USArmyResearchLab / Dshell

Dshell is a network forensic analysis framework.

strip layers for pppoe and other layer #84

Closed biatwc closed 8 years ago

biatwc commented 8 years ago

Hi

I can't seem to get dshell working with pcaps saved to disk or traffic from an interface. In Wireshark the traffic has the pppoe layer above the ethernet layer, and another layer above the pppoe one, which Wireshark calls 'Point-to-point Protocol' and is 2 bytes in length.

I've started dshell with --strip= all numbers from 1 to 6, with nothing happening; the pcap definitely has DNS traffic in it. --strip requires an int, so what should I give it?

Many thanks

dev195 commented 8 years ago

One thing you might want to try is setting the layer-2 decoder from the command line (Dshell defaults to ethernet.Ethernet). For example, you can try something along the lines of:

decode -d <your decoder> --layer2=ppp.PPP <your pcap>

That --layer2 argument works by setting the first dpkt module to use when decoding a raw packet. In that example, we're telling it to use the PPP class in the ppp (Point-to-Point Protocol) module.

I looked briefly at the dpkt source code for ppp.py, however, and noticed an unsettling # XXX - finish later in there, so I can't guarantee everything will work as planned.

I've never, personally, worked with that protocol before, so I don't have any pcap to test my recommendation out. Is there any possibility for you to share the pcap you're using? I understand if that's impossible, but it would help us figure out a solution if the problem persists.

Let us know if that doesn't help, and we can dig further to figure something out for you.

biatwc commented 8 years ago

Here is a sample pcap with pppoe layer. sample.cap.zip

I've tried the --layer2=ppp.PPP with no success.

traviswparker commented 8 years ago

The --strip=n option is designed to remove extra Layer 2 headers before the IP header. In the case of PPPoE we have Ethernet( PPPoE( PPP( IP(...) ) ) ). Dshell's IP decoder expects Layer2( IP(...) ), so we need to remove 2 layers with --strip=2.

The other gotcha is the default BPF filter for the DNS decoder is (udp and port 53). This won't work with PPPoE encapsulated traffic, so you need to disable the filter with --bpf=''.

Dshell> decode -d dns --strip=2 --bpf='' ~/sample.cap.zip
Enter password for .zip file [default:none]:
dns 2016-04-01 04:18:13          8.8.8.8:53    --    192.168.42.72:53268 ** 49176 A? fpdownload.macromedia.com / CNAME: san-download.adobe.com.edgekey.net, CNAME: e4937.d.akamaiedge.net, A: 104.82.135.83 (ttl 19s) **
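
An added illustration of the two points above (standard-library code written for this thread, not Dshell's or dpkt's): it walks a constructed Ethernet/PPPoE/PPP/IP frame, counts the headers sitting between Ethernet and IP (the n you pass as --strip=n), and mimics the default udp and port 53 filter as it would be compiled for a plain Ethernet link type, which fails on the ethertype test before it ever reaches the ports. The port-offset arithmetic assumes a 20-byte IP header, which is a simplification of what libpcap actually emits.

```python
import struct

ETHERTYPE_IP, ETHERTYPE_PPPOE_SESSION = 0x0800, 0x8864
PPP_PROTO_IP = 0x0021  # PPP protocol number for IPv4


def parse_layers(frame):
    """Return (layer names, byte offset of the IP header) for one raw frame.
    Handles Ethernet/IP and Ethernet/PPPoE/PPP/IP; anything else raises."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    layers, off = ["Ethernet"], 14
    if ethertype == ETHERTYPE_IP:
        return layers + ["IP"], off
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ver_type, code = struct.unpack_from("!BB", frame, off)
    if ver_type != 0x11 or code != 0x00:  # v1/t1, code 0 = session data
        raise ValueError("not a PPPoE session frame")
    layers.append("PPPoE")
    off += 6  # ver/type, code, session id, payload length
    proto, = struct.unpack_from("!H", frame, off)
    if proto != PPP_PROTO_IP:
        raise ValueError("PPP payload is not IPv4: 0x%04x" % proto)
    layers.append("PPP")  # the 2-byte 'Point-to-Point Protocol' layer
    off += 2
    return layers + ["IP"], off


def layers_to_strip(frame):
    """Headers between Ethernet and IP, i.e. the n to pass as --strip=n."""
    return len(parse_layers(frame)[0]) - 2


def plain_ethernet_udp53_match(frame):
    """Mimic 'udp and port 53' compiled for a plain Ethernet link: ethertype
    at byte 12, IP protocol at 23, ports at 34/36 (20-byte IP header assumed)."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IP or frame[23] != 17:
        return False
    return 53 in struct.unpack_from("!HH", frame, 34)


# Constructed sample (checksums zeroed): Ethernet -> PPPoE(session 1) -> PPP(IPv4) -> IPv4 -> UDP 53268->53
IP_HDR = bytes.fromhex("4500001c 0000 4000 40 11 0000 c0a82a48 08080808")
UDP_HDR = bytes.fromhex("d014 0035 0008 0000")
ETH_PPPOE = bytes.fromhex("001122334455 66778899aabb 8864")
PPPOE_FRAME = (ETH_PPPOE + struct.pack("!BBHH", 0x11, 0, 1, 2 + len(IP_HDR) + len(UDP_HDR))
               + struct.pack("!H", PPP_PROTO_IP) + IP_HDR + UDP_HDR)
PLAIN_FRAME = bytes.fromhex("001122334455 66778899aabb 0800") + IP_HDR + UDP_HDR
```

For PPPOE_FRAME the walk yields Ethernet, PPPoE, PPP, IP, so two headers to strip and no match from the plain-Ethernet filter; PLAIN_FRAME needs no stripping and matches.
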

biatwc commented 8 years ago

Thanks for that, strangely I get different output using the same capture file, see below:

~/Dshell Dshell> decode -d dns --strip=2 --bpf='' sample.cap
WARNING:dns:local variable 'smac' referenced before assignment
WARNING:dns:local variable 'smac' referenced before assignment

traviswparker commented 8 years ago

https://github.com/USArmyResearchLab/Dshell/commit/1744f7aadbc25b8cfae2e568331e11a3f6edcab6 fixes that. Grab the latest master branch.