Hi all, I have captured packets (MPLS) with Wireshark and I am analyzing them. What I really do not understand: I opened the same file with 2 versions of Wireshark. The newest version does not show me the details of the internal L2 packets (like VLAN/MAC addresses) but only mentions "PW control word". The old version (1.0.5) shows me exactly those parameters I miss in the new version (VLAN, PRI, MAC...). Can someone explain to me why there is a difference and how I can set the new version to see these parameters? Attached here is a picture of both versions opened with the same file/same packet. Thanks, Eyal
asked 29 Aug '16, 23:31 eyalp, edited 30 Aug '16, 02:59 Jaap ♦
One Answer:
It looks like the new version is actually telling the truth; when looking at the inner Ethernet MAC addresses they look correct in the new version and bogus in the old one. But lacking the actual capture file makes the determination difficult. If you can share the capture file (through CloudShark for instance) a more detailed analysis can be made.
answered 30 Aug '16, 03:03 Jaap ♦
Hi, thanks for the answer. I assume that the new version is supposed to present it more correctly, but still the important details are missing. I am generating these packets by using Ethernet test equipment, and I still do not understand why the new version presents the PW control word but not the other L2 parameters (which exist in the packet).
I also do not understand from where the new version presents the SA and the DA? These are not coming from my systems. How can I attach the original file here? I can see only a possibility for pictures. Best Regards, Eyal
There's no file sharing option here, so you have to use other means. The cloudshark.org site has a cloud based pcap viewer where you can upload your capture file to, for viewing and download. Then further analysis can be made.
Hi, thanks. I added the file to CloudShark: https://www.cloudshark.org/captures/4d160d42aab0 The strange thing is that if I look at the file I shared on CloudShark (online view), I can see it perfectly, as it should be. There is the PW control word, but also the L2 parameters... really strange!
Thanks
I'm afraid it is the "PW with or without CW, or no PW at all" heuristic which fails in the new version, possibly on your home-brewed MAC addresses with so many leading 00 bytes. To let your frames be dissected properly, you have to use Decode as... and say that MPLS label 4099 indicates that the MPLS payload contains just an Ethernet frame without any PW. The version running at Cloudshark does show a PW line in the dissection but no data matching to it in the packet bytes pane.
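
An added illustration (not from the thread, and not Wireshark's dissector code) of the ambiguity the last answer describes: the same MPLS payload read as a bare Ethernet frame and as a 4-byte PW control word followed by an Ethernet frame. The frame bytes and the function names are constructed for this example; the only rule assumed is RFC 4385's that a PW control word starts with the nibble 0000.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_eth(buf):
    """Parse an Ethernet II header, following one optional 802.1Q tag."""
    dst, src = buf[0:6], buf[6:12]
    (etype,) = struct.unpack("!H", buf[12:14])
    pri = vlan = None
    if etype == 0x8100:  # 802.1Q tag: 3-bit PRI, 1-bit DEI, 12-bit VLAN ID
        tci, etype = struct.unpack("!HH", buf[14:18])
        pri, vlan = tci >> 13, tci & 0x0FFF
    return {"dst": mac(dst), "src": mac(src), "pri": pri, "vlan": vlan,
            "ethertype": etype}

def interpretations(payload):
    """Return each structurally possible reading of an MPLS payload."""
    readings = {"no_cw": parse_eth(payload)}
    # RFC 4385: a PW control word is 4 bytes whose first nibble is 0000.
    # A destination MAC starting with 00 passes the same test, so the
    # first nibble alone cannot tell the two layouts apart.
    if payload[0] >> 4 == 0:
        readings["with_cw"] = parse_eth(payload[4:])
    return readings

# Constructed sample: test-equipment style MACs with leading 00 bytes,
# an 802.1Q tag (PRI 5, VLAN 100), EtherType IPv4, then padding.
SAMPLE = bytes.fromhex(
    "000000000001"   # destination MAC
    "000000000002"   # source MAC
    "8100" "a064"    # 802.1Q TPID + TCI
    "0800"           # inner EtherType
) + bytes(8)

if __name__ == "__main__":
    for name, fields in interpretations(SAMPLE).items():
        print(name, fields)
```

Reading the first four bytes as a control word shifts every later field by four bytes, so the MAC addresses change and the VLAN tag is no longer found where the parser expects it.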