00:a0:d5:ff:f0:af)
Internet Protocol Version 4, Src: 192.168.0.36 (192.168.0.36), Dst: 97.66.74.115 (97.66.74.115)
Generic Routing Encapsulation (PPP)
    Flags and Version: 0x3001
    Protocol Type: PPP (0x880b)
    Key: 0x009e84fc
    Sequence Number: 4783
Point-to-Point Protocol
    Protocol: Compressed datagram (0x00fd)
PPP Compressed Datagram


asked 14 Feb ‘13, 08:09


jcasler
accept rate: 0%

edited 14 Feb ‘13, 13:55


Guy Harris ♦♦


One Answer:

1

Looking at the current (as of this writing) version of the PPP dissector, I see that this functionality is not yet implemented. (See dissect_comp_data at line 4310.) I suggest opening an enhancement bug request for it at the Wireshark bugzilla website.

answered 14 Feb '13, 09:00


cmaynard ♦♦
accept rate: 20%
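An added example, not part of the original question or answer and not Wireshark code: a small parser for the enhanced GRE header (version 1, RFC 2637) that PPTP uses, showing how the fields in the question's packet details are laid out and how a frame is recognised as a PPP compressed datagram. The names `parse_pptp_gre` and `SAMPLE` are hypothetical; the sample's header values are the ones listed in the question, and its payload is constructed zero bytes, not real compressed data.

```python
import struct

GRE_PROTO_PPP = 0x880B    # "Protocol Type: PPP (0x880b)" in the question
PPP_COMPRESSED = 0x00FD   # "Compressed datagram (0x00fd)"

def parse_pptp_gre(gre: bytes) -> dict:
    """Parse an enhanced GRE (version 1, RFC 2637) packet that carries PPP."""
    if len(gre) < 8:
        raise ValueError("truncated GRE header")
    # The 32-bit "Key" is really two fields: payload length and call ID.
    flags, proto, payload_len, call_id = struct.unpack_from("!HHHH", gre)
    if (flags & 0x0007) != 1 or proto != GRE_PROTO_PPP or not (flags & 0x2000):
        raise ValueError("not enhanced GRE (version 1, key present) carrying PPP")
    has_seq, has_ack = bool(flags & 0x1000), bool(flags & 0x0080)
    off = 8
    if len(gre) < off + 4 * (has_seq + has_ack) + payload_len:
        raise ValueError("packet shorter than its header and payload length")
    seq = ack = None
    if has_seq:                  # S bit: sequence number, payload follows
        (seq,) = struct.unpack_from("!I", gre, off)
        off += 4
    if has_ack:                  # A bit: acknowledgment number
        (ack,) = struct.unpack_from("!I", gre, off)
        off += 4
    ppp = gre[off:off + payload_len]
    if ppp[:2] == b"\xff\x03":   # address/control fields sent uncompressed
        ppp = ppp[2:]
    if not ppp:                  # acknowledgment-only packet, no PPP frame
        protocol, body = None, b""
    elif ppp[0] & 1:             # protocol field compression: one byte
        protocol, body = ppp[0], ppp[1:]
    elif len(ppp) >= 2:
        protocol, body = int.from_bytes(ppp[:2], "big"), ppp[2:]
    else:
        raise ValueError("truncated PPP protocol field")
    return {"call_id": call_id, "seq": seq, "ack": ack, "protocol": protocol,
            "compressed": protocol == PPP_COMPRESSED, "body": body}

# Constructed sample: header values from the question (flags 0x3001,
# key 0x009e84fc, sequence 4783), then a one-byte protocol field 0xfd
# and 157 zero bytes standing in for the compressed payload.
SAMPLE = struct.pack("!HHHHI", 0x3001, 0x880B, 0x009E, 0x84FC, 4783) \
    + b"\xfd" + bytes(157)

if __name__ == "__main__":
    info = parse_pptp_gre(SAMPLE)
    print(hex(info["protocol"]), info["compressed"], len(info["body"]))
```

The `body` returned for a compressed frame is the still-compressed datagram; recovering the inner packet depends on the compression protocol the two PPP peers negotiated.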