I have some traces containing MPLS frames which carry Ethernet trames, in fact PPPoE in PW without Control Word. With "old" 1.x Wireshark release there was an option where it was possible to specific the default mode for MPLS PW (no control work in my case). This option is no longer present in the 2.x release. I could specify behaviour per MPLS LSP with Decode as menu, but this is cumbersome because there are many different LSP in my trace (more than 1000) and this has to be done for each LSP. asked 01 Feb '16, 06:33 thoudoin showing 5 of 14 show 9 more comments |
2 Answers:
There is a bug where the MPLS behavior was discussed here: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11949 answered 02 Feb '16, 15:14 Jasper ♦♦ edited 02 Feb '16, 15:15 |
The 2.x equivalent of the preference in 1.x is to disable the "Ethernet PW (with CW)" dissector in Analyze -> Enabled Protocols. answered 04 Feb '16, 11:25 Guy Harris ♦♦ Thanks a lot for this answer. This work well ! (04 Feb '16, 11:38) thoudoin Your "answer" has been converted to a comment as that's how this site works. If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information. (04 Feb '16, 11:46) grahamb ♦ hi Guy, After Ethernet PW (with CW) is disabled, the mpls payload is not parsed. Is there any way parse the payload as ethernet without PW? Thanks (04 Feb '16, 12:06) yacare @yacare I converted your comment to a separate question, as it's a separate problem, and the answer for thoudoin's problem is irrelevant to your problem. (04 Feb '16, 12:12) Guy Harris ♦♦ Here are the screen captures.
(04 Feb '16, 12:18) yacare I converted your comment to a separate question. I will not answer any of your comments that are attached to this question; if you want my help, you will have to comment on that question. (04 Feb '16, 12:26) Guy Harris ♦♦ The question you converted is not really the same as mine. I just create a new one at below. (04 Feb '16, 19:11) yacare showing 5 of 7 show 2 more comments |
Could you share us a tracefile?
Yes no problem. How could I send this trace file ?
You can share a capture in a publicly accessible spot, e.g. Google Drive, DropBox etc, edit your question with a link to the file.
Looks like an MPLS shim after the UDP header, with no control word, and then another Ethernet header plus payload.
Here is a trace file : https://drive.google.com/open?id=0BwURomrmoW7VaFJ3d1JiQzlBVWc
The trace only contains PPP LCP or IPCP packets from many MPLS LSP as stated in my first comment.
That link shows me a login screen, but I have no Google account and have no intention of ever having one. What's the way to download it without a Google account?
I have just followed the first recommendation to share the trace on a public site like google drive. Please tell me what is acceptable from your point of view. I have no Microsoft account and doesn't want to create one...
Try https://www.cloudshark.org, it's usually the easiest way and doesn't need a login. Just upload and post the URL.
Or file a bug on the Wireshark Bugzilla and attach the capture.
Or, if Google Drive allows a file to be made generally publicly available, do so.
The sharing options for the file should be adjusted so that it's "anyone with the link" or "Public on the Web". See this bit of Google help.
Here is the link on CloudShark https://www.cloudshark.org/captures/b3ad42cb58cd
Hope it will be accessible now.
I've made yacare's issue into a separate question; could you add your comment to that question?
Hi Guy,
The pcap I post is a MPLS over UDP packet. Use following lua script to decode the UDP payload.
-- declare vrouter agent protocol mplsoudp_proto = Proto("mplsoudp","Mpls over UDP")
local dis_mpls = Dissector.get("mpls")
-- create a function to dissect it function mplsoudp_proto.dissector(buffer,pinfo,tree) dis_mpls:call(buffer,pinfo,tree) end
udp_table = DissectorTable.get("udp.port") udp_table:add(51234,mplsoudp_proto) udp_table:add(6635,mplsoudp_proto)
As I said, I've made your issue into a separate question. Please add your comments to that question.