This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

packet content difference in different versions

0

Hi ALL

I have captured packets (MPLS) with Wireshark and I am analyzing them. What I really do not understand: I opened the same file with 2 versions of Wireshark: the newest version does not show me the details of the internal L2 packets (like VLAN/MAC addresses) but only mentions "PW control word".


The old version (1.0.5) shows me exactly those parameters I miss in the new version (VLAN, PRI, MAC...).

Can someone explain to me why there is a difference and how I can set the new version to see these parameters?

Attached here is a picture of both versions opened with the same file/same packet.

Thanks Eyal

asked 29 Aug '16, 23:31

eyalp

edited 30 Aug '16, 02:59

Jaap ♦


One Answer:

1

It looks like the new version is actually telling the truth; when looking at the inner Ethernet MAC addresses they look correct in the new version and bogus in the old one. But lacking the actual capture file makes the determination difficult. If you can share the capture file (through CloudShark for instance) a more detailed analysis can be made.

answered 30 Aug '16, 03:03

Jaap ♦

Hi, thanks for the answer. I assume that the new version is supposed to present it more correctly, but still the important details are missing. I am generating these packets by using Ethernet test equipment, and I still do not understand why the new version presents the PW control word but not the other L2 parameters (which exist in the packet).

I also do not understand from where the new version presents the SA and the DA. These are not coming from my systems. How can I attach the original file here? I can see only a possibility for a picture. Best Regards, Eyal

(30 Aug '16, 03:38) eyalp

There's no file sharing option here, so you have to use other means. The cloudshark.org site has a cloud based pcap viewer where you can upload your capture file to, for viewing and download. Then further analysis can be made.

(30 Aug '16, 03:46) Jaap ♦

Hi, thanks, I added the file to CloudShark: https://www.cloudshark.org/captures/4d160d42aab0 The strange thing is that if I look at the file I shared on CloudShark (online view), I can see it perfectly as it should be. There is the PW control word, but also the L2 parameters... really strange!

Thanks

(30 Aug '16, 21:53) eyalp

I'm afraid it is the "PW with or without CW, or no PW at all" heuristic which fails in the new version, possibly on your home-brewed MAC addresses with so many leading 00 bytes. To let your frames be dissected properly, you have to use Decode as... and say that MPLS label 4099 indicates that the MPLS payload contains just an Ethernet frame without any PW. The version running at Cloudshark does show a PW line in the dissection but no data matching to it in the packet bytes pane.

(31 Aug '16, 01:06) sindy
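
The ambiguity sindy describes, as an added example that is not part of the original thread and is not Wireshark's dissector code: a simplified first-nibble guess (0 = PW control word per RFC 4385, 4/6 = IP) misreads a raw Ethernet payload whose destination MAC starts with 00, while a manual override recovers the MACs, VLAN and priority. The function names and the sample packet are constructed for illustration; only label 4099 comes from the thread.

```python
import struct

def strip_mpls(buf):
    """Pop MPLS label stack entries; return (labels, payload)."""
    labels, off = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", buf, off)
        off += 4
        labels.append(entry >> 12)            # top 20 bits are the label
        if entry & 0x100:                     # bottom-of-stack (S) bit
            return labels, buf[off:]

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_eth(frame):
    """Parse an Ethernet header with an optional single 802.1Q tag."""
    out = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]), "vlan": None, "pri": None}
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == 0x8100:
        tci, etype = struct.unpack_from("!HH", frame, 14)
        out["vlan"], out["pri"] = tci & 0x0FFF, tci >> 13
    out["ethertype"] = etype
    return out

def guess_by_nibble(payload):
    """First-nibble guess: 4/6 = IP, 0 = PW control word, 1 = PW ACH."""
    nib = payload[0] >> 4
    return {4: "ipv4", 6: "ipv6", 0: "eth-with-cw", 1: "pw-ach"}.get(nib, "eth-no-cw")

def dissect(packet, force=None):
    """Return (labels, kind, inner Ethernet fields or None)."""
    labels, payload = strip_mpls(packet)
    kind = force or guess_by_nibble(payload)
    if kind == "eth-with-cw":
        return labels, kind, parse_eth(payload[4:])   # skip the 4-byte control word
    if kind == "eth-no-cw":
        return labels, kind, parse_eth(payload)
    return labels, kind, None

# Constructed sample: label 4099, S=1, TTL 64, then a raw Ethernet frame (no CW)
# with test-equipment style MACs, VLAN 100, priority 5.
INNER = bytes.fromhex("000000000002" "000000000001" "8100" "a064" "0800") + b"\x45" + bytes(19)
PACKET = struct.pack("!I", (4099 << 12) | 0x100 | 64) + INNER

if __name__ == "__main__":
    print(dissect(PACKET))                     # nibble guess: shifted, bogus MACs
    print(dissect(PACKET, force="eth-no-cw"))  # manual override, like Decode As
```

Any destination MAC whose first octet is below 0x10 has a leading nibble of 0, so a guess based on that nibble alone cannot separate such a frame from one carrying a control word.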