This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to set capture-filter for l2tp control packets

0

Hello

I'm a newbie to Wireshark, so I'm not sure if this is a known question or issue. I use "l2tp.sid==0" as a display filter to filter L2TP control packets and it works well, but it failed to work as a capture filter with a syntax error. Could anybody let me know if it's possible to set such a capture filter, and how, if the answer is yes? Thanks in advance!

asked 13 Feb '14, 21:39


guyin

edited 10 Sep '16, 12:14


sindy


One Answer:

0

Actually L2TP control messages are identified by the control flag in the L2TP header.

Display filter for control messages

l2tp.type == 1

The same in capture filter syntax (highest bit in the first byte of the UDP payload is the control flag)

udp[8]>>7=1
tcpdump -ni eth0 'udp[8]>>7=1'

If you want to filter for the SID, the following capture filter will work

tcpdump -ni eth0 'udp[14:2]=0'

HINT: there can be control messages with a SID != 0, so if you only filter for the SID, you might miss some control messages.

You can obviously also combine the two

tcpdump -ni eth0 'udp[8]>>7=1 and udp[14:2]=0'

which will filter for frames with the control flag set and SID == 0.

++ UPDATE ++

For L2TPv3 directly at the IP level (see your comment about DOCSIS), the whole thing works like this:

According to your screenshot, you can identify L2TPv3 frames in the IP frame with

ip[9]=115

and then you can use the same filters I mentioned above, just adjusted to the new location in the IP frame. The 'limitations' regarding the control message flag and the SID are the same.

So, the full filter would be

tcpdump -ni eth0 'ip[9]=115 and ip[24]>>7=1'

or with the SID

tcpdump -ni eth0 'ip[9]=115 and ip[24]>>7=1 and ip[20:4]=0'

I'm not sure regarding the SID (ip[20:4] or ip[20:2] ip[22:2]), as I can't determine that from the screenshot. I guess it's ip[20:4].

According to the capture files at bugs.wireshark.org, it is ip[20:4] for the SID (display field: l2tp.sid).

Hint: This will only work if there are no additional IP options. If there are, you need to adjust the offsets in the IP frame according to the IP options length.

Regards
Kurt

answered 14 Feb '14, 02:13


Kurt Knochner ♦

edited 16 Feb '14, 05:20
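The byte offsets used by the capture filters in the answer above can be checked without a live capture. The script below is an added example, not code from the original answer or from the Wireshark/tcpdump projects: it builds constructed L2TPv2-over-UDP and L2TPv3-over-IP control messages (the IP addresses, tunnel ID and control connection ID are made up) and evaluates the same byte predicates the tcpdump filters use. It also covers the IP-options case from the last hint: tcpdump's udp[n] is counted from the UDP header and libpcap already skips IPv4 options for it, while ip[n] is counted from the start of the IP header, so the L2TPv3-over-IP filter has to be shifted by the options length.

```python
"""Added example (not part of the original Q&A): constructed L2TP control
messages and a byte-offset check that mirrors the tcpdump filters above.

udp[n]  -> offset n from the start of the UDP header (libpcap skips IP options)
ip[n]   -> offset n from the start of the IPv4 header (options are NOT skipped)
All addresses, tunnel and control connection IDs below are made up."""
import struct

IPPROTO_UDP = 17
IPPROTO_L2TP = 115          # 'ip proto l2tp' is the same test as ip[9]=115
L2TP_UDP_PORT = 1701


def ipv4_header(proto, payload_len, options=b""):
    """Minimal IPv4 header (checksum left 0); options must be 4-byte aligned."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s",
                       (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0x1234, 0,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
                       ) + options


def l2tpv2_over_udp(tunnel_id, session_id, control=True, options=b""):
    """L2TPv2 (RFC 2661) header inside UDP/1701.
    Control: T=1, L=1, S=1, Ver=2 -> flags, length, tunnel, session, Ns, Nr,
    so the session ID is at udp[14:2].  Data: only the version set -> flags,
    tunnel, session, then the tunnelled payload (constructed zeros here)."""
    if control:
        flags = 0x8000 | 0x4000 | 0x0800 | 0x0002
        l2tp = struct.pack("!HHHHHH", flags, 12, tunnel_id, session_id, 0, 0)
    else:
        l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id) + b"\x00" * 4
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp), 0)
    return ipv4_header(IPPROTO_UDP, len(udp) + len(l2tp), options) + udp + l2tp


def l2tpv3_control_over_ip(ccid, options=b""):
    """L2TPv3 over IP (RFC 3931 4.1.2.1): 32-bit Session ID, which is 0 for
    control messages, followed by the control header (flags/ver, length,
    control connection ID, Ns, Nr).  With a 20-byte IP header the session ID
    is ip[20:4] and the T bit is the top bit of ip[24]."""
    flags = 0x8000 | 0x4000 | 0x0800 | 0x0003       # T, L, S, version 3
    l2tp = struct.pack("!IHHIHH", 0, flags, 12, ccid, 0, 0)
    return ipv4_header(IPPROTO_L2TP, len(l2tp), options) + l2tp


def bpf_index(pkt, base, off, size=1):
    """Evaluate tcpdump's ip[off:size] or udp[off:size] on a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    start = 0 if base == "ip" else ihl
    return int.from_bytes(pkt[start + off:start + off + size], "big")


def matches_udp_filter(pkt):
    """'udp[8]>>7=1 and udp[14:2]=0'"""
    return (bpf_index(pkt, "ip", 9) == IPPROTO_UDP
            and bpf_index(pkt, "udp", 8) >> 7 == 1
            and bpf_index(pkt, "udp", 14, 2) == 0)


def matches_ip_filter(pkt, shift_for_options=False):
    """'ip[9]=115 and ip[24]>>7=1 and ip[20:4]=0'; with shift_for_options the
    offsets are moved past any IP options, as the answer's last hint says."""
    shift = (pkt[0] & 0x0F) * 4 - 20 if shift_for_options else 0
    return (bpf_index(pkt, "ip", 9) == IPPROTO_L2TP
            and bpf_index(pkt, "ip", 24 + shift) >> 7 == 1
            and bpf_index(pkt, "ip", 20 + shift, 4) == 0)


if __name__ == "__main__":
    print("v2 control, SID 0 :", matches_udp_filter(l2tpv2_over_udp(7, 0)))
    print("v2 data,    SID 0 :", matches_udp_filter(l2tpv2_over_udp(7, 0, control=False)))
    plain = l2tpv3_control_over_ip(0x1234)
    nops = l2tpv3_control_over_ip(0x1234, options=b"\x01\x01\x01\x01")  # 4 NOP options
    print("v3 control, no opt:", matches_ip_filter(plain))
    print("v3 control, 4B opt:", matches_ip_filter(nops), "->",
          matches_ip_filter(nops, shift_for_options=True))
```

The L2TPv2 data message is included so the T-bit test can be seen rejecting it; the NOP-padded L2TPv3 packet shows the unshifted ip[20:4]/ip[24] filter silently missing a control message once IP options are present.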

Hi, Kurt

Thanks for your info. Actually my case is to capture DOCSIS DEPI control packets, which are L2TPv3 over IP. Since there is no UDP, I also can't use the type flag but the control session ID to identify the control packets. How can I revise the filters you offered in such a case?

(15 Feb '14, 08:38) guyin

can you post a small sample capture file somewhere (google drive, dropbox, cloudshark.org)?

(15 Feb '14, 10:51) Kurt Knochner ♦

Hi, Kurt. Please refer to the following link for a screen capture of one DEPI control packet. You can see the L2TP header right next to the IP header, and the session ID is 0. I think we can use something like ip[x:y] to represent the session ID field, but I'm not sure of the exact syntax. https://dl.dropboxusercontent.com/u/83185044/Screen%20Shot%202014-02-16%20at%2010.58.23%20AM.png

(15 Feb '14, 19:04) guyin
1

see the ++ UPDATE ++ in my answer.

(16 Feb '14, 03:03) Kurt Knochner ♦

Hi, Kurt

Thanks a lot for your help! The "ip proto l2tp && ip[20:4]==0" works fine with my case. Of course it's not complete, just simple enough to match my specific case. Thanks again for your help!

(17 Feb '14, 19:16) guyin

Of course that's a bit easier to read ;-))

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up)

(17 Feb '14, 22:34) Kurt Knochner ♦