Wireshark Filters – PPPoE, DHCP & VLAN ID

Using Filters

Wireshark comes standard with some very good filters. Filtering the displayed packets allows you to focus on relevant information located within the capture.

In this post, I’m going to show you how to filter out DHCP exchanges, PPPoE exchanges and VLANs.

Setting the Filter

Click on the filter field to enter the filter options manually, or press the Expression button to start the Wireshark filter expression box. When you are unfamiliar with which protocols you want to filter on, the Expression window allows you to choose each dissector and how the filter is applied (equals, contains, matches, less than, greater than).

VLAN Tag ID

Filtering on a VLAN tag is really quite simple using Wireshark’s built-in dissector.

In the filter field, type in:

vlan.id == <put your vlan id here>

Press return to start the filtering process. Wireshark will then go through each packet in the capture file and display only those packets that match the criteria.

DHCP

Filtering for DHCP packets is also pretty easy in Wireshark.

In the filter field, type in:

bootp

Press return to start the filtering process.

PPPoE

PPPoE is a little trickier, because decoding the entire process involves several steps, from PADI through to IPCP negotiation.

In the filter field, type in:

pppoed or lcp or ipcp or pap or chap

Press return to start the filtering process.

This filter has several components that allow you to capture the entire PPPoE process from beginning to end.
The first part of the filter, pppoed, filters out the PADI, PADO, PADR & PADS exchange. The next part, lcp, covers the next step in the process: negotiating the MTU size, magic number and authentication protocol.

After the lcp negotiation is complete, the user is authenticated via PAP or CHAP. If you have a username or password issue in the modem or BRAS, this is where you will see the negotiation fail.

Once the user is authenticated, we can finally start the IP address negotiation. The ipcp filter will show you the IP address negotiation.

Now that the user is up and authenticated, you will see LCP Echoes between the modem and BRAS. Settings in the modem and BRAS will determine the frequency and size of the echo messages.

Keep in mind that the LCP echo process uses a single-ended state machine. What this means is that each end of the link, the modem and the BRAS, keeps track of its LCP echoes independently of the other. Whenever either end loses enough consecutive echoes (configurable on the BRAS), it will tear the link down using a PADT. This is a major difference between DHCP leases and PPPoE sessions: either end can tear down the connection. Once a DHCP server issues a lease, that lease is bound until timeout or until a DHCP release message is sent.
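To make concrete what the vlan.id filter above and the pppoed / lcp / ipcp / pap / chap filter actually test on the wire, here is a small added example of my own, not code from Wireshark or from the original post. It parses raw Ethernet frames the way the dissectors do: it pulls the 12-bit VLAN ID out of an 802.1Q tag, decodes the PPPoE discovery code (PADI, PADO, PADR, PADS, PADT) and, for PPPoE session frames, the PPP protocol number that distinguishes LCP, IPCP, PAP and CHAP. The sample frames are constructed inline; the MAC addresses, the session ID 0x1234 and the helper names are assumptions, not captured traffic, and the PADI omits the tags a real one carries.

```python
import struct

# EtherTypes (IEEE/IANA assigned values)
ETHERTYPE_VLAN = 0x8100             # 802.1Q tag
ETHERTYPE_PPPOE_DISCOVERY = 0x8863  # what Wireshark's "pppoed" matches
ETHERTYPE_PPPOE_SESSION = 0x8864    # carries PPP (lcp, ipcp, pap, chap, ...)
ETHERTYPE_ARP = 0x0806

# PPPoE discovery codes (RFC 2516) -> names Wireshark shows in the Info column
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR",
               0x65: "PADS", 0xA7: "PADT", 0x00: "Session"}

# PPP protocol numbers -> the dissector names used in the post's filter
PPP_PROTOCOLS = {0xC021: "lcp", 0x8021: "ipcp", 0xC023: "pap", 0xC223: "chap"}


def parse_frame(frame: bytes) -> dict:
    """Extract the fields that 'vlan.id', 'pppoed' and the PPP filters test."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI: this is vlan.id
        offset = 18
    info = {"vlan_id": vlan_id, "ethertype": ethertype,
            "pppoe_code": None, "session_id": None, "ppp_protocol": None}
    if ethertype in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        if len(frame) < offset + 6:
            raise ValueError("truncated PPPoE header")
        # PPPoE header: version/type, code, session ID, payload length
        _vertype, code, session_id, _length = struct.unpack("!BBHH", frame[offset:offset + 6])
        info["pppoe_code"] = PPPOE_CODES.get(code, "unknown(0x%02x)" % code)
        info["session_id"] = session_id
        offset += 6
        # Session frames carry the 2-byte PPP protocol field right after the header
        if ethertype == ETHERTYPE_PPPOE_SESSION and len(frame) >= offset + 2:
            proto = struct.unpack("!H", frame[offset:offset + 2])[0]
            info["ppp_protocol"] = PPP_PROTOCOLS.get(proto, "0x%04x" % proto)
    return info


def matches_vlan_filter(frame: bytes, vlan_id: int) -> bool:
    """Equivalent of the display filter 'vlan.id == <id>'."""
    return parse_frame(frame)["vlan_id"] == vlan_id


def matches_pppoe_filter(frame: bytes) -> bool:
    """Equivalent of 'pppoed or lcp or ipcp or pap or chap'."""
    info = parse_frame(frame)
    return (info["ethertype"] == ETHERTYPE_PPPOE_DISCOVERY
            or info["ppp_protocol"] in PPP_PROTOCOLS.values())


# --- constructed sample frames (assumed values, not captured traffic) --------
_DST = bytes.fromhex("ffffffffffff")   # assumption: broadcast destination
_SRC = bytes.fromhex("001122334455")   # assumption: placeholder modem MAC


def build_frame(ethertype: int, payload: bytes, vlan_id: int = None) -> bytes:
    hdr = _DST + _SRC
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def pppoe_header(code: int, session_id: int, payload: bytes = b"") -> bytes:
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload


SAMPLE_FRAMES = {
    # PADI from the modem on VLAN 7 (tags omitted for brevity)
    "padi": build_frame(ETHERTYPE_PPPOE_DISCOVERY, pppoe_header(0x09, 0), vlan_id=7),
    # LCP Echo-Request (code 9, id 1, length 8, 4-byte magic) in session 0x1234
    "lcp_echo": build_frame(ETHERTYPE_PPPOE_SESSION,
                            pppoe_header(0x00, 0x1234, struct.pack("!H", 0xC021)
                                         + bytes([9, 1, 0, 8]) + b"\xde\xad\xbe\xef"),
                            vlan_id=7),
    # PADT tearing session 0x1234 down
    "padt": build_frame(ETHERTYPE_PPPOE_DISCOVERY, pppoe_header(0xA7, 0x1234), vlan_id=7),
    # untagged ARP: matches neither filter
    "arp": build_frame(ETHERTYPE_ARP, b"\x00" * 28),
}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        info = parse_frame(frame)
        print(f"{name:9} vlan={info['vlan_id']} code={info['pppoe_code']} "
              f"ppp={info['ppp_protocol']} pppoe_filter={matches_pppoe_filter(frame)}")
```

Running the script prints one line per sample frame, roughly what Wireshark's columns would show with the two filters applied: the PADI, LCP echo and PADT match the PPPoE filter, the ARP frame does not, and only the three tagged frames match vlan.id == 7.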

Using Wireshark

If you don’t have Wireshark in your arsenal, download it now.

Wireshark.org

Wireshark, formerly Ethereal, has become the de facto standard for protocol analysis. It is open source, so anyone can build dissectors for any protocol. If you use proprietary protocols in your products, you can create your own dissector, so Wireshark will decode them just like any other standard protocol.

In a future post, I will show how to use Wireshark to look for packet loss in Microsoft Mediaroom flows without needing the encryption key.

Sample SecureCRT logon script in Python

Here is a very simple login script written in Python for SecureCRT.

# $language = "Python"
# $interface = "1.0"

### Basic Login Script
###############################################################################

def main():
    # 'crt' is the global object SecureCRT exposes to scripts. Synchronous mode
    # makes WaitForString block until the text actually arrives on screen.
    crt.Screen.Synchronous = True

    ###    Send login and wait for Password prompt
    # "ADMIN" and "PASSWORD" are placeholders: substitute your own credentials
    crt.Screen.Send("ADMIN\r")
    crt.Screen.WaitForString("word:")

    ###    Send the password
    crt.Screen.Send("PASSWORD\r")

main()

SecureCRT

The best terminal program you can use.

Supports both Telnet and SSH.

Scripting can be done in either Visual Basic Script or Python. These powerful languages allow for tight integration with files and other programs located on your computer.
I’ll post sample scripts in the future.

An old dog learns a new trick

They say necessity is the mother of invention. I had a large project at work these last few months. It involved gathering obscene amounts of data and then mashing it all together into a coherent human readable output.

The data itself wasn’t hard to obtain, but it was tedious and time consuming. FTP this file, merge with this other file, grep out the stuff I want, move the files some more, process again, etc, etc, etc.

Perl to the rescue!

Since I knew how to navigate all of the systems to obtain the data I needed, it seemed silly to waste time doing it manually (did I mention it was tedious?). I talked to one of the most respected programmers in the company and he suggested we start to automate everything we needed using Perl. Sounds great to me! What’s Perl? I’m not much of a programmer; I don’t think my brain works the same way that a computer does. I once took a Unix course back in the ’90s. I failed the course, because I couldn’t write the required shell script needed to pass it.

Since then, I’ve always considered myself as “programming impaired”. I’ve done some simple ProComm scripts over the years, but nothing fancy. This was way outside my comfort range, but it had to be done.

I went out and purchased “Perl for Dummies” while my developer was putting together the basic framework for me. Once I got the basic program, I took my book and ran with it.

I now have all of the data collection automated and have even gotten to a point where I can spit out reports and mail them to myself.

This basic framework was then sent to some of our professional developers in order to scale it to tens of thousands of nodes. My basic program was converted to Python (as that is their preferred programming language) and is now being deployed by a Tier 1 telecommunications carrier.

See, an old dog CAN learn new tricks!

DSL Chipset Exploit

In all my years of working with DSL, this is only the second time I’ve seen a consumer modem exploited. Surprisingly, this does not happen more often. These SoCs (Systems on a Chip) are asked to do a lot nowadays, so it’s not surprising someone has exploited them.

Be vigilant with your network traffic.

How I Became Known as The Tick

My boss, who I have worked for longer than anyone else in my career, was attempting to bestow upon the crowd at our annual Sales Meeting the virtues of my performance the previous year. He used the analogy that my troubleshooting skills were like those of a tick, who burrows into the skin in search of blood: I never stop until I find the root cause of an issue. My coworkers, who show no mercy, immediately latched onto the idea. I decided to own it, and now I am affectionately known as The Tick.

This is my blog.