dotpcap / packetnet

Official repository - High performance .Net assembly for dissecting and constructing network packets such as ethernet, ip, tcp, udp etc.
Mozilla Public License 2.0

l2tp Packet is not pulling sessionID #118

Open lovejotd opened 3 years ago

lovejotd commented 3 years ago

When I run analysis on an L2TP packet, the session ID is showing up as 0, but when I open the same packet in Wireshark, it shows the session ID as 4000? Checking the bytes, it also looks like it should be 4000.

PhyxionNL commented 3 years ago

Probably a parsing error. If the bytes are correct, you can take a look here and try to fix it (a test for this would be useful too): https://github.com/chmorgan/packetnet/blob/2775ea7f8fef4edee445ef7087eaa04a3612c920/PacketDotNet/L2tpPacket.cs#L73

lovejotd commented 3 years ago

I can add a test for it. Doesn't seem as though I have permissions to create a branch.

PhyxionNL commented 3 years ago

You don't, but you can create a fork and then submit a PR 🙂

lovejotd commented 3 years ago

Sorry, this is my first time... Not sure if I am testing the way you guys are, because my test is different. I uploaded a PR of my test. Let me know what you think.

chmorgan commented 3 years ago

@lovejotd wasn't sure if you saw my comment on your PR. I'd like to look at the packet you captured in Wireshark and look at the test results. Do you have that .pcap file still? If so can you upload it here?

lovejotd commented 3 years ago

@chmorgan No problem, yes, I still have it. I got it from a test capture site - https://packetlife.net/captures/protocol/l2tp/

You can download it here - https://packetlife.net/media/captures/icmp_in_l2tpv3.cap

Let me know if you have any questions.

chmorgan commented 3 years ago

@lovejotd alright, so after looking at that capture file and the l2tppacket dissector, the issue is that there are multiple versions of l2tp packets. The one being tested is v2 but the one you are testing with is v3. From the RFCs it looks like the format of the packets differs.

I'm also not sure if the parser covers all of the cases for l2tp v2 packets either.

It might make sense to extend that class but there would be properties of the class that wouldn't be valid for some versions of the packet.

chmorgan commented 3 years ago

@lovejotd @PhyxionNL as a heads up, the current plan is to make a class that will create the appropriate version of the L2TP packet based upon the version field, similar to how OspfPacket.ConstructPacket() works. Hope to have it wrapped up in a few days and a PR open.

lovejotd commented 2 years ago

Was there any movement on this? Thanks!

chmorgan commented 2 years ago

@lovejotd I started working on it and got side-tracked due to far too many projects and no immediate use for this.

I can push my work in progress to a branch if you'd like to take a look. It's basically the same approach as we do with other parsers that have multiple versions: we check the version and instantiate the correct version class.
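
The version dispatch described in this thread, as an added example that is not part of the discussion and not PacketDotNet code: it reads the Ver nibble first, then applies either the RFC 2661 (v2) layout or the RFC 3931 (v3) data-message layout, bounds-checking each read. The type names are hypothetical, the sample bytes are constructed, and the v3 branch assumes the L2TPv3-over-UDP data header only.

```csharp
using System;
using System.Buffers.Binary;

// Added illustration; these types are hypothetical and are not PacketDotNet classes.
public abstract record L2tpHeader(int Version, bool IsControl);
public sealed record L2tpV2Header(bool IsControl, ushort TunnelId, ushort SessionId) : L2tpHeader(2, IsControl);
public sealed record L2tpV3DataHeader(uint SessionId) : L2tpHeader(3, false);

public static class L2tpHeaderFactory
{
    // Parses the bytes that follow the UDP header and picks the layout from the Ver nibble.
    public static L2tpHeader Parse(ReadOnlySpan<byte> udpPayload)
    {
        if (udpPayload.Length < 2) throw new ArgumentException("truncated L2TP header");
        ushort flags = BinaryPrimitives.ReadUInt16BigEndian(udpPayload);
        bool isControl = (flags & 0x8000) != 0;   // T bit
        int version = flags & 0x000F;             // Ver field, low 4 bits

        switch (version)
        {
            case 2: // RFC 2661: [flags/ver][Length if L=1][Tunnel ID:16][Session ID:16]
            {
                int offset = 2 + ((flags & 0x4000) != 0 ? 2 : 0);
                if (udpPayload.Length < offset + 4) throw new ArgumentException("truncated L2TPv2 header");
                return new L2tpV2Header(isControl,
                    BinaryPrimitives.ReadUInt16BigEndian(udpPayload.Slice(offset)),
                    BinaryPrimitives.ReadUInt16BigEndian(udpPayload.Slice(offset + 2)));
            }
            case 3: // RFC 3931 over UDP, data message: [flags/ver][Reserved:16][Session ID:32]
            {
                if (isControl) throw new NotSupportedException("L2TPv3 control messages are outside this example");
                if (udpPayload.Length < 8) throw new ArgumentException("truncated L2TPv3 header");
                return new L2tpV3DataHeader(BinaryPrimitives.ReadUInt32BigEndian(udpPayload.Slice(4)));
            }
            default:
                throw new NotSupportedException($"unsupported L2TP version {version}");
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample headers, not bytes taken from the capture linked in the thread.
        byte[] v2 = { 0x00, 0x02, 0x00, 0x01, 0x00, 0x2A };             // Ver=2, tunnel 1, session 42
        byte[] v3 = { 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x0F, 0xA0 }; // Ver=3, session 4000
        Console.WriteLine(L2tpHeaderFactory.Parse(v2));
        Console.WriteLine(L2tpHeaderFactory.Parse(v3));
    }
}
```

Reading the constructed v3 header with the v2 layout would take the two reserved bytes as the tunnel ID and the upper half of the 32-bit session ID as the session ID, both zero here.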