On Thu, 27 Mar 2003, Guy Harris wrote:

> Date: Thu, 27 Mar 2003 12:07:00 -0800
> From: Guy Harris <[EMAIL PROTECTED]>
> To: Larry Platzek <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: [tcpdump-workers] multicast & icmp packet printing
>
> On Thu, Mar 27, 2003 at 07:05:45AM -0800, Larry Platzek wrote:
> > > On Wed, Mar 19, 2003 at 02:44:23PM -0800, Larry Platzek wrote:
> > > > tcpdump -i ppp0 'ether[0] & 1 != 0'
> > > > This shows the multicast packets.
> > >
> > > ppp0? What's the definition of a "multicast packet" over PPP?
> >
> > Not really sure but anything from 224.???.???.???.
>
> That's an IP multicast, but there's no such thing as a multicast at the
> PPP level (that's what the first two "P"s in "PPP" imply).
>
> Your capture was done on Linux; given various suckages in the way
> PF_PACKET and PPP on Linux work together, it's done in "cooked mode",
> which means that the first 2 bytes of the link-layer header are an
> indication of the direction in which the packet was sent - 0 if
> received, 4 if sent.
>
> The first of those bytes is always 0, as the direction field is in host
> byte order; "ether[0]" tests the first byte of the link-layer header
> (regardless of whether it's an Ethernet header or not), and thus,
> testing whether the bottommost bit of that byte is non-zero will match
> *NO* packets - and, in fact, if I do
>
> tcpdump -n -r tcpdmp2.log 'ether[0] & 1 != 0'
>
> on your capture, no packets show up.
>
> "ether[0] & 1 != 0" would, *in an Ethernet capture*, test for
> multicast/broadcast packets. On a PPP capture, however, it would do no
> such thing - and, as there's no notion of a multicast or broadcast
> packet at the PPP layer, there is no test you can do, on a PPP link, to
> find multicast packets at the link layer. You'd have to check for
> multicast IP addresses.
Thank you, Guy! I like getting an answer, PLUS the why!

I tried using 'ip[16]=224', which seems to work; I also tried 'ip multicast', and that seems to work. Is one method better than the other?

I think the expression I want is 'ip multicast or icmp[0]=8 or icmp[0]=0'; this seems to be working for tcpdump. I need to take the expression and place it on pppd's active-filter statement to allow idle timeout to happen. The ip multicast does work as long as icmp echo requests and echo replies are not sent. I would be happy for an answer to make pppd work correctly, but I know that this is off topic for this list.

Larry Platzek [EMAIL PROTECTED]

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
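The three filter expressions traded in this thread, run over constructed frames so the difference is visible without a capture file. This is an added example written for this page, not code from the thread, from tcpdump or from libpcap. It hand-implements the byte tests that pcap-filter(7) defines for `ether[0]`, `ip[16]` and `icmp[0]`, builds one Ethernet frame and several Linux cooked-mode (DLT_LINUX_SLL) frames as a stand-in for a `ppp0` capture on Linux, leaves checksums at zero, and takes the 16-byte cooked header layout (2-byte packet type first, stored in network byte order) from libpcap's link-layer header documentation. It also assumes, as `tcpdump -d 'ip multicast'` shows, that libpcap compiles `ip multicast` to `ip[16] >= 224`, so it is broader than `ip[16] = 224`, which only catches 224.0.0.0/8.

```python
"""BPF filter expressions from the thread, re-implemented over constructed
Ethernet and Linux cooked (DLT_LINUX_SLL) frames.  Added example, not
code from the original posts.  Offsets follow pcap-filter(7): ether[0] is
byte 0 of whatever link-layer header is present, ip[16] is the first byte
of the IPv4 destination address, icmp[0] is the ICMP type."""
import struct

ETH_HDR_LEN = 14       # DLT_EN10MB
SLL_HDR_LEN = 16       # DLT_LINUX_SLL, what Linux gives you for ppp0
ETHERTYPE_IP = 0x0800
IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ARPHRD_PPP = 512       # assumed ARPHRD value for the cooked header


def ipv4_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, zero checksum) + payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src_b, dst_b) + payload


def icmp_msg(icmp_type, code=0):
    """ICMP header: type, code, checksum (zero), identifier, sequence."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1)


def eth_frame(dst_mac, ip_pkt):
    """Ethernet II frame; dst_mac like '01:00:5e:00:00:01'."""
    src_mac = bytes.fromhex("00 11 22 33 44 55")
    return (bytes.fromhex(dst_mac.replace(":", "")) + src_mac
            + struct.pack("!H", ETHERTYPE_IP) + ip_pkt)


def sll_frame(pkttype, ip_pkt):
    """Linux cooked header: packet type (0 = received, 4 = sent by us),
    ARPHRD type, address length, 8 address bytes, protocol.  The packet
    type is 0..4 in a 2-byte field, so its first byte is always 0."""
    return struct.pack("!HHH8sH", pkttype, ARPHRD_PPP, 0, bytes(8),
                       ETHERTYPE_IP) + ip_pkt


def ip_payload(linktype, frame):
    """The IPv4 packet in the frame, or None (the 'ip' qualifier)."""
    hlen = ETH_HDR_LEN if linktype == "EN10MB" else SLL_HDR_LEN
    (ethertype,) = struct.unpack("!H", frame[hlen - 2:hlen])
    return frame[hlen:] if ethertype == ETHERTYPE_IP else None


def f_ether0_lowbit(linktype, frame):
    """'ether[0] & 1 != 0': the group bit of an Ethernet destination MAC.
    On a cooked capture byte 0 is the high byte of the packet type."""
    return (frame[0] & 1) != 0


def f_ip16_eq_224(linktype, frame):
    """'ip[16] = 224': only 224.0.0.0/8, not the whole multicast range."""
    ip = ip_payload(linktype, frame)
    return ip is not None and ip[16] == 224


def f_ip_multicast(linktype, frame):
    """'ip multicast' as libpcap compiles it: ip[16] >= 224."""
    ip = ip_payload(linktype, frame)
    return ip is not None and ip[16] >= 224


def f_icmp_echo(linktype, frame):
    """'icmp[0] = 8 or icmp[0] = 0': icmp[0] is relative to the ICMP
    header, so the IP header length is honoured."""
    ip = ip_payload(linktype, frame)
    if ip is None or ip[9] != IPPROTO_ICMP:
        return False
    ihl = (ip[0] & 0x0F) * 4
    return ip[ihl] in (8, 0)


def f_combined(linktype, frame):
    """'ip multicast or icmp[0]=8 or icmp[0]=0', the thread's candidate."""
    return f_ip_multicast(linktype, frame) or f_icmp_echo(linktype, frame)


FILTERS = {"ether[0] & 1 != 0": f_ether0_lowbit, "ip[16] = 224": f_ip16_eq_224,
           "ip multicast": f_ip_multicast, "icmp echo req/reply": f_icmp_echo,
           "combined": f_combined}

# Constructed sample traffic: one Ethernet frame, the rest cooked-mode ppp0.
_MCAST_224 = ipv4_packet("10.0.0.2", "224.0.0.1", IPPROTO_UDP, bytes(8))
_MCAST_230 = ipv4_packet("10.0.0.2", "230.1.2.3", IPPROTO_UDP, bytes(8))
_ECHO_REQ = ipv4_packet("10.0.0.2", "192.0.2.1", IPPROTO_ICMP, icmp_msg(8))
_ECHO_REP = ipv4_packet("192.0.2.1", "10.0.0.2", IPPROTO_ICMP, icmp_msg(0))
_UNREACH = ipv4_packet("192.0.2.1", "10.0.0.2", IPPROTO_ICMP, icmp_msg(3, 1))
_UNICAST = ipv4_packet("10.0.0.2", "192.0.2.1", IPPROTO_UDP, bytes(8))
SAMPLES = {
    "eth  -> 224.0.0.1": ("EN10MB", eth_frame("01:00:5e:00:00:01", _MCAST_224)),
    "ppp0 -> 224.0.0.1": ("LINUX_SLL", sll_frame(4, _MCAST_224)),
    "ppp0 -> 230.1.2.3": ("LINUX_SLL", sll_frame(4, _MCAST_230)),
    "ppp0 echo request": ("LINUX_SLL", sll_frame(4, _ECHO_REQ)),
    "ppp0 echo reply":   ("LINUX_SLL", sll_frame(0, _ECHO_REP)),
    "ppp0 dest unreach": ("LINUX_SLL", sll_frame(0, _UNREACH)),
    "ppp0 unicast udp":  ("LINUX_SLL", sll_frame(4, _UNICAST)),
}


def run_filters():
    """Apply every filter to every sample; returns {sample: {filter: bool}}."""
    return {name: {fname: fn(lt, fr) for fname, fn in FILTERS.items()}
            for name, (lt, fr) in SAMPLES.items()}


if __name__ == "__main__":
    for sample, hits in run_filters().items():
        matched = [f for f, ok in hits.items() if ok] or ["(none)"]
        print(f"{sample:20s} matches: {', '.join(matched)}")
```

Running it shows the point of Guy's reply: `ether[0] & 1 != 0` matches the Ethernet frame to 01:00:5e:00:00:01 and none of the cooked-mode frames, whatever their IP destination. It also answers the "is one better" question: `ip[16] = 224` misses 230.1.2.3, `ip multicast` catches everything from 224 upward, so the latter is the one to keep. One caveat for the pppd step, which is outside this list's scope: pppd's active-filter names the packets that count as link activity and reset the idle timer, so to let the link idle out despite multicast and pings the expression that goes there is the negation, `not (ip multicast or icmp[0]=8 or icmp[0]=0)`.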
