+(65) 8344 4290 Ciscodumps.net@gmail.com Room 907, Block B, Baoneng Entrepreneurship Center, Guangrong Road, Hongqiao District, Tianjin

ThinkMo EDU Share – network 10.Detailed explanation of PPTP protocol and message analysis

蒂娜 No Comments 10/19/2022

ThinkMo EDU Share – network 10.Detailed explanation of PPTP protocol and message analysis

PPTP is a point-to-point tunneling protocol, a VPN tunneling technology based on PPP protocol. It has a history of more than 20 years. At present, there are these widely used VPN protocols. Mainly PPTP, L2TP, IPsec, OpenVPN, SSTP, IKEv2, etc. PPTP protocol relies on encryption, authentication and end-to-end protocol (PPP) negotiation. Essentially, it only needs user name, password and server address to create a connection.

PPTP protocol

PPTP protocol is not a standard recommended by IETF, but developed by an industrial alliance formed by Microsoft, 3Com and other manufacturers. RFC 2637 issued in July 1999 is the first official PPTP specification.

PPTP defines the connection between a set of messages PNS sent as TCP data and a given PAC on the control. TCP session establishes control connection port 1723 by starting TCP connection with the following devices. The source port is assigned to any unused port number. Every PPTP control connection message starts with a fixed 8 octets in the header part. This fixed header contains the following contents: total message length, PPTP message type indicator and “Magic Cookie”.

Magic Cookie is always sent as a constant 0x1A2B3C4D. Its basic purpose is to let the receiver ensure that it is correctly synchronized with TCP data stream. It should not be used as a method to resynchronize TCP data flows when the sender sends a malformed message. The loss of synchronization of must cause the control to immediately close the connected TCP session.

For clarity, all “control connection” message template parts in the next one include the entire PPTP control connection message header. Numbers beginning with 0x are hexadecimal values.

Start-Control-Connection-Request 1Start-Control-Connection-Reply 2Stop-Control-Connection-Request 3Stop-Control-Connection-Reply 4Echo-Request 5Echo-Re ply 6(Call Management) Outgoing-Call-Request 7Outgoing-Call-Reply 8Incoming-Call-Request 9Incoming-Call-Reply 10Incoming-Call-Connected 11Call-Clear-Request 12Call-Disconnect-Notify 13WAN-Error-Notify 14Set-Link-Info 15

Control connection request and message format.

Start-control-connection-request is a PPTP control message used to establish a control connection between PNS and PAC. Every PNS-PAC pair needs a dedicated control connection. A control connection must be established first, and other PPTP messages can be sent. The establishment of control connection can be initiated by PNS or PAC.

Start control connection request, which is used to initialize the Tunnel between PPTP Client and Server and start the Tunnel establishment process.

Message format of start-control-connection-request

Length: The total length (in octets) of this PPTP message, including the entire PPTP header.

PPTP Message Type: 1 is a control message.

Magic Cookie:0x1A2B3C4D。 Use this constant as the integrity check of the received message.

Message type: control message type 1 of start-control-connection-request.

Reserved0: This field must be 0.

Protocol: The sender wants to use the version of PPTP protocol.

Reserved1: This field must be 0.

Framing Capabilities: information that the sender of this message can provide. The currently defined bit settings are: 1- support asynchronous frames and 2- support synchronous frames.

Bearer Capabilities: The capabilities of the sender of this message can be provided. The currently defined bit settings are: 1- support analog access 2- support digital access.

Maximum Channels: the total number of single PPP sessions that this PAC can support. At the beginning of control-connection request issued by PNS, this value should be set to 0. Must be ignored by PAC.

Firmware Revision: this field contains the number of the firmware version issuing PAC (issued by) PAC or the version driver of PNS PPTP.

Host Name: a 64-byte field containing DNS name issuing PAC or PNS. If it is less than 64 octets, the remaining fields should be filled with the value 0 of the octet.

Vendor Name: 64 octet fields containing vendors describe the specific string of PAC type being used or the type of PNS software if this request is made by PNS. If the length is less than 64 octets, the rest of the field should be filled with the value of octets as 0.

Start control connection reply.

Start-Control-Connection-Reply is the PPTP control message sent in it to reply to the received start control connection request message. This message contains the result code connection attempt indicating the result of the control.

Start the control connection reply, indicating that the connection request of the opposite end is accepted, and the Tunnel establishment process can continue.

Message format of Start-Control-Connection-Reply

Type 2 of control message of Start-Control-Connection-Reply.


Outgoing-Call-Request is a PPTP control message sent by PNS to PAC to indicate that the outgoing call from PAC is established. The request provided PAC with the required information to make a phone call. It also provides PAC with the following information: once the data transmission used to regulate this session to PNS is established.

