--- Begin Message ---
On 07/05/2020 09:39, Francois-Xavier Le Bail via tcpdump-workers wrote:
>> In this *particular* case, that test is done only if the uppermost nibble of
>> the uppermost octet is 0, so that would only be the case for the source
>> address, which is less likely to be a group
--- Begin Message ---
Hi,
On Thu, May 07, 2020 at 01:05:19AM -0700, Guy Harris wrote:
> A mechanism where you could do something such as "-T tcp:1073:{protocol}"
> to force traffic to TCP port 1073 to be dissected as the specified
> protocol might be useful; in this case, we'd do something such
--- Begin Message ---
On May 5, 2020, at 1:01 PM, Francois-Xavier Le Bail via tcpdump-workers
wrote:
> Wireshark MPLS heuristic is not perfect and has been criticized but is still
> there :-) hopefully
> correctly parsing your data as well.
*No* heuristic will be perfect here.
> For tcpdump
--- Begin Message ---
Hi,
On Thu, May 07, 2020 at 03:39:07AM -0400, Francois-Xavier Le Bail via
tcpdump-workers wrote:
> What if the first nibble is <> de 4, 6, 1, 0, e.g. 'f' like the first f of
> ff:ff:ff:ff:ff:ff ?
This is, as far as I understand, the primary reason why control word
was
--- Begin Message ---
On 07/05/2020 09:17, Guy Harris wrote:
>> On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote:
>>
>>> "Looks like a valid Ethernet address" is defined as "the first three octets
>>> appear in Wireshark's file giving manufacturer names for OUIs".
>> What if the
--- Begin Message ---
On 07/05/2020 09:13, Gert Doering wrote:
> Due to missing {}, the "p += 4" will always be executed, skipping the
> control word twice if "-v" is set.
Yes, already corrected, not the good patch ...
--
Francois-Xavier
--- End Message ---
--- Begin Message ---
On May 7, 2020, at 12:04 AM, Francois-Xavier Le Bail via tcpdump-workers
wrote:
> On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote:
>
>> "Looks like a valid Ethernet address" is defined as "the first three octets
>> appear in Wireshark's file giving manufacturer
--- Begin Message ---
Hi,
On Wed, May 06, 2020 at 11:54:55PM -0700, Guy Harris wrote:
> OK, so what *shark's MPLS dissector does is:
[..]
> "Looks like a valid Ethernet address" is defined as "the first three octets
> appear in Wireshark's file giving manufacturer names for OUIs". Tcpdump
>
--- Begin Message ---
Hi,
On Thu, May 07, 2020 at 08:20:40AM +0200, Francois-Xavier Le Bail wrote:
> Proposed patch attached.
>
> With new '-T mplsethnocw' option to force 'Ethernet without Control Word'
> decode.
> (from Francesco Fondelli comment)
There's one bug here:
> +
--- Begin Message ---
On May 5, 2020, at 11:36 AM, Gert Doering via tcpdump-workers
wrote:
> So, given that the first 16 bits are "4 bit always 0, and 12 bits
> reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
> are following the MPLS headers, it's a control word, so we
--- Begin Message ---
On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote:
> "Looks like a valid Ethernet address" is defined as "the first three octets
> appear in Wireshark's file giving manufacturer names for OUIs".
What if the destination address is ff:ff:ff:ff:ff:ff (broadcast) for
--- Begin Message ---
On May 5, 2020, at 3:15 AM, Gert Doering via tcpdump-workers
wrote:
> tcpdump's print-mpls.c already does "if I know what upper-layer protocol
> is in here, I call the appropriate printer". But there is no well-defined
> type field, so it fails for my packets, and and
--- Begin Message ---
On 05/05/2020 21:44, Gert Doering wrote:
> Hi,
>
> On Tue, May 05, 2020 at 08:47:04PM +0200, Francois-Xavier Le Bail wrote:
>>> So, given that the first 16 bits are "4 bit always 0, and 12 bits
>>> reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
>>>
13 matches
Mail list logo