Re: [Wireshark-users] MPLS over UDP decoding

2018-12-28 Thread Guy Harris
On Dec 28, 2018, at 2:36 PM, Yang Yu  wrote:

> On Fri, Dec 28, 2018 at 1:07 PM Guy Harris  wrote:
>> From looking at the code, the logic appears to be "is the traffic to or from 
>> UDP port 6635?"
>> 
>> So *is* the traffic to or from UDP port 6635?
> 
> Indeed, udp.dstport is 6635 (IANA assigned for mpls-udp), so it turned
> out a host was using udp/6635 as an ephemeral port to connect to a STUN
> server.

So, for this case, follow Hugo van der Kooij's suggestion and disable the MPLS 
dissector.
___
Sent via:Wireshark-users mailing list 
Archives:https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
 mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe
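
The port-only selection described in this thread, with payload checks for triaging a suspect MPLS-over-UDP decode, as an added Python example that is not part of any message here and is not Wireshark's code. The STUN cookie test, the TTL and IP-version hints, source port 3478 and both sample payloads are assumptions constructed for the example; the hints are reasons to doubt a decode, not proof, since MPLS can carry non-IP payloads.

```python
import struct

MPLS_UDP_PORT = 6635            # IANA mpls-udp port named in the thread
STUN_MAGIC_COOKIE = 0x2112A442  # RFC 5389, bytes 4..7 of a STUN message

def port_selects_mpls(src_port, dst_port):
    """Port-only selection, as the thread describes it."""
    return MPLS_UDP_PORT in (src_port, dst_port)

def parse_label_stack(payload, max_depth=16):
    """Read 4-byte label stack entries (label:20, TC:3, S:1, TTL:8) until S=1."""
    entries = []
    for off in range(0, min(len(payload), 4 * max_depth) - 3, 4):
        (word,) = struct.unpack_from("!I", payload, off)
        entries.append({"label": word >> 12, "s": (word >> 8) & 1, "ttl": word & 0xFF})
        if entries[-1]["s"]:
            return entries, payload[off + 4:]
    return entries, None        # ran out of data before a bottom-of-stack entry

def looks_like_stun(payload):
    """STUN header: top two bits zero, magic cookie at offset 4."""
    return (len(payload) >= 20 and payload[0] >> 6 == 0
            and struct.unpack_from("!I", payload, 4)[0] == STUN_MAGIC_COOKIE)

def triage(src_port, dst_port, payload):
    """Return reasons to doubt an MPLS decode chosen by port number alone."""
    if not port_selects_mpls(src_port, dst_port):
        return ["port 6635 not involved; MPLS-in-UDP would not be selected"]
    reasons = []
    if looks_like_stun(payload):
        reasons.append("payload carries the STUN magic cookie")
    entries, inner = parse_label_stack(payload)
    if inner is None:
        reasons.append("no bottom-of-stack entry found")
    elif not inner or inner[0] >> 4 not in (4, 6):
        reasons.append("data after the label stack does not start an IPv4/IPv6 header")
    if any(e["ttl"] == 0 for e in entries):
        reasons.append("label stack entry with TTL 0")
    return reasons

# Constructed samples, not taken from the capture discussed in the thread.
STUN_REPLY = struct.pack("!HHI", 0x0101, 0, STUN_MAGIC_COOKIE) + bytes(range(1, 13))
REAL_MPLS = struct.pack("!I", (100 << 12) | (1 << 8) | 64) + b"\x45" + bytes(19)

if __name__ == "__main__":
    print(triage(3478, 6635, STUN_REPLY))   # several reasons to doubt the decode
    print(triage(50000, 6635, REAL_MPLS))   # no reasons
```
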

Re: [Wireshark-users] MPLS over UDP decoding

2018-12-28 Thread Yang Yu
On Fri, Dec 28, 2018 at 1:07 PM Guy Harris  wrote:
> From looking at the code, the logic appears to be "is the traffic to or from 
> UDP port 6635?"
>
> So *is* the traffic to or from UDP port 6635?

Indeed, udp.dstport is 6635 (IANA assigned for mpls-udp), so it turned
out a host was using udp/6635 as an ephemeral port to connect to a STUN
server.
https://github.com/wireshark/wireshark/blob/075785bd20cad395141481a8a9639022bb963aee/services#L4843
https://github.com/wireshark/wireshark/blob/1539e455d70c5f340ce80021c770b8f992051ec2/epan/dissectors/packet-mpls.h#L67


Thanks a lot.

Re: [Wireshark-users] MPLS over UDP decoding

2018-12-28 Thread Guy Harris
On Dec 27, 2018, at 3:01 PM, Yang Yu  wrote:

> In a packet capture of sFlow export packets, I noticed some sFlow
> samples were decoded as MPLS over UDP. The sFlow sampled packet was
> actually just a UDP VoIP packet with no dissector support.
> 
> What logic does Wireshark use to opportunistically consider UDP
> payload to be MPLS?

From looking at the code, the logic appears to be "is the traffic to or from 
UDP port 6635?"

So *is* the traffic to or from UDP port 6635?

Re: [Wireshark-users] MPLS over UDP decoding

2018-12-27 Thread Hugo van der Kooij
I would say this is a rather impossible question.
Your configuration is a relevant factor.
As is the actual packet data.

With neither of them available it is impossible to answer.

But in general, disable protocols that are not relevant in the profile you use. I use 
various profiles where I disable protocols not relevant to the tasks at hand.

Met vriendelijke groet / With kind regards,
Hugo van der Kooij


-Original Message-
From: Wireshark-users  On Behalf Of 
Yang Yu
Sent: vrijdag 28 december 2018 00:02
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] MPLS over UDP decoding

Hi,

In a packet capture of sFlow export packets, I noticed some sFlow samples were 
decoded as MPLS over UDP. The sFlow sampled packet was actually just a UDP 
VoIP packet with no dissector support.

What logic does Wireshark use to opportunistically consider UDP payload to be 
MPLS? Thanks.

Flow sample
Raw Packet header
  * Ethernet
  * IP
  * UDP
  * MPLS label x 6
  * pweth.cw
  * eth (data looks wrong because it is not an actual Ethernet header)
  * data (unable to decode)


Yang