Hi,
I recently noticed that Wireshark does not seem to support pcap files
with DLT 51 (LINKTYPE_PPP_ETHER/DLT_PPP_ETHER) which is used by the
in-kernel PPPoE implementation (pppoe(4)) in NetBSD and OpenBSD:
$ tshark -r pppoe0-sample-2.pcap # TShark 1.6.5
...
tshark: The file "pppoe0-sample-2.pcap" is a capture for a network type that TShark doesn't support.
(pcap: network type 51 unknown or unsupported)
>From looking at the format Wireshark should be able to handle this
DLT using the existing pppoes dissector.
Please advise whether I should add a corresponding enhancement request
for Wireshark. So far nobody else seems to have missed it and pppoepcap2pcap
works sufficiently well for me.
Regards,
Reinhard
Attachment:
pppoe0-sample-2.pcap
Description: Binary data
#!/bin/sh
tcpdump -tt -xx -r "$@" | awk '
$2 == "PPPoE" {
if (timestamp != "" && hexstr != "") {
gsub(/../, " &", hexstr);
print timestamp, "000000", hexstr;
}
hexstr = "";
timestamp = $1;
pppoenr = NR;
next;
}
pppoenr > 0 && $1 ~ /^0x[0-9a-f]+:$/ {
for (i = 2; i <= NF; i++) {
hexstr = hexstr $i;
}
}
END {
if (timestamp != "" && hexstr != "") {
gsub(/../, " &", hexstr);
print timestamp, "000000", hexstr;
}
}
' | text2pcap -e 0x8864 -q -t %s. /dev/stdin /dev/stdout
