This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have some traces containing MPLS frames which carry Ethernet trames, in fact PPPoE in PW without Control Word. With "old" 1.x Wireshark release there was an option where it was possible to specific the default mode for MPLS PW (no control work in my case). This option is no longer present in the 2.x release. I could specify behaviour per MPLS LSP with Decode as menu, but this is cumbersome because there are many different LSP in my trace (more than 1000) and this has to be done for each LSP.

asked 01 Feb '16, 06:33

thoudoin's gravatar image

thoudoin
21113
accept rate: 0%

Could you share us a tracefile?

(02 Feb '16, 12:31) Christian_R

Yes no problem. How could I send this trace file ?

(03 Feb '16, 05:54) thoudoin

You can share a capture in a publicly accessible spot, e.g. Google Drive, DropBox etc, edit your question with a link to the file.

(03 Feb '16, 07:16) grahamb ♦

Looks like an MPLS shim after the UDP header, with no control word, and then another Ethernet header plus payload.

(04 Feb '16, 00:59) Jasper ♦♦

Here is a trace file : https://drive.google.com/open?id=0BwURomrmoW7VaFJ3d1JiQzlBVWc

The trace only contains PPP LCP or IPCP packets from many MPLS LSP as stated in my first comment.

(04 Feb '16, 10:19) thoudoin

That link shows me a login screen, but I have no Google account and have no intention of ever having one. What's the way to download it without a Google account?

(04 Feb '16, 10:32) Guy Harris ♦♦

I have just followed the first recommendation to share the trace on a public site like google drive. Please tell me what is acceptable from your point of view. I have no Microsoft account and doesn't want to create one...

(04 Feb '16, 10:39) thoudoin

Try https://www.cloudshark.org, it's usually the easiest way and doesn't need a login. Just upload and post the URL.

(04 Feb '16, 10:43) Jasper ♦♦

Or file a bug on the Wireshark Bugzilla and attach the capture.

Or, if Google Drive allows a file to be made generally publicly available, do so.

(04 Feb '16, 10:47) Guy Harris ♦♦

The sharing options for the file should be adjusted so that it's "anyone with the link" or "Public on the Web". See this bit of Google help.

(04 Feb '16, 10:48) grahamb ♦

Here is the link on CloudShark https://www.cloudshark.org/captures/b3ad42cb58cd

Hope it will be accessible now.

(04 Feb '16, 10:55) thoudoin

Looks like an MPLS shim after the UDP header, with no control word, and then another Ethernet header plus payload.

I've made yacare's issue into a separate question; could you add your comment to that question?

(04 Feb '16, 12:14) Guy Harris ♦♦

Hi Guy,

The pcap I post is a MPLS over UDP packet. Use following lua script to decode the UDP payload.

-- declare vrouter agent protocol mplsoudp_proto = Proto("mplsoudp","Mpls over UDP")

local dis_mpls = Dissector.get("mpls")

-- create a function to dissect it function mplsoudp_proto.dissector(buffer,pinfo,tree) dis_mpls:call(buffer,pinfo,tree) end

udp_table = DissectorTable.get("udp.port") udp_table:add(51234,mplsoudp_proto) udp_table:add(6635,mplsoudp_proto)

(04 Feb '16, 12:14) yacare

As I said, I've made your issue into a separate question. Please add your comments to that question.

(04 Feb '16, 12:17) Guy Harris ♦♦
showing 5 of 14 show 9 more comments

There is a bug where the MPLS behavior was discussed here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11949

permanent link

answered 02 Feb '16, 15:14

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 02 Feb '16, 15:15

The 2.x equivalent of the preference in 1.x is to disable the "Ethernet PW (with CW)" dissector in Analyze -> Enabled Protocols.

permanent link

answered 04 Feb '16, 11:25

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thanks a lot for this answer. This work well !

(04 Feb '16, 11:38) thoudoin

Your "answer" has been converted to a comment as that's how this site works.

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(04 Feb '16, 11:46) grahamb ♦

hi Guy,

After Ethernet PW (with CW) is disabled, the mpls payload is not parsed. Is there any way parse the payload as ethernet without PW?

Thanks

(04 Feb '16, 12:06) yacare

@yacare I converted your comment to a separate question, as it's a separate problem, and the answer for thoudoin's problem is irrelevant to your problem.

(04 Feb '16, 12:12) Guy Harris ♦♦

I converted your comment to a separate question. I will not answer any of your comments that are attached to this question; if you want my help, you will have to comment on that question.

(04 Feb '16, 12:26) Guy Harris ♦♦

The question you converted is not really the same as mine. I just create a new one at below.

https://ask.wireshark.org/questions/49875/how-to-make-wireshark-parse-ethernet-frame-over-mpls-as-no-cw

(04 Feb '16, 19:11) yacare
showing 5 of 7 show 2 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×25

question asked: 01 Feb '16, 06:33

question was seen: 3,227 times

last updated: 04 Feb '16, 19:11

p​o​w​e​r​e​d by O​S​Q​A