This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Only the first ppp packet is decoded when I convert a ppp dump using text2pcap

0

I have a ppp stream over a serial port. Each ppp packet contains an IP datagram, with an ICMP message (ping). I have removed the HDLC headers (7E FF 03) from the stream, and I have also corrected the characters escaped with 0x7D.

I convert this ppp dump using text2pcap -l 9 (DLT_PPP protocol), but in the resulting pcap file, only the first ppp packet is decoded, as you can see in the following image:

capture

I have checked the IP length, and it is right. I have also compared my capture with "ppp-dialup-munged.pcap" in https://wiki.wireshark.org/PPP and, in both captures, packets have a two-byte FCS after the IP datagram, just before the next packet.

Why in my case the next packet is not decoded? Should I signal in the raw file where the next packet begins?

The raw file I convert with text2pcap is:

000000 00 21 45 00 00 3C 6E 5D 00 00 80 01 E9 01 C0 A8 
000010 0E 21 08 00 0C 99 00 00 52 5C 02 00 01 00 61 62 
000020 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 
000030 73 74 75 76 77 61 62 63 64 65 66 67 68 69 CD 94 
000040 00 21 45 00 00 3C 6E 5E 00 00 80 01 E9 00 C0 A8 
000050 0E 21 08 00 0C 99 00 00 51 5C 02 00 02 00 61 62 
000060 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 
000070 73 74 75 76 77 61 62 63 64 65 66 67 68 69 5D 14 
000080 00 21 45 00 00 3C 6E 5F 00 00 80 01 E8 FF C0 A8 
000090 0E 21 08 00 0C 99 00 00 50 5C 02 00 03 00 61 62 
0000A0 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 
0000B0 73 74 75 76 77 61 62 63 64 65 66 67 68 69 A1 3C 
0000C0 00 21 45 00 00 3C 6E 60 00 00 80 01 E8 FE C0 A8 
0000D0 0E 21 08 00 0C 99 00 00 4F 5C 02 00 04 00 61 62 
0000E0 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 
0000F0 73 74 75 76 77 61 62 63 64 65 66 67 68 69 75 1C 
000100

New packets should start in 0x000000, 0x000040, 0x000080 and 0x0000C0 (the begining is 00 21, IP protocol). Thanks in advance.

asked 07 Jul '15, 01:38

jcibar's gravatar image

jcibar
6114
accept rate: 0%

edited 07 Jul '15, 01:42

2 Answers:

1

There are 4 64 bytes PPP frames in the data so you must add the max packet length parameter to text2pcap of -m 64.

When viewing the capture in Wireshark you should also set the PPP protocol preference "PPP Frame Checksum Type" to "16-Bit".

answered 07 Jul '15, 02:05

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

0

Finally, I solved the issue restarting the byte count digits when a new packet starts (that is, the new packet starts with 000000):

000000 00 21 45 00 00 3C 6E 5D 00 00 80 01 E9 01 C0 A8 
000010 0E 21 08 00 0C 99 00 00 52 5C 02 00 01 00 61 62 
000020 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 
000030 73 74 75 76 77 61 62 63 64 65 66 67 68 69 CD 94 
000040    
000000 00 21 45 00 00 3C 6E 5E 00 00 80 01 E9 00 C0 A8 
000010 0E 21 08 00 0C 99 00 00 51 5C 02 00 02 00 61 62 
000020 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 
000030 73 74 75 76 77 61 62 63 64 65 66 67 68 69 5D 14 
000040    
000000 00 21 45 00 00 3C 6E 5F 00 00 80 01 E8 FF C0 A8 
000010 0E 21 08 00 0C 99 00 00 50 5C 02 00 03 00 61 62 
000020 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 
000030 73 74 75 76 77 61 62 63 64 65 66 67 68 69 A1 3C 
000040
000000 00 21 45 00 00 3C 6E 60 00 00 80 01 E8 FE C0 A8 
000010 0E 21 08 00 0C 99 00 00 4F 5C 02 00 04 00 61 62 
000020 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 
000030 73 74 75 76 77 61 62 63 64 65 66 67 68 69 75 1C 
000040

Thanks for your help.

answered 09 Jul '15, 06:37

jcibar's gravatar image

jcibar
6114
accept rate: 0%