Ethereal-dev: [Ethereal-dev] PPPoE under LINUX_SLL - Ethereal does not recognize the direction
I've been playing with Ethereal over the past couple of days (only 
discovered it a couple of days ago).

I'm trying to find a libpcap protocol where Ethereal recognizes the 
direction, but no luck yet.

I know that converting pppdump format directly to libpcap format 
(specifically using the PPP link layer) through Ethereal gets rid of the 
direction bit, so I've made a Perl script that converts the pppdump 
output into a libpcap file masquerading as PPPoES under SLL (currently 
_without_ the help of libpcap). But Ethereal still complains that the 
direction is unknown (even though sent packets become "Sent by us" and 
received packets become "Unicast to us" in the SLL header) when it 
encounters VJ Compressed packets ("PPPoES VJ compressed TCP (direction 
unknown)").

I guess I could evolve my Perl script to understand the TCP/IP protocol 
and the PPP protocol, instead of passing everything almost completely 
unmodified to the PPPoES protocol. At the moment, it's basically a hack. 
The first packet is a null packet at the moment.

Here's some (compressed) output from Ethereal to show what I mean about 
Ethereal not understanding the direction with libpcap.
Frame 38 (28 bytes on wire, 28 bytes captured)
...
Linux cooked capture
   Packet type: Sent by us (4)
...
   Protocol: PPPoE Session (0x8864)
PPP-over-Ethernet Session
...
Point-to-Point Protocol
   Protocol: VJ compressed TCP (0x002d)
PPP VJ Compression: Compressed data
   Change mask: 0x0c
...
   TCP checksum: 0x97a9
   Ack delta: 10
   Sequence delta: 140
Frame 39 (330 bytes on wire, 330 bytes captured)
...
Linux cooked capture
   Packet type: Unicast to us (0)
...
   Protocol: PPPoE Session (0x8864)
PPP-over-Ethernet Session
...
Point-to-Point Protocol
   Protocol: VJ compressed TCP (0x002d)
PPP VJ Compression: Compressed data
   Change mask: 0x3c
...
   TCP checksum: 0xc3b3
   Ack delta: 140
   Sequence delta: 10
   IP ID delta: 110
   TCP payload
Compared to straight from the pppdump file:
Frame 37 (8 bytes on wire, 8 bytes captured)
...
   Point-to-Point Direction: Sent (0)
Point-to-Point Protocol
   Protocol: VJ compressed TCP (0x002d)
PPP VJ Compression: Compressed data
   Change mask: 0x0c
...
   TCP checksum: 0x97a9
   Ack delta: 10
   Sequence delta: 140
   TCP payload
Internet Protocol, Src Addr: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx), Dst 
Addr: xx.xx.xxx.xxx (xx.xx.xxx.xxx)
...
Transmission Control Protocol, Src Port: xxxxx (xxxxx), Dst Port: xxxx 
(xxxx), Seq: 141, Ack: 11, Len: 2
...
Frame 38 (310 bytes on wire, 310 bytes captured)
...
   Point-to-Point Direction: Received (1)
Point-to-Point Protocol
   Protocol: VJ compressed TCP (0x002d)
PPP VJ Compression: Compressed data
   Change mask: 0x3c
...
   TCP checksum: 0xc3b3
   Ack delta: 140
   Sequence delta: 10
   IP ID delta: 110
   TCP payload
Internet Protocol, Src Addr: xx.xx.xxx.xxx (xx.xx.xxx.xxx), Dst Addr: 
xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
...
Transmission Control Protocol, Src Port: xxxx (xxxx), Dst Port: xxxxx 
(xxxxx), Seq: 11, Ack: 141, Len: 303
...
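
The encapsulation described in the message above, as an added example that is not the poster's Perl script: each PPP frame is wrapped in a PPPoE session header and a Linux cooked (SLL) header whose packet type field carries the direction, then written as a libpcap record and parsed back. The session ID, the all-zero link-layer address, the ARPHRD_ETHER address type and the sample PPP bytes are assumptions constructed for the example.

```python
import struct

DLT_LINUX_SLL = 113            # libpcap link type "Linux cooked capture"
SLL_HOST, SLL_OUTGOING = 0, 4  # "Unicast to us" / "Sent by us"
ETH_P_PPP_SES = 0x8864         # SLL protocol value for PPPoE Session
ARPHRD_ETHER = 1               # assumed link-layer address type

def sll_pppoes_frame(sent, ppp, session_id=1):
    """Wrap one PPP frame (protocol field + data) in SLL and PPPoE session headers."""
    sll = struct.pack("!HHH8sH", SLL_OUTGOING if sent else SLL_HOST,
                      ARPHRD_ETHER, 6, bytes(8), ETH_P_PPP_SES)
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp))
    return sll + pppoe + ppp

def write_pcap(records):
    """records: (ts_sec, sent, ppp_bytes) tuples; returns the libpcap file as bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_LINUX_SLL)
    for ts, sent, ppp in records:
        frame = sll_pppoes_frame(sent, ppp)
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_directions(pcap):
    """Parse the file back; return [(direction, ppp_protocol, frame_len), ...]."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != DLT_LINUX_SLL:
        raise ValueError("not a little-endian LINUX_SLL capture")
    names = {SLL_HOST: "received", SLL_OUTGOING: "sent"}
    off, result = 24, []
    while off < len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        if incl < 24 or len(frame) < incl:
            raise ValueError("truncated record")
        pkttype, _, _, _, proto = struct.unpack_from("!HHH8sH", frame, 0)
        if proto != ETH_P_PPP_SES:
            raise ValueError("not a PPPoE session frame")
        (ppp_proto,) = struct.unpack_from("!H", frame, 22)
        result.append((names.get(pkttype, "unknown"), ppp_proto, incl))
        off += 16 + incl
    return result

# Constructed sample records: PPP protocol 0x002d (VJ compressed TCP) + constructed bytes.
SAMPLE = [(0, True, bytes.fromhex("002d0c97a90a8c")),
          (1, False, bytes.fromhex("002d3cc3b38c0a6e"))]

if __name__ == "__main__":
    for row in read_directions(write_pcap(SAMPLE)):
        print(row)
```

In this layout the direction exists only in the first two bytes of the SLL header, so any dissector that needs it for the PPP payload has to read it from there.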