Re: PPP compression

[James Carlson <carlsonj@workingcode.com>]

[-- Attachment #1: Type: text/plain, Size: 578 bytes --]

On 12/19/14 12:28, Arthur Paulino wrote:
> I tried to use pppdump with -p and -d. The input file I used was the
> pcap file (packets.pcap) generated by tcpdump.

As I said, pppdump and pcap formats are not at all the same.  You'll
have to convert to go this route.

Attached is a quick-and-dirty program I wrote to convert from the Linux
libpcap variant and PPTP encapsulation you seem to be using and simple
pppdump format.  I didn't bother with timestamps or other bits.  Maybe
it'll work for you.

-- 
James Carlson         42.703N 71.076W         <carlsonj@workingcode.com>

[-- Attachment #2: pcap2pppd.c --]
[-- Type: text/x-csrc, Size: 8725 bytes --]

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <inttypes.h>
#include <netinet/in.h>

#define MAGIC 0xa1b2c3d4
#define RMAGIC 0xd4c3b2a1

#define ETHERNET 1
#define LINUX_SLL 113

#define ESCAPED(x)	((x) == 0x7D || (x) == 0x7E)
#define PUTESC(x, o)	\
	if (ESCAPED(x)) { \
		putc(0x7D, (o)); \
		putc((x) ^ 0x20, (o)); \
	} else { \
		putc((x), (o)); \
	}

typedef struct pcap_hdr_s {
        uint32_t magic_number;   /* magic number */
        uint16_t version_major;  /* major version number */
        uint16_t version_minor;  /* minor version number */
        int32_t  thiszone;       /* GMT to local correction */
        uint32_t sigfigs;        /* accuracy of timestamps */
        uint32_t snaplen;        /* max length of captured packets, in octets */
        uint32_t network;        /* data link type */
} pcap_hdr_t;

typedef struct pcaprec_hdr_s {
	uint32_t ts_sec;
	uint32_t ts_usec;
	uint32_t incl_len;
	uint32_t orig_len;
} pcaprec_hdr_t;

typedef struct linux_sll_s {
	uint16_t packettype;	/* big endian */
	uint16_t arphrd;	/* big endian */
	uint16_t ll_addr_len;	/* big endian */
	uint8_t ll_addr[8];
	uint16_t protocoltype;	/* big endian */
} linux_sll_t;

#define PROTO_IP 0x0800
#define PROTO_PPP 0x880B

typedef enum {
	to_us = 0,
	bcast_by_other,
	mcast_by_other,
	other_to_other,
	from_us
} ptype_t;

