tcpdump mailing list archives

Re: decode MPLS-contained packets?


From: Guy Harris via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Thu, 7 May 2020 03:12:26 -0400 (EDT)

--- Begin Message ---
From: Guy Harris <gharris () sonic net>
Date: Thu, 7 May 2020 00:14:08 -0700
On May 5, 2020, at 11:36 AM, Gert Doering via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:

> So, given that the first 16 bits are "4 bit always 0, and 12 bits
> reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
> are following the MPLS headers, it's a control word, so we skip 4 bytes
> and the rest is a regular Ethernet packet" should work.

Wireshark looks only at the uppermost nibble, as per my earlier mail, probably to make it "future-proof" against the reserved bits being used later.

However, it also has the "do the upper three octets, and the three octets after that, look like OUIs" test.

(Note that 00:00:0C is Cisco, so "two 0 bytes following the MPLS headers" isn't *guaranteed* to work as a way of identifying control words.  Wireshark's manuf file also shows 00:00:17 as being Oracle, 00:00:0F as being NeXT, so that may now be used by Apple if NeXT didn't use it up, and 00:00:F0 is Samsung Electronics, so there might be others in that range.)

--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
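
The two heuristics discussed in this message, side by side, as an added example (not tcpdump's or Wireshark's code). The function names are hypothetical, the OUI table is a constructed stand-in holding only the four OUIs named above, and both the byte offsets used for the OUI test (0-2 and 6-8) and the "ambiguous" outcome when only one OUI matches are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pw_guess { PW_TOO_SHORT, PW_ETHERNET, PW_CONTROL_WORD, PW_AMBIGUOUS };

/* Constructed stand-in for an OUI table: only the four 00:00:xx OUIs named
 * in the message. A real check needs a full table (e.g. a manuf file). */
static const uint8_t known_ouis[][3] = {
    {0x00, 0x00, 0x0C}, {0x00, 0x00, 0x17}, {0x00, 0x00, 0x0F}, {0x00, 0x00, 0xF0},
};

static int is_known_oui(const uint8_t *p) {
    for (size_t i = 0; i < sizeof known_ouis / sizeof known_ouis[0]; i++)
        if (memcmp(p, known_ouis[i], 3) == 0) return 1;
    return 0;
}

/* Heuristic quoted in the message: two zero bytes mean "control word". */
int two_zero_bytes_say_cw(const uint8_t *p, size_t len) {
    return len >= 2 && p[0] == 0 && p[1] == 0;
}

/* Nibble test plus OUI test. p points just past the bottom-of-stack label.
 * Assumption: the OUIs are bytes 0-2 (dst MAC) and 6-8 (src MAC). */
enum pw_guess classify_pw_payload(const uint8_t *p, size_t len) {
    if (len < 12) return PW_TOO_SHORT;            /* need both MAC addresses */
    if ((p[0] >> 4) != 0) return PW_ETHERNET;     /* control word starts 0000 */
    int dst = is_known_oui(p), src = is_known_oui(p + 6);
    if (dst && src) return PW_ETHERNET;           /* looks like two real MACs */
    return (dst || src) ? PW_AMBIGUOUS : PW_CONTROL_WORD;
}

/* Constructed samples: raw Ethernet between two 00:00:0C hosts, and a
 * zero control word followed by the start of an Ethernet frame. */
static const uint8_t raw_eth[] = {0x00,0x00,0x0C,0x11,0x22,0x33, 0x00,0x00,0x0C,0x44,0x55,0x66, 0x08,0x00};
static const uint8_t with_cw[] = {0x00,0x00,0x00,0x01, 0x52,0x54,0x00,0xAA,0xBB,0xCC, 0x52,0x54,0x00,0x01};

int main(void) {
    printf("raw_eth: naive=%d combined=%d\n", two_zero_bytes_say_cw(raw_eth, sizeof raw_eth),
           classify_pw_payload(raw_eth, sizeof raw_eth));
    printf("with_cw: naive=%d combined=%d\n", two_zero_bytes_say_cw(with_cw, sizeof with_cw),
           classify_pw_payload(with_cw, sizeof with_cw));
    return 0;
}
```

With the constructed table, any real MAC whose first nibble is 0 but whose OUI is not listed is still classified as a control word, which is why the OUI test is only as good as the table behind it.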
