--- Begin Message ---
On May 5, 2020, at 1:01 PM, Francois-Xavier Le Bail via tcpdump-workers
<tcpdump-workers@lists.tcpdump.org> wrote:
> Wireshark MPLS heuristic is not perfect and has been criticized but is still
> there :-) hopefully
> correctly parsing your data as well.
*No* heuristic will be perfect here.
> For tcpdump maybe a -T based approach is better?
>
> -T mpls (+ 1st nibble logic for IPv4/IPv6)
> -T ethpw
> -T ethpwnocw
That's a thought, but -T should probably get a bunch of work done on it.
It's documented as
-T type
Force packets selected by "expression" to be interpreted the
specified type.
but it has nothing to do with the filter expression - that really means "force
all packets to be interpreted [as] the specified type", because "expression"
controls which packets tcpdump sees. It doesn't *entirely* work that way, but
the places where it's checked - for example, the TCP and UDP dissectors - just
do "if somebody specified a -T flag, dissect *everything* as that protocol".
A mechanism where you could do something such as "-T tcp:1073:{protocol}" to
force traffic to TCP port 1073 to be dissected as the specified protocol might
be useful; in this case, we'd do something such as "-T mpls:{protocol}" to
force *all* MPLS packets to be dissected as the specified protocol, and "-T
mpls:{label}:{protocol}", to force packets with a particular label to be
dissected as the specified protocol (which might mean you'd have to run tcpdump
twice - once to see what the label is, and once to decode the label.
That would require a mechanism similar to Wireshark's "run this script on all
dissector files to find their registration routines and call those at run time"
to build a table of the first items in the "-T" string; once we've gone there,
we might as well use it to build a table of the {protocol} values as well, and
we could then just have a mechanism similar to Wireshark's dissector table
mechanism, replacing the big switch statements (back in the very early days,
Wireshark - still called "Ethereal" at the time - used switch statements as
well; that was replaced by a dissector table mechanism) with dissector tables,
which would mean that a new "runs atop TCP" or "runs atop UDP" dissector could
just register and the switch statement wouldn't have to be changed.
We could start out by adding an explicit list of items, just as we currently
have an explicit list of {protocol} values.
--- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers