On Wed, Aug 21, 2002 at 07:26:26PM +0100, Mr. Adam ALLEN wrote:
> I am looking to be able to capture the PPP packets travelling through my
> PPP interface (ppp0)- local link between two computers.
>
> Although using Ethernet some ethernet-frame information is extracted
> (MAC-addresses), but not Preamble, Start Frame Delimiter....
Few, if any, Ethernet cards supply the raw Ethernet framing to the host,
so there's nothing Ethereal - or any *other* sniffer program that, like
Ethereal, relies on standard network cards to capture Ethernet packets -
can get the Ethernet framing information.
> are the MAC
> addresses just found from the ARP table rather than the Ethernet frame?
No. There's the low-level framing information (preamble, etc.), and
there's the Ethernet frame itself; the card delivers the frame, but not
the framing information, to the host. The frame includes the Ethernet
header, which includes the destination address, source address, and
type/length field.
> What I need to do is view the entire PPP frame; Ethereal seems to only
> grab the IP packet from the ppp frame. Is it possible to view the entire
> frames travelling down a link (maybe need to change source?
On what OS are you doing this?
On most if not all OSes, if you're using PPP-over-HDLC-like-framing, the
PPP driver strips out PPP framing information, and undoes the
bit-stuffing/byte-stuffing, before supplying the frame to other code in
the OS, including the code that delivers packets to user-mode programs.
Furthermore, on some OSes, the PPP header is also either not made
available, as is often the case on Linux, or is, I suspect, transformed
into an Ethernet header for the benefit of higher-layer protocol
modules on Windows.
So it's not that Ethereal is discarding that information - it doesn't
*have* the information.