static u_short fcstab[256] = {
	0x0000,	0x1189,	0x2312,	0x329b,	0x4624,	0x57ad,	0x6536,	0x74bf,
	0x8c48,	0x9dc1,	0xaf5a,	0xbed3,	0xca6c,	0xdbe5,	0xe97e,	0xf8f7,
	0x1081,	0x0108,	0x3393,	0x221a,	0x56a5,	0x472c,	0x75b7,	0x643e,
	0x9cc9,	0x8d40,	0xbfdb,	0xae52,	0xdaed,	0xcb64,	0xf9ff,	0xe876,
	0x2102,	0x308b,	0x0210,	0x1399,	0x6726,	0x76af,	0x4434,	0x55bd,
	0xad4a,	0xbcc3,	0x8e58,	0x9fd1,	0xeb6e,	0xfae7,	0xc87c,	0xd9f5,
	0x3183,	0x200a,	0x1291,	0x0318,	0x77a7,	0x662e,	0x54b5,	0x453c,
	0xbdcb,	0xac42,	0x9ed9,	0x8f50,	0xfbef,	0xea66,	0xd8fd,	0xc974,
	0x4204,	0x538d,	0x6116,	0x709f,	0x0420,	0x15a9,	0x2732,	0x36bb,
	0xce4c,	0xdfc5,	0xed5e,	0xfcd7,	0x8868,	0x99e1,	0xab7a,	0xbaf3,
	0x5285,	0x430c,	0x7197,	0x601e,	0x14a1,	0x0528,	0x37b3,	0x263a,
	0xdecd,	0xcf44,	0xfddf,	0xec56,	0x98e9,	0x8960,	0xbbfb,	0xaa72,
	0x6306,	0x728f,	0x4014,	0x519d,	0x2522,	0x34ab,	0x0630,	0x17b9,
	0xef4e,	0xfec7,	0xcc5c,	0xddd5,	0xa96a,	0xb8e3,	0x8a78,	0x9bf1,
	0x7387,	0x620e,	0x5095,	0x411c,	0x35a3,	0x242a,	0x16b1,	0x0738,
	0xffcf,	0xee46,	0xdcdd,	0xcd54,	0xb9eb,	0xa862,	0x9af9,	0x8b70,
	0x8408,	0x9581,	0xa71a,	0xb693,	0xc22c,	0xd3a5,	0xe13e,	0xf0b7,
	0x0840,	0x19c9,	0x2b52,	0x3adb,	0x4e64,	0x5fed,	0x6d76,	0x7cff,
	0x9489,	0x8500,	0xb79b,	0xa612,	0xd2ad,	0xc324,	0xf1bf,	0xe036,
	0x18c1,	0x0948,	0x3bd3,	0x2a5a,	0x5ee5,	0x4f6c,	0x7df7,	0x6c7e,
	0xa50a,	0xb483,	0x8618,	0x9791,	0xe32e,	0xf2a7,	0xc03c,	0xd1b5,
	0x2942,	0x38cb,	0x0a50,	0x1bd9,	0x6f66,	0x7eef,	0x4c74,	0x5dfd,
	0xb58b,	0xa402,	0x9699,	0x8710,	0xf3af,	0xe226,	0xd0bd,	0xc134,
	0x39c3,	0x284a,	0x1ad1,	0x0b58,	0x7fe7,	0x6e6e,	0x5cf5,	0x4d7c,
	0xc60c,	0xd785,	0xe51e,	0xf497,	0x8028,	0x91a1,	0xa33a,	0xb2b3,
	0x4a44,	0x5bcd,	0x6956,	0x78df,	0x0c60,	0x1de9,	0x2f72,	0x3efb,
	0xd68d,	0xc704,	0xf59f,	0xe416,	0x90a9,	0x8120,	0xb3bb,	0xa232,
	0x5ac5,	0x4b4c,	0x79d7,	0x685e,	0x1ce1,	0x0d68,	0x3ff3,	0x2e7a,
	0xe70e,	0xf687,	0xc41c,	0xd595,	0xa12a,	0xb0a3,	0x8238,	0x93b1,
	0x6b46,	0x7acf,	0x4854,	0x59dd,	0x2d62,	0x3ceb,	0x0e70,	0x1ff9,
	0xf78f,	0xe606,	0xd49d,	0xc514,	0xb1ab,	0xa022,	0x92b9,	0x8330,
	0x7bc7,	0x6a4e,	0x58d5,	0x495c,	0x3de3,	0x2c6a,	0x1ef1,	0x0f78
};

static void
debug(const char *fmt, ...)
{
#if 0
	va_list ap;

	va_start(ap, fmt);
	vprintf(fmt, ap);
	va_end(ap);
#endif
}

static uint32_t
readu32(uint32_t *vptr, int reversed)
{
	uint32_t value = *vptr;

	if (reversed)
		value = (value << 24) | ((value << 8) & 0xff0000) |
			((value >> 8) & 0xff00) | (value >> 24);
	return value;
}

static void
process(FILE *fin, FILE *fout, char *filename)
{
	pcap_hdr_t hdr;
	size_t rlen, slen;
	int reversed;
	uint32_t network;
	uint8_t *packet;
	uint32_t addr_from = 0; /* arbitrary to/from */

	rlen = fread(&hdr, 1, sizeof (hdr), fin);
	if (rlen < sizeof (hdr)) {
		fprintf(stderr, "pcap2pppd: missing header on %s\n", filename);
		return;
	}
	if (hdr.magic_number == MAGIC) {
		reversed = 0;
	} else if (hdr.magic_number == RMAGIC) {
		reversed = 1;
	} else {
		fprintf(stderr, "pcap2pppd: bad magic number on %s\n", filename);
		return;
	}
	network = readu32(&hdr.network, reversed);
	if (network != LINUX_SLL) {
		fprintf(stderr, "pcap2pppd: unsupported network type %d in %s\n", network, filename);
		return;
	}
	slen = readu32(&hdr.snaplen, reversed);
	if (slen < 1024)
		slen = 1024;
	else if (slen > 65536)
		slen = 65536;
	packet = malloc(slen);
	for (;;) {
		struct {
			pcaprec_hdr_t pcaprec;
			linux_sll_t sll;
		} phdr;
		uint32_t plen;
		int hlen, i;
		uint16_t gtype, ilen, fcs;
		uint32_t ipaddr;

