Ethereal-users: Re: [Ethereal-users] Decode problems

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 31 May 2004 15:56:29 -0700

On Sun, May 30, 2004 at 12:13:49PM +0000, Lan Hai wrote:
> I downloaded another copy of v0.9.7 from the www.ethereal.com site; it doesn't
> work either. I guess the previous 0.9.7 was modified by someone. It is not a
> correct implementation because I found it caused some decoding errors (pls
> refer to Ethereal-0.10.4-GRE.JPG and Ethereal-0.9.7-GRE.JPG): the same hex
> values were decoded as different results.

I don't see that in those two images - the modified 0.9.7 decoded frame
140 as PPP-over-GRE, and the non-modified 0.10.4 decoded it as an
unknown GRE type 0x8881 (just as the non-modified 0.9.7 probably did).

Where is the decoding error?

> If you need the "modified" 0.9.7 please drop me a mail, it's really a big 
> file for mail attachment (~8MB).

We'd need the *source code* to the modified 0.9.7; a binary version
wouldn't help - we'd need their modifications so that we could
incorporate them into the standard version of Ethereal.

Note that, as Ethereal is licensed under the GPL, whoever gave you the
version of Ethereal that handles a GRE protocol type of 0x8881 is
*required* to give you the source code to that version if you ask for it
and is *required* to let you give that source code away to anybody you
want to give it to.

> I am confused why 0.10.4 can't decode LCP in the attached cap.

Because standard Ethereal 0.10.4 can't handle a GRE encapsulation type
of 0x8881, just as standard Ethereal 0.9.7 couldn't, either.  Therefore,
it doesn't recognize the GRE payload as PPP, and thus doesn't even know
it's PPP and thus doesn't even know that there *is* a PPP payload, much
less that it's LCP.  (I.e., this is *NOT* a problem with Ethereal's
ability to dissect LCP, it's a problem with Ethereal's ability to
dissect GRE packets with a GRE encapsulation type of 0x8881.)

See

	http://www.ethereal.com/lists/ethereal-dev/200312/msg00174.html

for a response to mail from somebody else who had traffic with a GRE
encapsulation type of 0x8881 - that protocol type probably belongs to
the Telecommunications Industry Association, but I don't know what
they're using it for or where what they're using it for is documented. 
It appears that whoever modified the Ethereal 0.9.7 that you're using
calls it "RP Tunnel".

According to a manual for Sniffer Mobile (a version of Network
Associates' Sniffer software for, I think, mobile phone protocols),
0x8881 and 0x880b are "GRE-PPP: PPP as a GRE Protocol Type".  The thread
in the ethereal-dev list with my message with the URL above has some
things that suggest that it *might* involve header compression.

It would Really Help if you could get the source to the modifications to
0.9.7 to support all those 3GPP2isms, so we could try to add support for
them in Ethereal.  (If whoever gave you the modified Ethereal doesn't
want to give you the source, tell them that the GPL requires them to do
so.)
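
The dispatch behaviour described in the message above, as an added example that is not part of the original mail and is not Ethereal's code: the GRE protocol type selects the payload parser, so an unregistered type such as 0x8881 leaves the PPP/LCP bytes undissected. The function names, the `extra_types` parameter and the sample frame are constructed for illustration, and treating a 0x8881 payload as plain PPP is an assumption the thread only suggests.

```python
import struct

# Protocol types a stock table knows; 0x8881 is deliberately absent.
KNOWN_TYPES = {0x0800: "ipv4", 0x880B: "ppp"}
PPP_PROTOCOLS = {0xC021: "LCP", 0x8021: "IPCP", 0x0021: "IPv4"}
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak"}


def parse_ppp(data):
    """Parse a PPP header, and the LCP header when the protocol is LCP."""
    if data[:2] == b"\xff\x03":          # optional HDLC address/control bytes
        data = data[2:]
    if len(data) < 2:
        raise ValueError("truncated PPP header")
    (proto,) = struct.unpack_from("!H", data, 0)
    info = {"protocol": PPP_PROTOCOLS.get(proto, hex(proto))}
    if proto == 0xC021 and len(data) >= 6:
        code, ident, length = struct.unpack_from("!BBH", data, 2)
        info["lcp"] = {"code": LCP_CODES.get(code, code),
                       "id": ident, "length": length}
    return info


def parse_gre(frame, extra_types=None):
    """Parse a version-0 GRE header and dispatch on its protocol type."""
    if len(frame) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack_from("!HH", frame, 0)
    offset = 4
    # Optional checksum, key and sequence fields (RFC 2784/2890), 4 bytes each.
    for bit in (0x8000, 0x2000, 0x1000):
        if flags & bit:
            offset += 4
    if len(frame) < offset:
        raise ValueError("truncated GRE optional fields")
    types = {**KNOWN_TYPES, **(extra_types or {})}
    kind = types.get(ptype)
    if kind != "ppp":
        # Unknown type: the payload stays opaque, so LCP is never reached.
        return {"gre_type": ptype, "payload": kind or "unknown", "ppp": None}
    return {"gre_type": ptype, "payload": "ppp",
            "ppp": parse_ppp(frame[offset:])}


# Constructed sample: key-present flag, type 0x8881, key, then PPP/LCP bytes.
SAMPLE = bytes.fromhex("20008881" "00000001" "ff03c021" "01010004")

if __name__ == "__main__":
    print(parse_gre(SAMPLE))                                # stock table
    print(parse_gre(SAMPLE, extra_types={0x8881: "ppp"}))   # with 0x8881 mapped
```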