3 files changed, 16 insertions, 3 deletions

diff --git a/example/reader_util.c b/example/reader_util.c
index 3853aa919..c212597ac 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1637,9 +1637,14 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
     /* Cisco PPP - 9 or 104 */
   case DLT_C_HDLC:
   case DLT_PPP:
-    chdlc = (struct ndpi_chdlc *) &packet[eth_offset];
-    ip_offset = sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */
-    type = ntohs(chdlc->proto_code);
+    if(packet[0] == 0x0f || packet[0] == 0x8f) {
+      chdlc = (struct ndpi_chdlc *) &packet[eth_offset];
+      ip_offset = sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */
+      type = ntohs(chdlc->proto_code);
+    } else {
+      ip_offset = 2;
+      type = ntohs(*((u_int16_t*)&packet[eth_offset]));
+    }
     break;
 
     /* IEEE 802.3 Ethernet - 1 */
diff --git a/tests/pcap/dlt_ppp.pcap b/tests/pcap/dlt_ppp.pcap
new file mode 100644
index 000000000..feef559d0
--- /dev/null
+++ b/tests/pcap/dlt_ppp.pcap
diff --git a/tests/result/dlt_ppp.pcap.out b/tests/result/dlt_ppp.pcap.out
new file mode 100644
index 000000000..fe4e41782
--- /dev/null
+++ b/tests/result/dlt_ppp.pcap.out
@@ -0,0 +1,8 @@
+QUIC	1	1230	1
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 193.167.0.252            	 1      
+
+
+	1	UDP 193.167.0.252:44083 -> 193.167.100.100:443 [proto: 188/QUIC][cat: Web/5][1 pkts/1230 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][ALPN: hq-29][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][TLSv1.3][Client: server4][JA3C: fe94e313a5d76fb687c85443cdfa8170][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]