Wireshark · Ethereal-dev: Re: [ethereal-dev] grabbing ppp packets

[Guy Harris <gharris@xxxxxxxxxxxx>]

> > > I would like to grab the ppp-setup, but when I grab from ppp0, I get packets
> > > as raw-IP. Does anyone know how I can grab all ppp LCP, and NCP packets?
> > 
> > On what operating system?
> 
> Linux 2.2.13
> 
> Problem is that what I get from the ppp-device is only the raw IP-data, not
> the ppp-encapsulation.

I'd have to go dive into the kernel code to see why it's doing that, and
the connection between the link-layer Linux drivers and the SOCK_PACKET
socket code isn't something with which I'm sufficiently familiar that
I'd be able to find the answer quickly (it's easier for me to find the
connection in those OSes where looking for "bpf_" in the source finds
the tap :-)) - does anybody else know why only the IP traffic makes it
up to SOCK_PACKETland?

Or might "libpcap" on this system not be using SOCK_PACKET in the way
the standard Linux "libpcap" does?  What release of which distribution
are you running?