Blog Archives

Protected: Using Wireshark to Identify Packet Loss on Mediaroom IGMP Flows

This content is password protected. To view it please enter your password below:

Wireshark Filters – PPPoE, DHCP & VLAN ID

Using Filters

Wireshark comes standard with some very good filters. Filtering the displayed packets allows you to focus on relevant information located within the capture.

In this post, I’m going to show you how to filter out DHCP exchanges, PPPoE exchanges and VLAN’s.

Setting the Filter

Click on the filter field to enter the filter options manually, or press the Expression button to start the Wireshark filter expression box. When you are unfamiliar with which protocols you want to filter on, the Expression window allows you to choose each dissector and how the filter is applied (equals, contains, matches, less than, greater than).

VLAN Tag ID

Filtering on a VLAN tag is really quite simple using Wireshark’s built in dissector.

In the filter field, type in:

vlan.id == <put your vlan id here>

Press return to start the filtering process. Wireshark will then go through each packet in the capture file and display only those packets that match the criteria.

DHCP

Filtering for DHCP packets is pretty easy in Wireshark also.

In the filter field, type in:

bootp

Press return to start the filtering process.

PPPoE

PPPoE is a little trickier to decode the entire process, as there are several steps in the process from PADI to IPCP negotitation.

In the filter field, type in:

pppoed or lcp or ipcp or pap or chap

Press return to start the filtering process.

This filter has several components that allow you to capture the entire PPPoE process from beginning to end.
The first part of the filter, pppoed, filters out the PADI, PADO, PADR & PADS exchange. The next step, lcp,  in the process is to negotiate the MTU size, magic number and authentication protocol.

After the lcp negotiation is complete, the user is authenticated via PAP or CHAP. If you have a username or password issue in the modem or BRAS, this is where you will see the negotiation fail.

Once the user is authenticated, we can finally start the IP address negotiation. The ipcp filter will show you the IP address negotiation.

Now that the user is up and authenticated, you will see LCP Echoes between the modem and BRAS. Settings in the modem and BRAS will determine the frequency and size of the echo messages.

Keep in mind that the LCP echo process uses a single ended state machine. What this means is that each end of the link, the modem and the BRAS, keep track of their LCP echoes independently of each other. Whenever either end loses enough consecutive echoes (configurable on the BRAS), it will tear the link down using a PADT. This is a major difference between DHCP leases and PPPoE sessions, either end can tear down the connection. Once a DHCP server issues a lease, that lease is bound until timeout or a DHCP release message is sent.

Using Wireshark

If you don’t have Wireshark in your arsenal, download it now.

Wireshark.org

Wireshark, formerly ethereal, has become the defacto standard for protocol analysis. It is open source, so anyone can build dissectors for any protocol. If you use proprietary protocols in your products, you can create your own dissector, so Wireshark will decode just like any other standard protocol.

In a future post, I will show how to use Wireshark to look for packet loss in Microsoft Mediaroom flows without needing the encryption key.