pppoe

Jenkinson, John P (SAIC) John.Jenkinson at bp.com
Sat Aug 8 17:23:23 EDT 2009


indeed
snort sees IP traffic as well
11:25:37.627842 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.671919 PPPoE  [ses 0x45a8] IP 209.165.189.18.cpudpencap > 66.230.109.38.49339: UDP, length 76
    0x0000:  1100 45a8 006a 0021 4500 0068 4296 0000  ..E..j.!E..hB...
    0x0010:  f311 462a d1a5 bd12 42e6 6d26 0aba c0bb  ..F*....B.m&....
    0x0020:  0054 6092 b2e5 9363 0000 0386 117c dbdd  .T`....c.....|..
    0x0030:  3ff2 0eb5 3010 484d 6fdf 742b f855 54fb  ?...0.HMo.t+.UT.
    0x0040:  fa61 c28a 9e95 1491 47b7 07aa 436a 3a7b  .a......G...Cj:{
    0x0050:  15ff e1d0 3a53 8cd3 a3c4 7aab a390 334c  ....:S....z...3L
    0x0060:  2916 703d 43f6 025a b40b f4af 6fce 7b23  ).p=C..Z....o.{#
11:25:37.867119 PPPoE  [ses 0x45a8] IP 66.230.109.38.49339 > 209.165.189.18.cpudpencap: UDP, length 76
    0x0000:  1100 45a8 006a 0021 4500 0068 faff 0000  ..E..j.!E..h....
    0x0010:  fe11 82c0 42e6 6d26 d1a5 bd12 c0bb 0aba  ....B.m&........
    0x0020:  0054 d49e f785 2c4e 0000 03e1 1705 3dff  .T....,N......=.
    0x0030:  e97d 0407 99df 4ea7 a8e6 e600 5459 665b  .}....N.....TYf[
    0x0040:  dd44 017e 59fd 7f04 2ace 9575 3858 6102  .D.~Y...*..u8Xa.
    0x0050:  436b 5b12 a9e2 47b1 203c 97eb bbb8 667b  Ck[...G..<....f{
    0x0060:  270d 5a0d 7e85 9d84 1569 7117 b53f 2f56  '.Z.~....iq..?/V
11:25:37.879878 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.885767 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.889949 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.942936 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.942993 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:37.966815 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.231954 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.234886 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.248917 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.254834 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.255817 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.314921 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.317910 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.477834 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.671967 PPPoE  [ses 0x45a8] IP 209.165.189.18.cpudpencap > 66.230.109.38.49339: UDP, length 76
    0x0000:  1100 45a8 006a 0021 4500 0068 4297 0000  ..E..j.!E..hB...
    0x0010:  f311 4629 d1a5 bd12 42e6 6d26 0aba c0bb  ..F)....B.m&....
    0x0020:  0054 826a b2e5 9363 0000 0387 a390 334c  .T.j...c......3L
    0x0030:  2916 703d 5ae0 2267 b873 cce9 5e01 ccc2  ).p=Z."g.s..^...
    0x0040:  e740 cc8d 4b81 15c9 700f c279 784b b3c5  .@..K...p..yxK..
    0x0050:  415a d19c 0195 1c68 d587 5152 14c4 c007  AZ.....h..QR....
    0x0060:  c1f3 863e 2235 41ef d184 1c7b 9693 b9ff  ...>"5A....{....
11:25:38.681840 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
11:25:38.867112 PPPoE  [ses 0x45a8] IP 66.230.109.38.49339 > 209.165.189.18.cpudpencap: UDP, length 76
    0x0000:  1100 45a8 006a 0021 4500 0068 fb00 0000  ..E..j.!E..h....
    0x0010:  fe11 82bf 42e6 6d26 d1a5 bd12 c0bb 0aba  ....B.m&........
    0x0020:  0054 4130 f785 2c4e 0000 03e2 bbb8 667b  .TA0..,N......f{
    0x0030:  270d 5a0d 2d8b b4ab 86bb cd63 ccde 4c11  '.Z.-......c..L.
    0x0040:  004b b0b5 9391 7951 59cd a3b7 c16f 42ab  .K....yQY....oB.
    0x0050:  426a 5b8c a80c a321 8e96 67b2 766b 3e68  Bj[....!..g.vk>h
    0x0060:  20a7 1dab c84b a9f2 d784 36f3 ce72 b84f  .....K....6..r.O
11:25:38.899871 PPPoE PADI [Host-Uniq 0x10046100] [Service-Name]
    0x0000:  1109 0000 000c 0103 0004 1004 6100 0101  ............a...
    0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............



From: CS Lee [mailto:geek00l at gmail.com]
Sent: Saturday, August 08, 2009 11:02 AM
To: Jenkinson, John P (SAIC)
Subject: Re: pppoe

hi Jenkinson,

To verify if you are seeing IP traffic (which it should), kindly run tcpdump and see if you see IP traffic.

On Sun, Aug 9, 2009 at 2:41 AM, Jenkinson, John P (SAIC) <John.Jenkinson at bp.com> wrote:

    indeed


    -----Original Message-----
    From: CS Lee [mailto:geek00l at gmail.com]
    Sent: Sat 8/8/2009 10:05 AM
    To: Jenkinson, John P (SAIC)
    Subject: Re: pppoe

    hi Jenkinson,

    Can you visualize your setup? When you say tap you mean inline tap?

    PPPOE modem ------------ Tap --------------- Network Switch

    Is your setup something like this? And you have the argus box connected to the Tap, listening to the traffic?


    On Sun, Aug 9, 2009 at 1:37 AM, Jenkinson, John P (SAIC) <John.Jenkinson at bp.com> wrote:


           the network switch dials and does the pppoe authentication.
           argus and argus clients are the latest V3 betas as of yesterday from Carter's site.
           the tap feeds the output to a hub/switch and one output of that switch goes to the argus box.
           next step is to add another interface to the argus box, bond the two tap interfaces together and get the hub/switch
           out of the configuration.

    ________________________________

                   From: CS Lee [mailto:geek00l at gmail.com]

           Sent: Saturday, August 08, 2009 9:29 AM

           To: Jenkinson, John P (SAIC)

           Subject: Re: pppoe


           hi Jenkinson,

           Do you use your linux box to dial the modem, or just have the tap in between modem and the dialer, and having the argus box connected to the tap?


           On Sun, Aug 9, 2009 at 12:56 AM, Jenkinson, John P (SAIC) <John.Jenkinson at bp.com> wrote:


                   of course

                   command line
                   /usr/local/sbin/argus -d -i eth1  -m -w /home/netlogs/argus/argus.log &


                   the machine is fedora 11
                   eth1 is a readonly (ip 0.0.0.0) configured up connected to a finstar ethernet tap.
                   the tap is inline from the output of the DSL modem to the network switch feeding the rest of the machines at the location


    ________________________________


-----Original Message-----
From: argus-info-bounces+john.jenkinson=bp.com at lists.andrew.cmu.edu on behalf of Carter Bullard
Sent: Sat 8/8/2009 1:14 PM
To: Jenkinson, John P (SAIC)
Cc: Argus; CS Lee
Subject: Re: [ARGUS] pppoe
 
Hey John, CS Lee,
Having problems?
Carter

On Aug 8, 2009, at 12:56 PM, Jenkinson, John P (SAIC) wrote:


	of course
	
	command line
	/usr/local/sbin/argus -d -i eth1  -m -w /home/netlogs/argus/argus.log &
	
	
	the machine is fedora 11
	eth1 is a readonly (ip 0.0.0.0) configured up connected to a finstar ethernet tap.
	the tap is inline from the output of the DSL modem to the network switch feeding the rest of the machines at the location
	

________________________________

	From: CS Lee [mailto:geek00l at gmail.com] 
	Sent: Saturday, August 08, 2009 8:20 AM
	To: Jenkinson, John P (SAIC)
	Cc: Argus
	Subject: pppoe
	
	
	hey John,
	
	What's your argus command line? And which interface are you running it on? 
	
	-- 
	Best Regards,
	
	CS Lee<geek00L[at]gmail.com>
	
	http://geek00l.blogspot.com
	http://defcraft.net
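
The tcpdump output at the top of this message shows two PPPoE frame types on the tap: discovery (PADI) and session frames carrying IP behind an 8-byte PPPoE plus PPP header. The following is an added example, not code from the thread or from argus; it decodes both layouts from bytes copied out of that hex output, and its function names are illustrative.

```python
import struct

# Constructed input: bytes re-typed from the tcpdump hex output in this thread.
# PADI is padded with zeros to the 46 bytes shown; SESSION is the first 28 bytes only.
PADI = bytes.fromhex("11090000000c010300041004610001010000") + bytes(28)
SESSION = bytes.fromhex("110045a8006a00214500006842960000f311462ad1a5bd1242e66d26")

CODES = {0x00: "SESSION", 0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0103: "Host-Uniq"}  # RFC 2516 tag types seen in the capture

def parse_tags(body):
    """Walk the TLV tags of a discovery packet, refusing lengths that overrun the payload."""
    tags, off = [], 0
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack_from("!HH", body, off)
        if off + 4 + tlen > len(body):
            raise ValueError("tag length overruns PPPoE payload")
        tags.append((TAGS.get(ttype, hex(ttype)), body[off + 4:off + 4 + tlen].hex()))
        off += 4 + tlen
    return tags

def parse_ppp(body):
    """Decode the 2-byte PPP protocol field and, for IPv4 (0x0021), the address pair."""
    if len(body) < 2:
        raise ValueError("truncated PPP header")
    (proto,) = struct.unpack_from("!H", body)
    out = {"ppp_proto": proto}
    ip = body[2:]
    if proto == 0x0021 and len(ip) >= 20 and ip[0] >> 4 == 4:
        out.update(ip_proto=ip[9],
                   src=".".join(map(str, ip[12:16])),
                   dst=".".join(map(str, ip[16:20])))
    return out

def parse_pppoe(frame):
    """Parse the payload of an Ethernet frame with ethertype 0x8863/0x8864."""
    if len(frame) < 6:
        raise ValueError("truncated PPPoE header")
    vt, code, session, length = struct.unpack_from("!BBHH", frame)
    if vt != 0x11:
        raise ValueError("unexpected PPPoE version/type")
    body = frame[6:6 + length]  # the length field excludes Ethernet padding
    info = {"code": CODES.get(code, hex(code)), "session": session, "length": length}
    info.update(parse_ppp(body) if code == 0x00 else {"tags": parse_tags(body)})
    return info

if __name__ == "__main__":
    for pkt in (PADI, SESSION):
        print(parse_pppoe(pkt))
```

A flow sensor on this tap has to skip these eight bytes (six of PPPoE, two of PPP) before it reaches the IP header that tcpdump prints.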
	





