Discussion:
Layer 2 header identification...
TDH1978
2017-05-12 21:36:22 UTC
I'm hoping someone can point me in the right direction. I have a PCAP
file where the packets do not have an Ethernet header; instead they
have a PPP (Point-to-Point Protocol) header.

I have a few questions.


1. The PPP header I'm seeing in wireshark has the following structure:

Address 0xFF (1 byte)
Control 0x03 (1 byte)
Protocol 0x0021 (2 bytes)
<...followed by IPv4...>

What happened to the 1-byte Flag field (usually set at 0x7E) which
indicates the beginning of the PPP frame?


2. Given that the flag field is missing, how was wireshark still able
to guess the proper format of the packet? The packet format is:

PPP
IPv4
UDP/Teredo
IPv6
ICMPv6


3. Even if the flag field were present, how does wireshark usually
identify the type of Layer 2 header? Does it guess?
Robert Wessel
2017-05-13 04:41:45 UTC
On Fri, 12 May 2017 17:36:22 -0400, TDH1978
Post by TDH1978
I'm hoping someone can point me in the right direction. I have a PCAP
file where the packets do not have an Ethernet header; instead they
have a PPP (Point-to-Point Protocol) header.
I have a few questions.
Address 0xFF (1 byte)
Control 0x03 (1 byte)
Protocol 0x0021 (2 bytes)
<...followed by IPv4...>
What happened to the 1-byte Flag field (usually set at 0x7E) which
indicates the beginning of the PPP frame?
2. Given that the flag field is missing, how was wireshark still able
PPP
IPv4
UDP/Teredo
IPv6
ICMPv6

Only if PPP is running an HDLC-like encapsulation, are the 0x7e flags
needed. If the underlying link provides the frame boundaries, PPP can
use those.

Post by TDH1978
3. Even if the flag field were present, how does wireshark usually
identify the type of Layer 2 header? Does it guess?

It depends on the layer 2. On Ethernet, for example, if it's either
the Ethernet frame type or a SNAP (802.2) header. On a serial link,
there's going to have to be some guessing/configuration required. Some
heuristics are possible, of course: if you're looking at a serial link
and you see something that looks like PPP containing something that
looks like an IP datagram, that may be a good guess.
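
Added example, not part of the original thread: a sketch of the "looks like PPP containing something that looks like an IP datagram" heuristic from the reply above, using the header values quoted in the question. The function names and sample frames are constructed for illustration, and the frame is assumed to be already unescaped (no HDLC byte stuffing).

```python
import struct

PPP_FLAG = 0x7E          # HDLC-like framing delimiter, absent when the link frames packets
PPP_PROTO_IPV4 = 0x0021  # PPP protocol value for IPv4, as shown in the question

def ipv4_header_ok(data: bytes) -> bool:
    """Plausibility checks on a candidate IPv4 header."""
    if len(data) < 20:
        return False
    version, ihl = data[0] >> 4, (data[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        return False
    total_len = struct.unpack("!H", data[2:4])[0]
    if total_len < ihl or total_len > len(data):
        return False
    # One's-complement sum over the header, checksum field included, must fold to 0xFFFF.
    s = sum(struct.unpack(f"!{ihl // 2}H", data[:ihl]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF

def looks_like_ppp_ipv4(frame: bytes) -> bool:
    """Optional 0x7E flag, then FF 03 address/control, protocol 0x0021, sane IPv4."""
    if frame[:1] == bytes([PPP_FLAG]):
        frame = frame[1:]                      # tolerate a leading flag byte
    if len(frame) < 4 or frame[0] != 0xFF or frame[1] != 0x03:
        return False
    if struct.unpack("!H", frame[2:4])[0] != PPP_PROTO_IPV4:
        return False
    return ipv4_header_ok(frame[4:])

# Constructed sample: IPv4 header (20 bytes, valid checksum) plus an 8-byte UDP header.
SAMPLE_IP = bytes.fromhex("4500001c000100004011f6cc" "c0000201c0000202"
                          "0dd80dd800080000")
SAMPLE_PPP = bytes.fromhex("ff030021") + SAMPLE_IP
# Constructed Ethernet broadcast frame: also starts with 0xFF, so the second
# byte (0x03) and the protocol field are what separate the two cases.
SAMPLE_ETH = bytes.fromhex("ffffffffffff" "020000000001" "0800") + SAMPLE_IP

if __name__ == "__main__":
    for name, frame in (("ppp", SAMPLE_PPP), ("eth", SAMPLE_ETH)):
        print(name, looks_like_ppp_ipv4(frame))
```

A match is only a guess, as the reply says; the IPv4 checksum test is what keeps random data that happens to begin with FF 03 00 21 from being accepted.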
h***@gmail.com
2017-05-15 20:03:54 UTC
Post by TDH1978
I'm hoping someone can point me in the right direction. I have a PCAP
file where the packets do not have an Ethernet header; instead they
have a PPP (Point-to-Point Protocol) header.
I have a few questions.

PPP is a layer 2 protocol that allows for transport of some other
layer 2 protocols. It isn't as general as Ethernet with ethertype,
but only allows for those protocols that have been defined.

https://en.wikipedia.org/wiki/Point-to-Point_Protocol
