Wireshark mailing list archives
Capture Filter for MPLS GRE Encapsulated Packets
From: J P <jrp999 () gmail com>
Date: Tue, 22 Mar 2011 14:47:39 -0600
Hi Everyone,

I am trying to do a capture filter for the packet below for port 67 and 68 highlighted below in *RED*.

I have tried:

vlan and mpls and mpls and port 67 - Capture Filter saved correctly but no DHCP traffic captured
mpls and mpls and vlan and port 67 - error when saving capture filter - no vlan match after mpls
vlan and ether and IP and mpls and mpls and port 67 - error when saving capture filter - link layer applied in wrong context
vlan and IP and mpls and mpls and port 67 - error when saving capture filter - Invalid Syntax

Now I am thinking of doing an absolute offset:

ether[80:2] == 0x0043 or ether[80:2] == 0x0044 - Capture Filter saved correctly and captured the required traffic

Do you know of a more elegant way of doing this capture that would be more repeatable with different levels of encapsulation?

Any suggestions would be appreciated.

Thanx,
John

===============================================================================================

No.   Time             Source   Destination  Protocol  Info   TCP SEQ   TCP ACK
2058  07:40:35.308901  x.x.x.x  y.y.y.y      DHCP      DHCP Release - Transaction ID 0x8161892

Frame 2058 (397 bytes on wire, 397 bytes captured)
    Arrival Time: Mar 22, 2011 07:40:35.308901000
    [Time delta from previous captured frame: 0.119089000 seconds]
    [Time delta from previous displayed frame: 1118.799111000 seconds]
    [Time since reference or first frame: 2331.849159000 seconds]
    Frame Number: 2058
    Frame Length: 397 bytes
    Capture Length: 397 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:gre:mpls:eth:vlan:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5), Dst: 02:00:00:00:00:01 (02:00:00:00:00:01)
    Destination: 02:00:00:00:00:01 (02:00:00:00:00:01)
        Address: 02:00:00:00:00:01 (02:00:00:00:00:01)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5)
        Address: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: a.a.a.a (a.a.a.a), Dst: b.b.b.b (b.b.b.b)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 383
    Identification: 0x6483 (25731)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: GRE (0x2f)
    Header checksum: 0xcb6b [correct]
        [Good: True]
        [Bad : False]
    Source: a.a.a.a (a.a.a.a)
    Destination: b.b.b.b (b.b.b.b)
Generic Routing Encapsulation (MPLS label switched packet)
    Flags and version: 0000
        0... .... .... .... = No checksum
        .0.. .... .... .... = No routing
        ..0. .... .... .... = No key
        ...0 .... .... .... = No sequence number
        .... 0... .... .... = No strict source route
        .... .000 .... .... = Recursion control: 0
        .... .... 0000 0... = Flags: 0
        .... .... .... .000 = Version: 0
    Protocol Type: MPLS label switched packet (0x8847)
MultiProtocol Label Switching Header, Label: 400, Exp: 0, S: 1, TTL: 255
    MPLS Label: 400
    MPLS Experimental Bits: 0
    MPLS Bottom Of Label Stack: 1
    MPLS TTL: 255
Ethernet II, Src: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
        Address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)
        Address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1324
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = CFI: 0
    .... 0101 0010 1100 = ID: 1324
    Type: IP (0x0800)
Internet Protocol, Src: x.x.x.x(z.z.z.z), Dst: y.y.y.y (y.y.y.y)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 337
    Identification: 0x9ac4 (39620)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x69c5 [correct]
        [Good: True]
        [Bad : False]
    Source: x.x.x.x(z.z.z.z)
    Destination: y.y.y.y (y.y.y.y)
User Datagram Protocol, Src Port: 68 (68), Dst Port: 67 (67)
    Source port: 68 (68)
    Destination port: 67 (67)
    Length: 317
    Checksum: 0xae1b [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x08161892
    Seconds elapsed: 0
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: x.x.x.x(z.z.z.z)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option: (t=53,l=1) DHCP Message Type = DHCP Release
        Option: (53) DHCP Message Type
        Length: 1
        Value: 07
    Option: (t=61,l=7) Client identifier
        Option: (61) Client identifier
        Length: 7
        Value: 010019E4DAF9D0
        Hardware type: Ethernet
        Client MAC address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)
    Option: (t=56,l=14) Message = "clean shutdown"
        Option: (56) Message
        Length: 14
        Value: 636C65616E2073687574646F776E
    Option: (t=54,l=4) Server Identifier = y.y.y.y
        Option: (54) Server Identifier
        Length: 4
        Value: 8EA5D2E3
    Option: (t=82,l=32) Agent Information Option
        Option: (82) Agent Information Option
        Length: 32
        Value: 011E5245474E534B30314C33302061746D20312F312F3033...
        Agent Circuit ID: 5245474E534B30314C33302061746D20312F312F30332F32...
    End Option
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
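Added example, not part of the original post and not Wireshark code: the dissection above gives 14 (Ethernet) + 20 (IP) + 4 (GRE) + 4 (MPLS) + 14 (Ethernet) + 4 (802.1Q) + 20 (IP) = 80 bytes before the inner UDP header, so ether[80:2] is the UDP source port and ether[82:2] the destination port. The sketch below derives that offset from a list of layers, emits a filter that tests both ports behind guards on the outer IPv4/GRE/MPLS fields, and checks the result against a constructed frame. The function names are hypothetical, and the fixed sizes assume no IPv4 options and no optional GRE fields, as in the frame shown.

```python
import struct

# Header sizes in bytes. Assumes no IPv4 options and no optional GRE fields,
# which matches the frame dissected in the post.
SIZES = {"eth": 14, "ip": 20, "gre": 4, "mpls": 4, "vlan": 4}
POST_STACK = ["eth", "ip", "gre", "mpls", "eth", "vlan", "ip"]  # layers before UDP

def udp_offset(stack):
    """Offset of the inner UDP header from the start of the outer frame."""
    return sum(SIZES[layer] for layer in stack)

def dhcp_filter(stack, ports=(67, 68)):
    """Offset-based capture filter for UDP ports behind an eth/ip/gre/... stack."""
    off = udp_offset(stack)
    tests = [f"ether[{o}:2] == 0x{p:04x}" for o in (off, off + 2) for p in ports]
    # Guards: outer IPv4, IP protocol 47 (GRE), GRE protocol type 0x8847 (MPLS).
    guards = "ether[12:2] == 0x0800 and ether[23] == 47 and ether[36:2] == 0x8847"
    return f"{guards} and ({' or '.join(tests)})"

def walk_to_udp(frame):
    """Parse the headers of a frame and return where the inner UDP header starts."""
    off = 14                                        # outer Ethernet
    off += (frame[off] & 0x0F) * 4                  # outer IPv4 (IHL in words)
    flags = struct.unpack_from("!H", frame, off)[0]
    # GRE base header plus checksum/key/sequence words (routing not handled).
    off += 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    while True:                                     # MPLS label stack
        entry = struct.unpack_from("!I", frame, off)[0]
        off += 4
        if entry & 0x100:                           # S bit: bottom of stack
            break
    off += 12                                       # inner Ethernet addresses
    while struct.unpack_from("!H", frame, off)[0] == 0x8100:
        off += 4                                    # one 802.1Q tag
    off += 2                                        # inner EtherType
    return off + (frame[off] & 0x0F) * 4            # inner IPv4

def build_frame(labels=1, vlans=1):
    """Constructed test frame (not captured data) with the post's layering."""
    def ip(proto):
        return bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10)
    mpls = b"".join(struct.pack("!I", (400 << 12) | (int(i == labels - 1) << 8) | 255)
                    for i in range(labels))
    inner_eth = bytes(12) + b"\x81\x00\x05\x2c" * vlans + b"\x08\x00"
    udp = struct.pack("!HHHH", 68, 67, 8, 0)        # src 68, dst 67
    return (bytes(12) + b"\x08\x00" + ip(47) + b"\x00\x00\x88\x47"
            + mpls + inner_eth + ip(17) + udp)

if __name__ == "__main__":
    print(dhcp_filter(POST_STACK))
    print(walk_to_udp(build_frame()), walk_to_udp(build_frame(labels=2, vlans=2)))
```

The capture filter language has no loop for walking a label or tag stack, so each encapsulation depth needs its own generated expression; the guards keep the offset test from matching unrelated frames whose bytes at that position happen to equal 0x0043 or 0x0044.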