This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I handle ethernet payload where MPLS is in the clear and the rest of the payload is encrypted?

0

If I understand correctly, the MPLS dissector inspects the rest of the ethernet payload to determine what type it is. If it is encrypted or corrupted, it will randomly match various types which impacts my analysis.

  • I cannot disable the MPLS dissector because I need to decode the MPLS header.
  • Changing the default decoder for MPLS payload is inadequate because:
      • It's more of a 'last resort decoder' as it only applies after failing to match
      • There's no 'do not decode' option

It seems like a 'do not decode MPLS payload at all' feature was overlooked. So, does this sound like a feature request or have I overlooked a way of handling this?

asked 28 Jul '15, 19:00


Guy Gangemi
6113
accept rate: 100%


One Answer:

0

Going to Preferences > Protocols > MPLS and setting Default decoder won't work for reasons outlined above.

Decode as... > Link won't work because the Ethertype is parsed from the payload which means it's effectively a random value.

Decode as... > MPLS will work because, in my case, mpls.label is a constant value.

However, the inbuilt Data dissector isn't present in the list so I added one using Lua. The Lua file is quite simple:

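-- Look up the built-in generic "data" dissector.
local MPLS_DATA = Dissector.get("data")
-- Table the MPLS dissector consults to pick a payload dissector by label.
local mpls_table = DissectorTable.get("mpls.label")
-- 4294967295 is outside the 20-bit label range; it only lists Data under Decode as... > MPLS.
mpls_table:add(4294967295, MPLS_DATA)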

I followed the Wireshark guide here to enable Lua.

Now I can find Data in the Decode as... > MPLS list and selecting it results in the MPLS payload presented as generic data.

answered 29 Jul '15, 20:11


Guy Gangemi
6113
accept rate: 100%
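
Building on the answer above, an added example (not part of the original answer and not Wireshark project code): a small Lua dissector that presents the MPLS payload as opaque bytes and registers itself for specific labels, so the payload is never guessed at and no per-capture Decode as... step is needed. The protocol name `mplsopaque` and the label values are assumptions; replace the labels with the constant label(s) carrying the encrypted traffic.

```lua
-- Added example: opaque-payload dissector for encrypted MPLS traffic.
-- "mplsopaque" and the values in OPAQUE_LABELS are hypothetical placeholders.
local opaque = Proto("mplsopaque", "MPLS Opaque (Encrypted) Payload")

local f_len  = ProtoField.uint32("mplsopaque.length", "Payload length", base.DEC)
local f_data = ProtoField.bytes("mplsopaque.data", "Payload")
opaque.fields = { f_len, f_data }

-- Labels whose payload must not be interpreted (constructed sample values).
local OPAQUE_LABELS = { 1001, 1002 }

function opaque.dissector(tvb, pinfo, tree)
    local len = tvb:len()
    if len == 0 then
        return 0
    end

    -- Make the packet list show that the payload was deliberately not decoded.
    pinfo.cols.protocol = "MPLS-OPAQUE"
    pinfo.cols.info = string.format("Opaque MPLS payload, %d bytes", len)

    local subtree = tree:add(opaque, tvb(), "MPLS Opaque Payload")
    local len_item = subtree:add(f_len, tvb(), len)
    len_item:set_generated()          -- value is computed, not read from the wire
    subtree:add(f_data, tvb())

    -- Claim the whole buffer so nothing else tries to dissect it.
    return len
end

-- Same table the answer uses; entries here are matched on mpls.label.
local mpls_table = DissectorTable.get("mpls.label")
for _, label in ipairs(OPAQUE_LABELS) do
    mpls_table:add(label, opaque)
end
```

The display filter `mplsopaque` then selects exactly the packets whose payload was left undecoded, which keeps them separate from traffic that was genuinely identified.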