Re: [Wireshark-users] MPLS over UDP decoding
On Dec 28, 2018, at 2:36 PM, Yang Yu wrote: > On Fri, Dec 28, 2018 at 1:07 PM Guy Harris wrote: >> From looking at the code, the logic appears to be "is the traffic to or from >> UDP port 6635?" >> >> So *is* the traffic to or from UDP port 6635? > > indeed udp.dstport is 6635 (IANA assigned for mpls-udp), so it turned > out a host was using udp/6635 as ephemeral port to connect to a STUN > server So, for this case, follow Hugo van der Kooij's suggestion and disable the MPLS dissector. ___ Sent via:Wireshark-users mailing list Archives:https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-users] MPLS over UDP decoding
On Fri, Dec 28, 2018 at 1:07 PM Guy Harris wrote: > From looking at the code, the logic appears to be "is the traffic to or from > UDP port 6635?" > > So *is* the traffic to or from UDP port 6635? indeed udp.dstport is 6635 (IANA assigned for mpls-udp), so it turned out a host was using udp/6635 as ephemeral port to connect to a STUN server https://github.com/wireshark/wireshark/blob/075785bd20cad395141481a8a9639022bb963aee/services#L4843 https://github.com/wireshark/wireshark/blob/1539e455d70c5f340ce80021c770b8f992051ec2/epan/dissectors/packet-mpls.h#L67 Thanks a lot. ___ Sent via:Wireshark-users mailing list Archives:https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
Re: [Wireshark-users] MPLS over UDP decoding
On Dec 27, 2018, at 3:01 PM, Yang Yu wrote: > In a packet capture of sFlow export packets, I noticed some sFlow > samples were decoded as MPLS over UDP. The sFlow sampled packet was > actually just a UDP VoIP packet with no dissector support. > > What logic does Wireshark use to opportunistically consider UDP > payload to be MPLS? From looking at the code, the logic appears to be "is the traffic to or from UDP port 6635?" So *is* the traffic to or from UDP port 6635? ___ Sent via:Wireshark-users mailing list Archives:https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