The PPTP Client sends an Outgoing Call Request, creates a tunnel, and selects a PPTP tunnel used to send data from the client to the server as the calling ID.

Outgoing-Call-Request message format

Message type: Control Message Type 7.

Call ID: a unique identifier, which is unique to a specific object. PNS are assigned to this PAC-PNS pair meeting. It is used to multiplex and demultiplex the data sent through the tunnel and meet between PNS and PAC.

Call Serial Number: The identifier conference assigned by PNs to identify the specific session information in the session recorded for this purpose. Unlike “CALL ID”, PNS and PAC are associated with the same call sequence to give the session number. This combined IP address and call sequence number are unique.

Minimum BPS: the lowest acceptable linear speed (in bits per second).

Maximum BPS: the highest acceptable linear speed (in bits per second).

Bearer Type: The currently defined values required to dial out the phone at this time indicating the carrying capacity are:

1- Dial the analog telephone channel.

2- Dial the digital telephone channel.

3- You can call any type of telephone channel.

Framing Type: The value indicating PPP frame type is used for this outgoing call.

1- Called to use asynchronous frames.

2- Called to use the sync frame.

3- Call can use any of the following types of frames.

Packet Processing Delay: the measurement of packet processing delay may be imposed on PNS sent to PAC. Specify the value in 1/10th of a second. For PNS, the quantity should be small.

Number length: actual effective digits.

Reserved1: This field must be 0.

Phone Number: Establish the outgoing session of the number to be dialed by this number. This field is an ASCII string for ISDN and analog calls. If the phone number length is less than 64 octets, the rest of this field is filled with octets of the value.

Subaddress: a 64-byte field used to specify other dialing information. If the subaddress is less than 64 octets in length, the rest of this field is filled with octets with a value of 0.


Outbound-call-reply is the PNS to which the PPTP control message sent by PAC responds to the received outbound request message. The reply of indicates the result of the outgoing call attempt. It is also a telephone that provides PNS with information about specific parameters. It provides information to allow PNS specification to transfer data to PAC of this session.

The PPTP Server returns the Outgoing Call Reply, and the tunnel creation is successfully answered. Select a call ID that identifies the PPTP tunnel used to send data from the server to the client.

Outgoing-Call-Reply message format

Result Code: The current valid values are:

1 (Connected)-The call was established with no errors.

2 (General Error)-Unsigned calls establish error codes according to the indicated reasons.

3 (No carrier)-The outgoing call failed because the carrier was not detected.

4 (Busy)-Power failure detection busy tone due to the following reasons

5 (No dial tone)-The outgoing call failed due to the lack of dial tone.

6 (Time-out)-The outgoing call establishes PAC within the specified time.

7 (Not accepted)-It is administratively forbidden to make outgoing calls.


Setting the link information message is a PPTP control message sent by PNS to PAC to set the option of PPP negotiation. Because these options can be changed at any time during the call, PAC must be able to dynamically update its internal call information and perform PPP to negotiate in the active PPP session.

PPTP Client sends a Set-Link-Info to specify PPP negotiation options. So far, the control layer connection of PPTP has been established.

Set-Link-Info message format

Send ACCM: the sending ACCM value that the client should use to process outgoing PPP packets. Default Value The value used by the customer before this message received 0XFFFFFFFF.

Receive ACCM: The client should use the received ACCM value to process the incoming PPP packet. Default Value The value used by the customer before this message received 0XFFFFFFFF.

Implementation of PPTP message parsing code

int main(int argc, char* argv[])


char errbuf[1024];

pcap_t *desc = 0;

char *filename = argv[1];

if (argc ! = 2)


printf(“usage: ./pptp_test [pcap file]\n”);

return -1;


printf(“ProcessFile: process file: %s\n”, filename);

if ((desc = pcap_open_offline(filename, errbuf)) == NULL)


printf(“pcap_open_offline: %s error! \n”, filename);

return -1;


pcap_loop(desc, pkt_number, (pcap_handler)ace_pcap_hand, NULL);


return 0;


Compile and run


The PPTP control connection is established between the IP address of PPTP client and the IP address of PPTP server. PPTP client uses dynamically allocated TCP port number, while PPTP server uses reserved TCP port number 1723.

PPTP is the fastest protocol among VPN protocols, which is mainly used in streaming media and games. This paper mainly analyzes the messages of the client and server, and analyzes the contents of data packets in detail. The message is parsed and coded.

ThinkMo CCNA Dump exam information exchange group:

CCNA/CCNP/CCIE telegram study group:https://t.me/ccie_ei_lab
WAHTAPP:+65 83444290
WAHTAPP:+63 9750724648

ThinkMo CCNA 200-301 Tutorial VIP Exclusive:

The complete EVE_NG file, free learning PDF and PPT that can be used directly, as well as video explaining the technical points are all here!

Post Tags :

Leave a Reply