Possibly because of this problem. Mailed to linux-net and linux-ppp,
not one response :(. I have tried tracking it down myself but I do not
understand how packets are fed from kernel to tcpdump.

From: Keith Owens <kaos@ocs.com.au>
To: linux-ppp@vger.rutgers.edu, linux-net@vger.rutgers.edu
Subject: tcpdump expects PPP protocol number, missing
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 02 Feb 1997 19:02:57 +1100
Sender: root@ocs4.ocs_net

Linux 2.0.24, ppp 2.2.0f, tcpdump 3.3 (the official Linux version).
"tcpdump -nl -ippp0" works fine and dumps everything coming down the
link. "tcpdump -nl -ippp0 select" shows nothing, for any select value
including ip, icmp, tcp, udp, host a.b.c.d etc. This is not a new
problem, I've seen it since 1.3.54 at tcpdump 3.2 (at least) and it is
still in 2.1.24, I just got annoyed enough to go hunting.
The problem is the tcpdump generated filter code expects the PPP
packets to have a 4 byte encapsulation with x'0021' in bytes 2-3.
kdebug shows incoming packets are fine, 'FF 03 00 21 45 00 00 54',
exactly what tcpdump expects. However by the time the packet gets to
tcpdump, the first 4 bytes are zero, '00 00 00 00 45 00 00 54' instead.
tcpdump only checks for the protocol if you add a selection to the
command so a full dump of ppp works fine.
Why are the ppp encapsulation bytes zeroed before passing to tcpdump?
Ethernet 10 encapsulation is passed correctly and "tcpdump -nl -ieth0
select" works.