Wireshark-dev: Re: [Wireshark-dev] Question about Wireshark parsing PPP protocol???
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 27 Oct 2006 12:12:58 +0200 (CEST)
Hi,

The short answer is: yes this is PPP.

The long answer is: With recent versions of WinPcap and Windows (don't ask
details) it is possible to capture this stuff on a serial link (dialup
connection). It is conveniently wrapped in a pseudo Ethernet header and
handed to Wireshark to display. So you get to see PPP LCP, CHAP and NCPs
for IP etc. And for the rest the data packets as if they were sent on an
Ethernet link.

Thanx,
Jaap

On Fri, 27 Oct 2006, Mosly Chang wrote:

> Hi everyone!!
> I have some questions about Wireshark parsing.
> When I try to understand the PPP protocol, I find some material about it.
> I can see it is a Data Link layer protocol, so I think it has no DA SA
> compared to the most general packet format EthernetII.
> Its frame format is "Flag + Address + Control + Protocol + Information
> + FCS".
> The "Protocol" indicates what the upper-layer protocol is, such as IP,
> IPX, LCP.
> By this reasoning, I guess Wireshark can't parse the PPP protocol.
> But I just tried to find a sample packet file in the Wireshark Wiki
> http://wiki.wireshark.org/SampleCaptures#head-5d1cb7d95d26641c61a5ba82ab7c0c76c08133e7
> I am surprised that it has a PPP file.
> In PPPHandshake.cap
> <http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=PPPHandshake.cap>
> , the first packet is in the following form:
> ................
> EthernetII:
>            Destination  :xxxxxxxxx
>            Source, xxxxxxxx
>            Type unknown (0xc223)
> PPP Challenge Handshake Authentication Protocol
>            Code: Failure(0x04)
>            Identifier:0x00
>            Length:52
> ......
>
> Is this PPP protocol???? Who knows about it?
> Thanks a lot!!!
>
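
The wrapping described in this thread, as an added example that is not part of the original messages or of Wireshark's code: a parser for a pseudo Ethernet frame whose type field carries a PPP protocol number (0xc223 for CHAP), followed by the Code/Identifier/Length header. The function name, MAC addresses and message text are constructed for illustration; the sample is not taken from PPPHandshake.cap.

```python
import struct

# PPP protocol numbers that can appear where the EtherType normally sits.
PPP_PROTOCOLS = {0x0021: "IP", 0x8021: "IPCP", 0xC021: "LCP",
                 0xC023: "PAP", 0xC223: "CHAP"}
CHAP_CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def parse_frame(frame: bytes) -> dict:
    """Decode a pseudo Ethernet frame whose type field holds a PPP protocol number."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src, ptype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "type": ptype,
           "ppp_protocol": PPP_PROTOCOLS.get(ptype)}
    # Only the control protocols share the Code/Identifier/Length header.
    if out["ppp_protocol"] not in ("LCP", "PAP", "CHAP", "IPCP"):
        return out
    body = frame[14:]
    if len(body) < 4:
        raise ValueError("truncated PPP control header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    # Length covers the 4-byte header plus data; anything after it is padding.
    if length < 4 or length > len(body):
        raise ValueError(f"bad Length field {length} for {len(body)} bytes")
    data = body[4:length]
    out.update(code=code, identifier=ident, length=length)
    if out["ppp_protocol"] == "CHAP":
        out["code_name"] = CHAP_CODES.get(code, "unknown")
        if code in (3, 4):            # Success/Failure carry a text message
            out["message"] = data.decode("ascii", "replace")
        elif code in (1, 2):          # Challenge/Response: size, value, name
            if not data or data[0] > len(data) - 1:
                raise ValueError("bad CHAP Value-Size")
            out["value"] = data[1:1 + data[0]]
            out["name"] = data[1 + data[0]:].decode("ascii", "replace")
    return out


# Constructed sample (not bytes from PPPHandshake.cap): CHAP Failure, id 0, Length 52.
SAMPLE = (bytes.fromhex("020000000001" "020000000002" "c223")
          + struct.pack("!BBH", 4, 0, 52)
          + b"authentication failed (constructed)".ljust(48, b"."))

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```

A frame with type 0x0800 comes back with `ppp_protocol` set to `None`, matching the data packets that appear as ordinary Ethernet traffic.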