Wireshark mailing list archives

Re: Sniffing LACP traffic with wireshark


From: Guy Harris <guy () alum mit edu>
Date: Fri, 30 May 2014 15:12:28 -0700


On May 30, 2014, at 8:52 AM, Kevin Wilson <wkevils () gmail com> wrote:

> I have wireshark-1.10.7-1.
> when I sniff LACP (Link Aggregation Control Protocol) traffic, I see "LACP"
> in the protocol column, and the ethertype is 0x8809 (Slow Protocols (IEEE 802.3))

That's the Ethertype for a collection of protocols, not just for LACP.

> However, I need to sniff LACP traffic also from the command line with tshark
> (on Linux).
>
> I see:
> tshark -d 0x8809 -i em1
> I get this error:
> tshark: Parameter "0x8809" doesn't follow the template
> "<layer_type>==<selector>,<decode_as_protocol>"
> tshark: Unknown layer type -- 0x8809

The syntax for the "-d" argument doesn't just take an Ethernet type; it takes a "layer type", which would be 
"ethertype", a value for the "layer type", and a protocol.  It's the command-line equivalent of "Decode As..." in the 
GUI; if you don't need to use "Decode As..." in the GUI, you don't need to use "-d" in TShark.

> And when running "tshark -d", which displays the list of all protocols,
> I don't see the LACP protocol.

Perhaps confusingly, not all values in the "Protocol" column correspond to "protocols" registered within Wireshark's 
dissector engine.  In this particular case, all of the "slow protocols", with Ethernet type 0x8809, are registered as 
"Slow Protocols" or "802.3 Slow protocols", and the dissector for the slow protocols does an internal case statement, 
based on the subtype, to call dissectors for the individual protocol type.  The dissectors for the individual protocol 
types set the column.

So there's no "registered protocol" in Wireshark named LACP, but there is code that sets the column to "LACP".

We should probably add a dissector table for the "slow protocol" subtype, and have the dissectors for various "slow 
protocols" register in that table, so there's an LACP "registered protocol".

> It is strange that with the wireshark GUI client, 0x8009 is recognized as LACP,
> while "tshark -d" does not show the LACP.

See above.

> Please advise, how can I sniff with tshark client with filtering for 0x8009
> Ethertype (LACP). (with -d ethertype==...)

"-d" doesn't do filtering, it does "Decode As...".  You don't need "Decode As..." or "-d" to get Wireshark/TShark to 
recognize traffic with an ethertype of 0x8809 as "slow protocol" traffic or to get "slow protocol" traffic with a 
subtype of 0 to be recognized as LACP traffic.

If you want to do capture filtering, then, as Jaap said, you use the same filter syntax as in Wireshark - "ether proto 
0x8809", although that will capture traffic for *all* slow protocols, not just LACP.
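The distinction drawn above (one EtherType for the whole slow-protocol family, with the subtype byte selecting LACP) as an added, self-contained example; this is not code from the thread or from Wireshark. It emulates what the capture filter "ether proto 0x8809" matches and then branches on the subtype the way the slow-protocols dissector does, using the IEEE 802.3 Annex 57A subtype assignments (LACP = 1, Marker = 2, OAM = 3); the frames are constructed samples.

```python
import struct

# IEEE 802.3 slow-protocol subtype values (Annex 57A). LACP is subtype 1.
SLOW_PROTOCOLS_ETHERTYPE = 0x8809
SLOW_SUBTYPES = {1: "LACP", 2: "Marker", 3: "OAM"}


def ethertype_of(frame: bytes) -> int:
    """Return the EtherType of an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def capture_filter_matches(frame: bytes) -> bool:
    """Emulate the BPF capture filter 'ether proto 0x8809'.

    Like the real filter, this is true for *every* slow protocol,
    not only for LACP.
    """
    return ethertype_of(frame) == SLOW_PROTOCOLS_ETHERTYPE


def classify(frame: bytes) -> str:
    """Branch on the subtype byte that follows the EtherType, as the
    slow-protocols dissector does before handing off to LACP/Marker/OAM."""
    if not capture_filter_matches(frame):
        return "not a slow protocol"
    if len(frame) < 15:
        return "Slow Protocols (truncated)"
    return SLOW_SUBTYPES.get(frame[14], "Slow Protocols (unknown subtype)")


def lacp_only(frames):
    """Keep just the LACP frames out of everything the capture filter passed."""
    return [f for f in frames if classify(f) == "LACP"]


def _build_slow_frame(subtype: int) -> bytes:
    # Constructed sample: Slow_Protocols multicast dst, arbitrary src,
    # EtherType 0x8809, subtype, version byte, zero padding to 64 bytes.
    dst = bytes.fromhex("0180c2000002")
    src = bytes.fromhex("001122334455")
    hdr = dst + src + struct.pack("!H", SLOW_PROTOCOLS_ETHERTYPE)
    return hdr + bytes([subtype, 0x01]) + b"\x00" * 48


SAMPLE_FRAMES = {
    "lacp": _build_slow_frame(1),
    "marker": _build_slow_frame(2),
    "oam": _build_slow_frame(3),
    # Constructed non-slow frame: broadcast dst, EtherType 0x0806 (ARP).
    "arp": bytes.fromhex("ffffffffffff001122334455" "0806") + b"\x00" * 46,
}
```

Running `lacp_only(SAMPLE_FRAMES.values())` returns only the LACP frame, while `capture_filter_matches` is true for the Marker and OAM frames too, which is the over-match the reply warns about.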
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users