tcpdump mailing list archives

Re: decode MPLS-contained packets?


From: Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Thu, 7 May 2020 02:53:11 -0400 (EDT)

--- Begin Message ---
From: Guy Harris <gharris () sonic net>
Date: Wed, 6 May 2020 23:54:55 -0700
On May 5, 2020, at 3:15 AM, Gert Doering via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:

> tcpdump's print-mpls.c already does "if I know what upper-layer protocol
> is in here, I call the appropriate printer".  But there is no well-defined
> type field, so it fails for my packets, and falls back to "hexdump"
> (good enough).

OK, so what *shark's MPLS dissector does is:

1) see whether the label indicates the next protocol - but very few label values are registered in the dissector table 
for that, so that's *not* what's being used for your dissector (most dissectors just register for the "decode as" 
feature, so the user can say "decode this label as...");

2) if that fails, "use the 1st nibble logic (see BCP 4928, RFC 4385 and 5586)".

The "1st nibble logic" is:

        if the upper nibble of the first octet is 4, it's IPv4;

        if the upper nibble of the first octet is 6, it's IPv6;

        if the upper nibble of the first octet is 1, dissect it as "PW Associated Channel Header Management 
Communication Network (MCN) dissection as per RFC 5718" (with a comment that "this could be from an Ethernet 
pseudo-wire without a control word, with the MAC address's first nibble being 1.");

        if the upper nibble of the first octet is 0, then "If this is an Ethernet pseudo-wire, this could either be 
Ethernet without a control word and with the first nibble of the destination MAC address being 0 or it could be 
Ethernet with a control word.  Let the "pw_eth_heuristic" dissector try to figure it out.".

The heuristics that dissector does are

        if the first 12 bytes in the payload look like two valid Ethernet addresses, treat it as Ethernet with no 
control word;

        otherwise, if the first octet is 0, treat it as Ethernet *with* a control word;

        otherwise, treat it as Ethernet without a control word.

"Looks like a valid Ethernet address" is defined as "the first three octets appear in Wireshark's file giving 
manufacturer names for OUIs".  Tcpdump *currently* doesn't have such a file.

--- End Message ---
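The first-nibble logic and the pw_eth_heuristic fallback described in the message above, written out as a small classifier in C. This is an added example for illustration, not code from tcpdump's print-mpls.c or from Wireshark's MPLS dissector; the function and type names (classify_mpls_payload, pw_eth_heuristic, enum mpls_payload) are invented here, and the tiny known_ouis table is a constructed stand-in for Wireshark's manuf file, which tcpdump does not carry. The sample payloads are constructed byte strings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification of the payload that follows the bottom MPLS label. */
enum mpls_payload {
    MPLS_PAYLOAD_IPV4,
    MPLS_PAYLOAD_IPV6,
    MPLS_PAYLOAD_PW_ACH,     /* PW Associated Channel Header (RFC 4385 / RFC 5718) */
    MPLS_PAYLOAD_ETH_NO_CW,  /* Ethernet pseudo-wire without a control word */
    MPLS_PAYLOAD_ETH_CW,     /* Ethernet pseudo-wire with a control word */
    MPLS_PAYLOAD_UNKNOWN     /* no match: a printer would fall back to hexdump */
};

/* Constructed stand-in for Wireshark's OUI ("manuf") file: only the OUIs
 * listed here count as "looks like a valid Ethernet address". A real
 * implementation would load the full registry. */
static const uint8_t known_ouis[][3] = {
    {0x00, 0x00, 0x0c},
    {0x00, 0x50, 0x56},
};

static int oui_known(const uint8_t *mac) {
    for (size_t i = 0; i < sizeof known_ouis / sizeof known_ouis[0]; i++)
        if (memcmp(mac, known_ouis[i], 3) == 0)
            return 1;
    return 0;
}

/* The "pw_eth_heuristic" step, reached only when the upper nibble is 0. */
static enum mpls_payload pw_eth_heuristic(const uint8_t *p, size_t len) {
    /* Two plausible MAC addresses in the first 12 bytes: no control word. */
    if (len >= 12 && oui_known(p) && oui_known(p + 6))
        return MPLS_PAYLOAD_ETH_NO_CW;
    /* Whole first octet zero: assume a control word precedes the frame. */
    if (p[0] == 0x00)
        return MPLS_PAYLOAD_ETH_CW;
    /* Anything else (e.g. a locally administered MAC): no control word. */
    return MPLS_PAYLOAD_ETH_NO_CW;
}

/* First-nibble logic on the first octet after the label stack. */
enum mpls_payload classify_mpls_payload(const uint8_t *p, size_t len) {
    if (len < 1)
        return MPLS_PAYLOAD_UNKNOWN;
    switch (p[0] >> 4) {
    case 4:  return MPLS_PAYLOAD_IPV4;
    case 6:  return MPLS_PAYLOAD_IPV6;
    case 1:  return MPLS_PAYLOAD_PW_ACH;   /* or an Ethernet frame whose DST MAC starts with nibble 1 */
    case 0:  return pw_eth_heuristic(p, len);
    default: return MPLS_PAYLOAD_UNKNOWN;
    }
}

/* Constructed sample payloads (only the leading bytes matter here). */
const uint8_t sample_ipv4[]   = {0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00};
const uint8_t sample_ipv6[]   = {0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3b, 0x40, 0x00, 0x00, 0x00, 0x00};
const uint8_t sample_ach[]    = {0x10, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
/* Ethernet, no control word: both MACs carry OUIs from the sample table. */
const uint8_t sample_eth[]    = {0x00, 0x00, 0x0c, 0x11, 0x22, 0x33, 0x00, 0x50, 0x56, 0x44, 0x55, 0x66, 0x08, 0x00};
/* Control word (first octet 0x00) followed by a frame with unlisted OUIs. */
const uint8_t sample_eth_cw[] = {0x00, 0x00, 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x08, 0x00};
/* Locally administered DST MAC (0x02...): nibble 0, octet non-zero, OUIs unlisted. */
const uint8_t sample_eth_laa[] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x08, 0x00};
const uint8_t sample_other[]  = {0x80, 0x01, 0x02, 0x03};

static const char *payload_name(enum mpls_payload t) {
    static const char *names[] = {"IPv4", "IPv6", "PW ACH", "Ethernet (no control word)",
                                  "Ethernet (control word)", "unknown, hexdump"};
    return names[t];
}

int main(void) {
    printf("ipv4    -> %s\n", payload_name(classify_mpls_payload(sample_ipv4, sizeof sample_ipv4)));
    printf("ipv6    -> %s\n", payload_name(classify_mpls_payload(sample_ipv6, sizeof sample_ipv6)));
    printf("ach     -> %s\n", payload_name(classify_mpls_payload(sample_ach, sizeof sample_ach)));
    printf("eth     -> %s\n", payload_name(classify_mpls_payload(sample_eth, sizeof sample_eth)));
    printf("eth+cw  -> %s\n", payload_name(classify_mpls_payload(sample_eth_cw, sizeof sample_eth_cw)));
    printf("eth laa -> %s\n", payload_name(classify_mpls_payload(sample_eth_laa, sizeof sample_eth_laa)));
    printf("other   -> %s\n", payload_name(classify_mpls_payload(sample_other, sizeof sample_other)));
    return 0;
}
```

The sample_eth_laa case shows the limit of the OUI check: a frame whose addresses are not in the table is classified by the first octet alone, so the result is only as good as the OUI list, which is the gap the message points out for tcpdump.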
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers