Discussion:
How to decode nested l2tp traffic?
Joan
2014-05-22 16:31:51 UTC
I am trying to extract the data transmitted into an L2TP tunnel. I am
running tshark/tcpdump on the tunnel terminator. What I am using so far is
this (4291 is the tunnel number):
tcpdump -n -i eth3.800 "udp port 1701 && udp[8:2] & 0x80ff == 0x0002 && udp[10:2] == 4291"

I took the filter line from here
http://networkingbodges.blogspot.com.es/2012/11/tshark-one-liners.html

The problem is that I would like to inspect the traffic inside the tunnel,
but I couldn't find a reference on this.

Any clues?
Patrick Klos
2014-05-22 18:13:04 UTC
Post by Joan
I am trying to extract the data transmitted into an L2TP tunnel. I am
running tshark/tcpdump on the tunnel terminator. What I am using so
tcpdump -n -i eth3.800 "udp port 1701 && udp[8:2] & 0x80ff == 0x0002 && udp[10:2] == 4291"
I took the filter line from here
http://networkingbodges.blogspot.com.es/2012/11/tshark-one-liners.html
The problem is that I would like to inspect the traffic inside the
tunnel, but I couldn't find a reference on this.
Any clues?
Can you share a pcap file? I could run it through PacketView (which
de-tunnels L2TP) and see if it helps??

Patrick Klos
Klos Technologies, Inc.

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Joan
2014-05-22 20:47:40 UTC
Unfortunately there is private data in that stream, so I can't share it.
Other than the software you mention, is there any other way to unwrap
the L2TP traffic?
Post by Patrick Klos
Post by Joan
I am trying to extract the data transmitted into an L2TP tunnel. I am
running tshark/tcpdump on the tunnel terminator. What I am using so far is
tcpdump -n -i eth3.800 "udp port 1701 && udp[8:2] & 0x80ff == 0x0002 && udp[10:2] == 4291"
I took the filter line from here
http://networkingbodges.blogspot.com.es/2012/11/tshark-one-liners.html
The problem is that I would like to inspect the traffic inside the
tunnel, but I couldn't find a reference on this.
Any clues?
Can you share a pcap file? I could run it through PacketView (which
de-tunnels L2TP) and see if it helps??
Patrick Klos
Klos Technologies, Inc.
Guy Harris
2014-05-22 22:40:48 UTC
tcpdump -n -i eth3.800 "udp port 1701 && udp[8:2] & 0x80ff == 0x0002 && udp[10:2] == 4291"
I took the filter line from here http://networkingbodges.blogspot.com.es/2012/11/tshark-one-liners.html
The problem is that I would like to inspect the traffic inside the tunnel
"Inspect" in what sense? Wireshark *should* be able to dissect the traffic inside the tunnel; is it not doing so, or do you want to inspect it with some other tool?
Joan
2014-05-23 11:03:08 UTC
Basically, what I'd like to have would be a pcap with the uncapsulated
traffic, so I can further inspect the contents; there's PPPoE and others.
Best would be to do it in real time, but offline would suffice for me too.
Post by Joan
Post by Joan
I am trying to extract the data transmitted into an L2TP tunnel. I am
running tshark/tcpdump on the tunnel terminator. What I am using so far is
Post by Joan
tcpdump -n -i eth3.800 "udp port 1701 && udp[8:2] & 0x80ff == 0x0002
&& udp[10:2] == 4291"
Post by Joan
I took the filter line from here
http://networkingbodges.blogspot.com.es/2012/11/tshark-one-liners.html
Post by Joan
The problem is that I would like to inspect the traffic inside the tunnel
"Inspect" in what sense? Wireshark *should* be able to dissect the
traffic inside the tunnel; is it not doing so, or do you want to inspect it
with some other tool?
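Added example, not part of the original thread: a minimal L2TPv2 (RFC 2661) data-message decapsulator in Python that strips the L2TP and PPP headers from a UDP port 1701 payload and returns the inner packet. It also handles the case the capture filter above does not: when the header's L bit is set, a 2-byte Length field precedes the Tunnel ID, so `udp[10:2]` holds the length rather than the tunnel number. The function names and sample byte strings are constructed for illustration.

```python
import struct

PPP_IPV4, PPP_IPV6 = 0x0021, 0x0057           # PPP protocol numbers

def parse_l2tpv2(payload: bytes):
    """Parse an L2TPv2 header from a UDP payload; None if not v2 or truncated."""
    try:
        (flags,) = struct.unpack_from("!H", payload, 0)
        if flags & 0x000F != 2:               # version nibble must be 2
            return None
        off = 4 if flags & 0x4000 else 2      # L bit: Length precedes Tunnel ID
        tunnel_id, session_id = struct.unpack_from("!HH", payload, off)
        off += 4
        if flags & 0x0800:                    # S bit: Ns and Nr present
            off += 4
        if flags & 0x0200:                    # O bit: Offset Size, then padding
            off += 2 + struct.unpack_from("!H", payload, off)[0]
    except struct.error:                      # header runs past end of payload
        return None
    if off > len(payload):
        return None
    return {"control": bool(flags & 0x8000), "tunnel_id": tunnel_id,
            "session_id": session_id, "payload_offset": off}

def inner_packet(payload: bytes, tunnel_id=None):
    """Return (ppp_protocol, inner_bytes) for an L2TPv2 data message, else None."""
    hdr = parse_l2tpv2(payload)
    if hdr is None or hdr["control"]:
        return None
    if tunnel_id is not None and hdr["tunnel_id"] != tunnel_id:
        return None
    ppp = payload[hdr["payload_offset"]:]
    if ppp[:2] == b"\xff\x03":                # PPP address/control (absent with ACFC)
        ppp = ppp[2:]
    if not ppp:
        return None
    if ppp[0] & 1:                            # one-byte protocol field (PFC)
        return ppp[0], ppp[1:]
    if len(ppp) < 2:
        return None
    return struct.unpack_from("!H", ppp)[0], ppp[2:]

# Constructed samples: a 20-byte IPv4 header carried in tunnel 4291 (0x10c3).
INNER = bytes.fromhex("450000140000400040010000" "0a000001" "0a000002")
SAMPLE_PLAIN = bytes.fromhex("0002" "10c3" "0001" "ff03" "0021") + INNER
SAMPLE_LEN = bytes.fromhex("4002" "001e" "10c3" "0001" "0021") + INNER   # L bit set
SAMPLE_CTRL = bytes.fromhex("c802" "000c" "10c3" "0000" "0000" "0000")   # control msg
```

Inner payloads whose PPP protocol is `PPP_IPV4` or `PPP_IPV6` are bare IP packets and can be written to a new capture file using a raw-IP link type.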