Subject: libpcap filter issue with ppp device
To: None <thorpej@netbsd.org>
From: None <itojun@iijlab.net>
List: tech-net
Date: 07/25/1999 09:09:49
	Sorry that there is confusion about libpcap (packet detection at
	pppd for automatic dialup).  Now I found the source of the problem
	but I don't really know how to fix it.

	The source of the problem is that the bpf link layer encapsulation
	type code was changed from DLT_PPP to DLT_NULL, in sys/net/if_ppp.c,
	between 1.51 and 1.52.


	Prior to the sys/net/if_ppp.c change between 1.51 and 1.52,
	a ppp packet is encapsulated like this:

>02:20:36.394693 I   88 03 0021: 210.160.95.109 > 210.160.95.108: icmp: echo reply
>                         4500 0054 3ba7 0000 4001 dae7 d2a0 5f6d
>                         d2a0 5f6c 0000 1c59 58af 002f e4f5 9937
>                         1f98 0200 0809 0a0b 0c0d 0e0f 1011 1213
>                         1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
>                         2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
>                         3435 3637

	The data bytes tossed up to userland as layer 2 header are,
	in this case,
		ff 03 00 21
	"0021" equals PPP_IP, which means that this is an IPv4 packet.
	The bpf encapsulation type was DLT_PPP.

	After 1.52, the bpf encapsulation type is changed to DLT_NULL.
	Therefore, tcpdump cannot check if it is based on ppp encapsulation
	or not.

>15:31:45.478753 ff 03 88 146.164.63.4 > 146.164.64.56: icmp: echo reply
>                         4500 0054 27ae 0000 fe01 f075 92a4 3f04
>                         92a4 4038 0000 ee70 0783 0007 9106 9a37
>                         efc3 0400 0809 0a0b 0c0d 0e0f 1011 1213
>                         1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
>                         2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
>                         3435 3637

	Now tcpdump does not see the ppp encapsulation part properly.
	Some of the ppp encapsulation bytes may be flipped as well, but I'm
	not sure about it yet.


	The problem did not become apparent prior to the IPv6 fix to libpcap,
	because no part of the libpcap code checked the ppp encapsulation part
	for protocol type.  Now, libpcap checks the ppp encapsulation part to
	check if it is IPv4 or IPv6, and now the problem becomes apparent.


	Solutions:
	If we need to keep the ppp device's bpf encapsulation type as DLT_NULL,
	we need to encapsulate the tapped packet like the loopback interface
	does in if_ppp.c.  The current code has an inconsistency between the
	bpf encap type and the actual encapsulation.

>                struct mbuf m0;
>                u_int af = dst->sa_family;
>                m0.m_next = m;
>                m0.m_len = 4;
>                m0.m_data = (char *)&af;

	If we change the bpf encapsulation type to DLT_PPP, I believe the
	problem goes away.

itojun
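
The mismatch described in the message, as an added example that is not part of the original message and is not libpcap or kernel code: a reader that trusts the declared DLT finds IPv4 in the bytes `ff 03 00 21` only when the type is DLT_PPP, while under DLT_NULL it needs the 4-byte address family that the loopback-style tap prepends. The names `classify`, `classify_null_encap` and `SAMPLE_PPP_HDR` are hypothetical, and the DLT and PPP constants are defined locally so the block builds without pcap headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>            /* AF_INET, AF_INET6 */

#define DLT_NULL 0                 /* values as defined in net/bpf.h */
#define DLT_PPP  9
#define PPP_IP   0x0021
#define PPP_IPV6 0x0057

enum l3 { L3_UNKNOWN = 0, L3_IPV4 = 4, L3_IPV6 = 6 };

/* Constructed sample: the link header bytes quoted in the message. */
static const unsigned char SAMPLE_PPP_HDR[4] = { 0xff, 0x03, 0x00, 0x21 };

/* Pick the network protocol from a 4-byte link header, trusting the DLT. */
enum l3 classify(int dlt, const unsigned char *hdr, size_t len)
{
    if (hdr == NULL || len < 4)
        return L3_UNKNOWN;
    if (dlt == DLT_PPP) {          /* address, control, big-endian protocol */
        uint16_t proto = (uint16_t)((hdr[2] << 8) | hdr[3]);
        return proto == PPP_IP ? L3_IPV4 : proto == PPP_IPV6 ? L3_IPV6 : L3_UNKNOWN;
    }
    if (dlt == DLT_NULL) {         /* 4-byte address family, host byte order */
        uint32_t af;
        memcpy(&af, hdr, sizeof af);
        return af == (uint32_t)AF_INET ? L3_IPV4
             : af == (uint32_t)AF_INET6 ? L3_IPV6 : L3_UNKNOWN;
    }
    return L3_UNKNOWN;
}

/* What a DLT_NULL tap should prepend: the address family, as loopback does. */
enum l3 classify_null_encap(uint32_t af)
{
    unsigned char hdr[4];
    memcpy(hdr, &af, sizeof hdr);
    return classify(DLT_NULL, hdr, sizeof hdr);
}

int main(void)
{
    printf("PPP bytes read as DLT_PPP:  %d\n", classify(DLT_PPP, SAMPLE_PPP_HDR, 4));
    printf("PPP bytes read as DLT_NULL: %d\n", classify(DLT_NULL, SAMPLE_PPP_HDR, 4));
    printf("AF header read as DLT_NULL: %d\n", classify_null_encap(AF_INET));
    return 0;
}
```

A return of 0 means the protocol could not be determined, which is the case when PPP header bytes are handed up under DLT_NULL.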