I want to capture packets that are either a PPPoE Discovery or Session packet.
Does tcpdump support combining protocols with or? The manpage seems to say so, but it does not seem to work on Raspbian Wheezy with tcpdump 4.6.2 and libpcap 1.6.2.
Then I am opening two tcpdump sessions (in different console windows, same host):
pi@raspberrypi205 $ sudo tcpdump -i eth1 -vvvv pppoed or pppoes
pi@raspberrypi205 $ sudo tcpdump -i eth1 -vvvv pppoes or pppoed
Then I am sending a packet with Scapy 2.2.0:
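from scapy.all import Ether, PPPoED, Raw, sendp
macIf1 = "00:24:9b:1b:51:be"; macIf2 = "00:24:9b:1b:50:23"; macBroadcast = "ff:ff:ff:ff:ff:ff"
# PPPoE Discovery frame with code 0xa7 (PADT) and session ID 0x1122, sent to broadcast
pppoe_discovery = Ether(src=macIf1, dst=macBroadcast)/PPPoED(code=0xa7,sessionid=0x1122)/Raw(load='\x01\x04\x00\x00\x00\x00')
sendp(pppoe_discovery, iface="eth1")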
Remarkably, the first tcpdump command captures the packet and the second doesn't. Am I doing something wrong? Is it not possible to run two tcpdump commands at the same time?
pi@raspberrypi205 $ sudo tcpdump -i eth1 -vvvv pppoed or pppoes
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:17:50.174774 PPPoE PADT [ses 0x1122] [AC-Cookie][|pppoe]
pi@raspberrypi205 $ sudo tcpdump -i eth1 -vvvv pppoes or pppoed
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes