Did you try Netmon? (i have not, but figured it's worth a shot)

You can always use nm2lp http://www.inguardians.com/tools/ to convert the netmon capture to libpcap format.

And they never make Linux drivers!

Chris, in order to understand what you want and where you want it, here is a quickie diagram of a ppp setup:




Most devices will begin between 1 and 3 which cannot be sniffed by outside devices as there is no IP going on yet. In order to see what occurs during the setup, you'd need to be in the path of the cellular and device doing the ppp transaction(s). You mention nokia, you can get a sniffer on that device and do some capturing to see what happens.

Now *after the ppp connection* (between 4 and 6) you would need to be somewhere sniffing either on the ppp device or through some insane port mirroring or other. Otherwise AFTER the fact, you're seeing IP (IPCP or IPE, etc). What you may be able to do is mirror the ppp server where the phone would go through the ppp setup by connecting to you first:




In this setup, it would help to sniff on a, c and e. This way you can compare and see who is doing what, where and at which stage. Otherwise the data you may need to see (on the original ASCII diagram) 2,3,4 would never be seen unless you have something to decapsulate the ppp frames.

Anyhow, Nokia has their own packet capture application which should get you to a solid state of understanding what is going on: http://betalabs.nokia.com/apps/nokia-connectivity-analyzer

thanks for the great writeup sil.

It's Cisco's VPN Client doing IPSEC over UDP. Usually people connect their "local" LAN. Be it Home or other location, and then "VPN in" for remote access.

In the case of my testing (where this all came from), I was in the offce and the aircard was the only way to simulate a connection while not on the network.