Guys, I am trying to use TShark to capture ip packets with 172.16.1.1/2 or 172.16.2.1/2 and mpls packets with 2 layer label (23,25) or 1 layer label 19 at the same time with below command but failed tshark -i eth1 -w test2.cap '(net 172.16.2.0/30 or 172.16.1.0/30) or (mpls and mpls 19) or (mpls 23 and mpls 25)' it seems like only the first "mpls and mpls 19" filter will work....do any of you guys can tell if we can capture 2 layer label (23,25) and 1 layer label 19 at the same time please? asked 13 Dec '10, 19:08 alexzhao edited 13 Dec '10, 19:09 |
One Answer:
First of all, capture filters use BPF filters and BPF is based on a tiny state machine with a few machine instructions. You can show the code that will be used by a capture filter by using dumpcap -d or tcpdump -d. Whenever a keyword is used in a capture filter that denotes an encapsulation (vlan, mpls, ppp, etc), the offset into the packet is increased by the size of the encapsulation header. So in your case, each mpls keyword increases the offset with 4 bytes. This results in BPF code that looks at the wrong place for your mpls labels. As can be seen in the following output (restricted to the first part of your filter):
The first mpls label starts at offset 14 and the second at offset 18. However, the generated code first looks at the "bottom of stack" bit of the first mpls header and then checks the actual label in the second mpls header. So using mpls keywords multiple times in a filter will not help you. The only way to get the result you want is to manually look at the proper locations for your mpls labels. You can change your filter (only the mpls part) to:
(I have split the command for readability, it should be on one line though) This filter first checks for the mpls ethertype. Then it checks the first mpls header to see whether label 19 is present and that it is the last label in the stack. If not, it checks whether label 23 is present and that label 23 is not the last label. In case of the latter, it then checks the second mpls header to see whether it has label 25 and that is now is the last label in the stack. I don't have a MPLS trace with multiple labels to experiment with, but looking at the generated BPF code, I think it should work :-) answered 14 Dec '10, 01:02 SYN-bit ♦♦ |
Thanks, it perfectly resolved my question and give me a new way to capture packets with T-shark filter.
I converted your answer to a comment, please have a look at :
http://ask.wireshark.org/questions/292/example-of-how-to-use-askwiresharkorg-and-how-not-to
to know why :-)