--- Begin Message ---
On May 5, 2020, at 3:15 AM, Gert Doering via tcpdump-workers 
<tcpdump-workers@lists.tcpdump.org> wrote:

> tcpdump's print-mpls.c already does "if I know what upper-layer protocol
> is in here, I call the appropriate printer".  But there is no well-defined
> type field, so it fails for my packets, and falls back to "hexdump"
> (good enough).

OK, so what *shark's MPLS dissector does is:

1) see whether the label indicates the next protocol - but very few label 
values are registered in the dissector table for that, so that's *not* what's 
being used for your dissector (most dissectors just register for the "decode 
as" feature, so the user can say "decode this label as...");

2) if that fails, "use the 1st nibble logic (see BCP 4928, RFC 4385 and 5586)".

The "1st nibble logic" is:

        if the upper nibble of the first octet is 4, it's IPv4;

        if the upper nibble of the first octet is 6, it's IPv6;

        if the upper nibble of the first octet is 1, dissect it as "PW 
Associated Channel Header Management Communication Network (MCN) dissection as 
per RFC 5718" (with a comment that "this could be from an Ethernet pseudo-wire 
without a control word, with the MAC address's first nibble being 1.");

        if the upper nibble of the first octet is 0, then "If this is an 
Ethernet pseudo-wire, this could either be Ethernet without a control word and 
with the first nibble of the destination MAC address being 0 or it could be 
Ethernet with a control word.  Let the "pw_eth_heuristic" dissector try to 
figure it out.".

The heuristics that dissector does are:

        if the first 12 bytes in the payload look like two valid ethernet 
addresses, treat it as Ethernet with no control word;

        otherwise, if the first octet is 0, treat it as Ethernet *with* a 
control word;

        otherwise, treat it as Ethernet without a control word.

"Looks like a valid Ethernet address" is defined as "the first three octets 
appear in Wireshark's file giving manufacturer names for OUIs".  Tcpdump 
*currently* doesn't have such a file.

--- End Message ---
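
The first-nibble logic and the Ethernet pseudo-wire heuristic described in the message above, as an added C example (not code from Wireshark or tcpdump). The enum names, the function names and the three-entry OUI table are assumptions standing in for Wireshark's manufacturer file; the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum payload { PL_UNKNOWN, PL_IPV4, PL_IPV6, PL_PW_ACH, PL_ETH_NO_CW, PL_ETH_CW };

/* Constructed three-entry stand-in for Wireshark's OUI manufacturer file. */
static const uint8_t known_ouis[][3] = {
    {0x00, 0x00, 0x0c}, {0x00, 0x50, 0x56}, {0x08, 0x00, 0x27},
};

static int oui_known(const uint8_t *mac)
{
    for (size_t i = 0; i < sizeof known_ouis / sizeof known_ouis[0]; i++)
        if (memcmp(mac, known_ouis[i], 3) == 0)
            return 1;
    return 0;
}

/* Classify the bytes that follow the bottom-of-stack MPLS label. */
enum payload classify_mpls_payload(const uint8_t *p, size_t len)
{
    if (p == NULL || len == 0)
        return PL_UNKNOWN;              /* truncated capture: read nothing */
    switch (p[0] >> 4) {
    case 4: return PL_IPV4;
    case 6: return PL_IPV6;
    case 1: return PL_PW_ACH;           /* or a MAC whose first nibble is 1 */
    case 0:                             /* the Ethernet pseudo-wire heuristic */
        if (len >= 12 && oui_known(p) && oui_known(p + 6))
            return PL_ETH_NO_CW;        /* two plausible MACs, no control word */
        return p[0] == 0 ? PL_ETH_CW : PL_ETH_NO_CW;
    default: return PL_UNKNOWN;         /* caller can fall back to a hex dump */
    }
}

/* Constructed samples: a bare Ethernet frame, then one behind a zero control word. */
static const uint8_t eth_bare[] = {0x00,0x00,0x0c,0xaa,0xbb,0xcc, 0x00,0x50,0x56,0x11,0x22,0x33, 0x08,0x00};
static const uint8_t eth_cw[]   = {0x00,0x00,0x00,0x00, 0x08,0x00,0x27,0x01,0x02,0x03, 0x00,0x50,0x56,0x11,0x22,0x33};

int main(void)
{
    printf("%d %d\n", classify_mpls_payload(eth_bare, sizeof eth_bare),
           classify_mpls_payload(eth_cw, sizeof eth_cw));
    return 0;
}
```

The length check before the 12-byte comparison keeps the classifier from reading past a truncated capture; a bare frame cut shorter than 12 bytes whose first octet is 0 is then classified as carrying a control word.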
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
