Wireshark mailing list archives
Re: Ethernet header below MPLS...
From: Francesco Fondelli <francesco.fondelli () gmail com>
Date: Fri, 16 Sep 2016 14:32:26 +0200
If the Ethernet PW is without the CW (Control Word) - as it seems from your ASCII art - the "magic" might be happened in dissect_pw_eth_heuristic() around line 134 of packet-pw-eth.c. To get the big picture (line 462 of packet-mpls.c + line 134 of packet-pw-eth.c): - is there any user specific label binding for this label (via decode as)? yes use it, else - use the 1st nibble logic (see BCP 4928, RFC 4385 and 5586): 4 => IPv4, 6 => IPv6, 1 => PW Associated Channel (i.e. OAM stuff like S-BFD, BFD, LM, CC, CV...) - if the first nibble is 0 well... wiiild guessss... we try with a bit of "magic" (at line 134 of packet-pw-eth.c) - if the first 6+6 bytes look like (by checking manufacture OUI database) a pair of Ethernet addresses we go with Ethernet PW *without* CW (it seems your case) - else hmmm wait... the first nibble was 0 so it might have been the case of Ethernet PW with a 'Generic PW MPLS Control Word' as per RFC 4385 (uncommon) Isn't Wireshark great? :-) ciao fra On Fri, Sep 16, 2016 at 1:13 AM, barcaroller <barcaroller () gmail com> wrote:
I have a pcap file where, in each packet, the header hierarchy is as follows: ETH IP GRE MPLS ETH <--- ? VLAN IP TCP/UDP I would not expect to see an Ethernet header right below an MPLS header. And yet wireshark was able to properly identify/parse the headers, even though there's no indication in the MPLS header that the following header is Ethernet. How did wireshark do that? ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Ethernet header below MPLS... barcaroller (Sep 15)
- Re: Ethernet header below MPLS... Guy Harris (Sep 15)
- Re: Ethernet header below MPLS... Roland Knall (Sep 16)
- Re: Ethernet header below MPLS... barcaroller (Sep 23)
- Re: Ethernet header below MPLS... Francesco Fondelli (Sep 16)
- Re: Ethernet header below MPLS... barcaroller (Sep 23)
- Re: Ethernet header below MPLS... Guy Harris (Sep 15)