This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Netflow v9 and MPLS

0

Hello,

I'm using Wireshark to capture Netflow v9 flow exports of MPLS encapsulated packets. For packets that have multiple labels (e.g. L3VPN traffic), it seems that Wireshark is showing the bottom label (the one that has the bottom of stack bit set to 1), as "top of stack." Is this a typo in the decoder?

I uploaded a screenshot here: http://imgur.com/4pnfk6S

Thanks, Chris

asked 27 Aug '14, 10:58

mplspackets's gravatar image

mplspackets
16114
accept rate: 0%


One Answer:

1

Can you confirm the actual hex (undecoded) that make up the label headers? It's a bit to navigate but it looks like the function being called on each label header starts at line 1493 of file "packet-netflow.c". That function seems to be checking that bit value to see if it's set, and I think you're right (looks like the logic is to add the text "top-of-stack" if the "bottom-of-stack" bit is set).

I suggest commenting on this in Wireshark's bugzilla page at: https://bugs.wireshark.org/bugzilla/

For reference, the code there is:

proto_tree_add_mpls_label(proto_tree pdutree, tvbuff_t tvb, int offset, int length, int level)
{
    proto_item *ti;
    if( length == 3) {
        guint8 b0 = tvb_get_guint8(tvb, offset);
        guint8 b1 = tvb_get_guint8(tvb, offset + 1);
        guint8 b2 = tvb_get_guint8(tvb, offset + 2);
        ti = proto_tree_add_text(pdutree, tvb, offset, length,
                                 "MPLS-Label%d: %u exp-bits: %u %s", level,
                                 ((b0<<12)+(b1<<4)+(b2>>4)),
                                 ((b2>>1)&0x7),
                                 ((b2&0x1)?"top-of-stack":""));
    } else {
        ti = proto_tree_add_text(pdutree, tvb, offset, length,
                                 "MPLS-Label%d: bad length %d", level, length);
    }
    return ti;
}

answered 27 Aug '14, 17:44

Quadratic's gravatar image

Quadratic
1.9k6928
accept rate: 13%

Here's the hex for each label field in the flow export: http://imgur.com/a/FaTso#0

I went ahead and filed a bug 10458. Thanks for your help!

(09 Sep '14, 06:52) mplspackets
1
(10 Sep '14, 10:07) Bill Meier ♦♦