[plug] network monitoring using ntopng - can't see PPPoE packets

steve boak sboak at westnet.com.au
Fri Apr 28 12:28:24 AWST 2017 

Hi All

I have an NBN satellite connection which is still not yet up to the 
reliability I would like, so I have been investigating methods of 
monitoring the connection.

I have a Rasperry Pi in bridge configuration (extra USB ethernet 
adapter) in line between the router and satellite modem. The router 
establishes a PPPoE session with Westnet, so most of the traffic I 
should see is encapsulated in PPPoE packets.

The Pi works well, I can monitor throughput with interface stats and all 
passing traffic is visible on the bridge port br0 when using tcpdump - 
for example:

11:21:56.072589 PPPoE  [ses 0xe993] LCP, Echo-Request (0x09), id 203, 
length 14
11:21:56.073087 PPPoE  [ses 0xe993] LCP, Echo-Reply (0x0a), id 203, 
length 14

However, when I use iftop, ntop, or the newer ntopng I can only see 
regular IP packets and PPPoE traffic seems to be ignored or hidden.

br0 is in promiscuous mode, and all packets are available because 
tcpdump can see them.

pi at raspberrypi:~ $ ifconfig
br0       Link encap:Ethernet  HWaddr 70:11:24:8c:e7:9b
           inet addr:192.168.100.254  Bcast:192.168.100.255 
Mask:255.255.255.0
           inet6 addr: fe80::7211:24ff:fe8c:e79b/64 Scope:Link
           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500 Metric:1
           RX packets:1315251 errors:0 dropped:44581 overruns:0 frame:0
           TX packets:966 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:1019322018 (972.1 MiB)  TX bytes:355421 (347.0 KiB)

eth0      Link encap:Ethernet  HWaddr b8:27:eb:02:59:76
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1115843 errors:0 dropped:0 overruns:0 frame:0
           TX packets:637565 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:1137978736 (1.0 GiB)  TX bytes:207997192 (198.3 MiB)

eth1      Link encap:Ethernet  HWaddr 70:11:24:8c:e7:9b
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:636600 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1116809 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:193628821 (184.6 MiB)  TX bytes:1158423387 (1.0 GiB)

Is there something I have missed? ntopng looks like it should decode 
PPPoE packets, but all I can see is a few DHCP requests on the 
interface. The same with iftop.

Thanks in advance for any ideas...

Steve

-- 
Steve Boak, VK6HSB, 0411 255 789, P.O. Box 240, Nannup, WA 6275

More information about the plug mailing list