Re: decode MPLS-contained packets?

[Francois-Xavier Le Bail via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Francois-Xavier Le Bail <devel.fx.lebail () orange fr>
>
> Date: Tue, 5 May 2020 20:47:04 +0200
>
> On 05/05/2020 20:37, Gert Doering wrote:
> > Hi,
> >
> > On Tue, May 05, 2020 at 07:28:28PM +0200, Francois-Xavier Le Bail wrote:
> > > On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
> > > > In my case, there is an MPLS control word before the ethernet header
> > > > ("0000 0000"), and if I skip that and just clear "ethernet in here", I
> > > > get nicely printed packets...
> > >
> > > It seems it is like:
> > > https://tools.ietf.org/html/rfc4448#section-4.6
> > >
> > > Can you confirm?
> >
> > This very much looks like it, indeed.
> >
> > So, given that the first 16 bits are "4 bit always 0, and 12 bits
> > reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
> > are following the MPLS headers, it's a control word, so we skip 4 bytes
> > and the rest is a regular Ethernet packet" should work.
>
> We should print "PW Ethernet Control Word" and the "Sequence Number", 2 last 2 octets of the 4.
> Like:
> PW Ethernet Control Word, Sequence Number xxx
>
> [...]
> 18:31:01.221109 00:22:55:93:74:80 > a8:0c:0d:56:50:3b, ethertype MPLS unicast (0x8847), length 140:
> MPLS (label 24002, exp 0, [S], ttl 253)
> PW Ethernet Control Word, Sequence Number 0
> 00:c1:64:65:92:0f > 3c:fd:fe:bd:78:35, ethertype IPv4 (0x0800)
> [...]
>
> -- 
> Francois-Xavier
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers