On Wed, May 07, 2003 at 03:51:08PM -0700, Juhani Siira wrote: > I'm porting a ppp stack and would like to log the ppp > packets and view them to see the traffic from lcp up > to tcp. I've looked at the ethereal files produced > using the win me PPP wan adapter, and it seems the > framing used to store ppp is actually a fake ethernet > frame instead of a PPP frame ie DLT_EN10MB instead of > DLT_PPP.
Yes, that's the way Windows handles PPP - the NDISWAN driver turns received PPP packets into fake Ethernet packets, and turns fake Ethernet packets sent by other stuff in the networking stack into PPP packets. > Does ethereal understand PPP framing so that > I can simply dump the frames from my serial driver to > a file (with appropriate file format)? Yes, although if you're doing raw serial stuff, you need to choose the appropriate file format. pppdump format is probably best, if you're truly dumping *raw* serial data, i.e. what's going over the serial line. I'm not sure where the pppdump format is documented, other than in the comments in "wiretap/pppdump.c", but check that file out. Note that a "time_t" is a standard UNIX-style time_t, i.e. seconds since January 1, 1970, 00:00:00 GMT. The "time step" items are for time stamps, and represent tenths of a second since the last time_t in a "Reset time" record; "send data" and "received data" records hold the actual serial data - use both of those, so Ethereal knows in which direction the data is going. The numbers (time stamps, and byte counts) are big-endian, not little-endian (i.e., they're byte-swapped from the natural byte order on Windows).
