in wireshark version 1.x the following script works without problems:
how should we modify the call to
asked 05 Jan '17, 02:13 x42
2 Answers:
I think you have to try your luck with
answered 05 Jan '17, 09:52 Jaap ♦
thanks to michael mann and anders broman the missing mpls-dissectors (
answered 08 Jan '17, 06:26 x42, edited 08 Jan '17, 09:19
pw_eth_heuristic does not help us in our case, sorry ... the reason why we are forced to write own lua-scripts to begin with is that the heuristic for mpls is probably limited to the case of ipv4 frames and does not recognize all our embedded ipv6-frames correctly.
so currently we would be limited to use wireshark 1.x together with lua-scripts that explicitly use the pw_eth_cw and pw_eth_nocw dissectors?
otherwise we would humbly ask you - the wireshark-gurus - to extend the heuristic to include cases where the mpls payload consists of ipv6-frames ...
x42, Open a bug with your pcap file
thanks ... bug has been reported https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13295
It already does take IPv6 into consideration, according to BCP 4928, RFC 4385 and RFC 4448. I'll go and have a look at the sample capture to see what it does do.
you are absolutely right in this point :-)
please also note the following bug which shows another case of mpls misinterpretation: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13301
seemingly mpls heuristic is very tricky indeed ...
sometime along the way lines like
were removed from epan/dissectors/packet-pw-eth.c
any strong reasons for doing so ? maybe we could simply get them back again ?
it would seem that the reason for removing many register_dissector() code-lines given in https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commitdiff;h=7ca04728c35560530304e7f2266bc9f01e020267
namely:
could be arguable.
the important and regrettable side-effect thereof is that we lose the ability to use these dissectors in user-defined lua-scripts and implement or experiment with different mpls-heuristics ?
i would therefore suggest, that all mpls-related register_dissector() calls should be inserted back into the source code again ...
Can't look it up at the moment but do we have a function find protocol by filter name? Or something similar.
please also consider the following argument as to why the mpls-dissectors like e.g. "pw_eth_cw" or "pw_eth_nocw" etc. ought to be available and callable from lua:
the reason why mpls-heuristics in wireshark (or other sniffers) has fundamental problems decoding the mpls-payload correctly comes from the simple fact that - as you probably all know very well - the mpls-header does not contain any "type-field" which would define what kind of "protocol-over-mpls" will follow in the payload.
"protocol" might be "ethernet" (pw with or without cw) but also "ipv4" or "ipv6" or maybe even something completely different like e.g. "fabricpath" ;-)
wireshark could attempt to analyze different length-fields, checksums or god knows which other parameters and fields from all potential "protocols" in order to perform a successful identification.
when, however, some of these length-fields, checksums etc are corrupt or erroneous, then the poor heuristic would have no earthly possibility to determine which "protocol" is being transported over mpls ...
so probably the only practical solution to be able to perform a successful dissection of a "protocol" in the presence of corrupt and/or erroneous protocol-fields would be to have the knowledge of the "protocol" beforehand - for instance through the gui-function 'decode as ...' or through a lua-script.
in cases, where the number of mpls-labels is large, it is surely more user-friendly to use a lua-script (or possibly other global mpls dissection-settings) instead of manually defining a large number of 'decode as ...' rules.
this is the reason, why it might be a good idea to be able to access all different dissectors via lua in addition to having a strong heuristic ...
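
The argument in the last comment, that the MPLS label stack has no type field and a dissector can only guess the payload unless it is told beforehand, sketched as an added example (not part of the original thread and not Wireshark's code). The function names, the label values, the `decode_as` map and the sample bytes are all constructed for illustration; the guess uses only the first payload nibble.

```python
import struct

def mpls_entry(label, bottom, ttl=64):
    """Build one 4-byte label stack entry (label:20, TC:3, S:1, TTL:8)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)

def parse_label_stack(data):
    """Return ([labels...], payload) for the bytes following ethertype 0x8847."""
    labels, off = [], 0
    while True:
        if len(data) < off + 4:
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        labels.append(word >> 12)
        if word & 0x100:              # S bit set: bottom of stack
            return labels, data[off:]

def guess_payload(payload):
    """First-nibble guess: the label stack carries no payload type field."""
    if not payload:
        return "empty"
    nibble = payload[0] >> 4
    return {4: "ipv4", 6: "ipv6", 0: "pw_cw"}.get(nibble, "unknown")

def classify(data, decode_as=None):
    """Prefer prior knowledge keyed on the bottom label over the guess."""
    labels, payload = parse_label_stack(data)
    known = (decode_as or {}).get(labels[-1])
    return known or guess_payload(payload)

# Constructed sample payloads (not from the capture discussed in the thread).
IPV6_HDR = bytes([0x60, 0, 0, 0, 0, 0, 59, 64]) + bytes(32)
ETH_FRAME = bytes.fromhex("600000aabbcc" "020000000001" "86dd") + IPV6_HDR
REAL_IPV6 = mpls_entry(16, False) + mpls_entry(100, True) + IPV6_HDR
ETH_NOCW = mpls_entry(16, False) + mpls_entry(200, True) + ETH_FRAME
ETH_CW = mpls_entry(300, True) + bytes(4) + ETH_FRAME

if __name__ == "__main__":
    for name, pkt in [("ipv6", REAL_IPV6), ("eth no cw", ETH_NOCW), ("eth cw", ETH_CW)]:
        print(name, "->", classify(pkt))
    print("eth no cw with map ->", classify(ETH_NOCW, {200: "pw_eth_nocw"}))
```

The Ethernet frame without a control word is guessed as IPv6 because its constructed destination MAC starts with the nibble 6; only the per-label map yields the intended type.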