		rlen = fread(&phdr, 1, sizeof (phdr), fin);
		if (rlen < sizeof (phdr))
			break;
		plen = readu32(&phdr.pcaprec.incl_len, reversed);
		if (plen > slen)
			plen = slen;
		/* pcap's packet length includes the Linux SLL header */
		if (plen < sizeof (phdr.sll)) {
			fprintf(stderr, "pcap2pppd: packet without SLL in %s\n", filename);
			break;
		}
		plen -= sizeof (phdr.sll);
		/* now read the actual payload from the file */
		rlen = fread(packet, 1, plen, fin);
		if (rlen < plen) {
			fprintf(stderr, "pcap2pppd: truncated packet at end of %s\n", filename);
			break;
		}
		if (ntohs(phdr.sll.protocoltype) != PROTO_IP) {
			debug("ignore sll proto %d\n",
			      ntohs(phdr.sll.protocoltype));
			continue;
		}
		/* check for IPv4 */
		if ((packet[0] & 0xF0) != 0x40) {
			debug("ignore bad IP type %02x\n", packet[0]);
			continue;
		}
		hlen = (packet[0] & 0xF) << 2;
		if (hlen < 20 || hlen > rlen) {
			debug("ignore bad IP header len %d\n", hlen);
			continue;
		}
		ilen = (packet[2] << 8) + packet[3];
		if (hlen > ilen) {
			debug("ignore bad IP header len %d\n", hlen);
			continue;
		}
		if (ilen > rlen)
			ilen = rlen;
		ipaddr = (packet[12] << 24) | (packet[13] << 16) |
			(packet[14] << 8) | packet[15];
		if (addr_from == 0) {
			debug("arbitrarily choosing %08x as sender.\n", ipaddr);
			addr_from = ipaddr;
		}
		/* check for some form of GRE */
		if (packet[9] != 0x2F) {
			debug("ignore non-GRE protocol %02x\n", packet[9]);
			continue;
		}
		if (ilen < hlen + 2) {
			debug("ignore GRE missing header (%d < %d)\n",
			      ilen, hlen + 2);
			continue;
		}
		/* check for PPTP's non-standard GRE */
		if (!(packet[hlen] & 0x20) || (packet[hlen + 1] & 3) != 1) {
			debug("ignore non-PPTP GRE\n");
			continue;
		}
		gtype = (packet[hlen + 2] << 8) | packet[hlen + 3];
		if (gtype != PROTO_PPP) {
			debug("ignore unexpected GRE payload type %04x\n",
			      gtype);
			continue;
		}
		/* This next line would be correct for real GRE. */
		/* hlen += (packet[hlen] & 0x80) ? 8 : 4; */
		/* This is for Microsoft's weird PPTP GRE. */
		hlen += 8 + ((packet[hlen] & 0x10) ? 4 : 0) +
			((packet[hlen + 1] & 0x80) ? 4 : 0);
		if (ilen <= hlen) {
			debug("ignore GRE without payload\n");
			continue;
		}
		/* Encode the remainder */
		if (phdr.sll.packettype == from_us) {
			putc(0x01, fout);
		} else if (phdr.sll.packettype == to_us) {
			putc(0x02, fout);
		} else {
			putc((ipaddr == addr_from ? 0x01 : 0x02), fout);
		}
		plen = ilen - hlen;
		debug("encoding packet of length %u\n", plen);
		/* first, scan for escapes and add them up */
		fcs = 0xFFFF;
		for (i = hlen; i < ilen; i++) {
			if (ESCAPED(packet[i]))
				plen++;
			fcs = (fcs >> 8) ^ fcstab[(fcs ^ packet[i]) & 0xFF];
		}
		fcs ^= 0xFFFF;
		/* then account for the final FCS and 0x7E */
		plen += 3;
		if (ESCAPED((fcs >> 8) & 0xFF))
			plen++;
		if (ESCAPED(fcs & 0xFF))
			plen++;
		putc((plen >> 8) & 0xFF, fout);
		putc(plen & 0xFF, fout);
		while (hlen < ilen) {
			PUTESC(packet[hlen], fout);
			hlen++;
		}
		PUTESC(fcs & 0xFF, fout);
		PUTESC((fcs >> 8) & 0xFF, fout);
		putc(0x7E, fout);
	}
	free(packet);
}

int
main(int argc, char **argv)
{
	int retv = -1;

	if (argc <= 1) {
		process(stdin, stdout, "stdin");
		retv = 0;
	} else {
		char *filename;
		while ((filename = *++argv) != NULL) {
			FILE *fin = fopen(filename, "r");
			FILE *fout;

			if (fin == NULL) {
				perror(filename);
			} else {
				char *cp = strstr(filename, ".pcap");
				size_t slen = strlen(filename);
				char *oname;

				if (cp != NULL)
					slen = cp - filename;
				oname = malloc(slen + 9);
				strncpy(oname, filename, slen);
				strcpy(oname + slen, ".pppdump");
				fout = fopen(oname, "w");
				if (fout == NULL) {
					perror(oname);
				} else {
					process(fin, fout, filename);
					retv = 0;
					fclose(fout);
				}
				fclose(fin);
				free(oname);
			}
		}
	}
	return retv;
}