Netflow v9 and MPLS

Question

Hello,

I'm using Wireshark to capture Netflow v9 flow exports of MPLS encapsulated packets. For packets that have multiple labels (e.g. L3VPN traffic), it seems that Wireshark is showing the bottom label (the one that has the bottom of stack bit set to 1), as "top of stack." Is this a typo in the decoder?

I uploaded a screenshot here: http://imgur.com/4pnfk6S

Thanks, Chris

Accepted Answer

Can you confirm the actual hex (undecoded) that make up the label headers? It's a bit to navigate but it looks like the function being called on each label header starts at line 1493 of file "packet-netflow.c". That function seems to be checking that bit value to see if it's set, and I think you're right (looks like the logic is to add the text "top-of-stack" if the "bottom-of-stack" bit is set).

I suggest commenting on this in Wireshark's bugzilla page at: https://bugs.wireshark.org/bugzilla/

For reference, the code there is:

proto_tree_add_mpls_label(proto_tree pdutree, tvbuff_t tvb, int offset, int length, int level)
{
    proto_item *ti;
    if( length == 3) {
        guint8 b0 = tvb_get_guint8(tvb, offset);
        guint8 b1 = tvb_get_guint8(tvb, offset + 1);
        guint8 b2 = tvb_get_guint8(tvb, offset + 2);
        ti = proto_tree_add_text(pdutree, tvb, offset, length,
                                 "MPLS-Label%d: %u exp-bits: %u %s", level,
                                 ((b0<<12)+(b1<<4)+(b2>>4)),
                                 ((b2>>1)&0x7),
                                 ((b2&0x1)?"top-of-stack":""));
    } else {
        ti = proto_tree_add_text(pdutree, tvb, offset, length,
                                 "MPLS-Label%d: bad length %d", level, length);
    }
    return ti;
}