Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-08 Thread Francois-Xavier Le Bail via tcpdump-workers
On 07/05/2020 15:39, Francois-Xavier Le Bail wrote: > On 07/05/2020 09:39, Francois-Xavier Le Bail via tcpdump-workers wrote: >>> In this *particular* case, that test is done only if the uppermost nibble >>> of the uppermost octet is 0, so that would only be the case for the

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Francois-Xavier Le Bail via tcpdump-workers
On 07/05/2020 09:39, Francois-Xavier Le Bail via tcpdump-workers wrote: >> In this *particular* case, that test is done only if the uppermost nibble of >> the uppermost octet is 0, so that would only be the case for the source >> address, which is less likely to be a group

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Gert Doering via tcpdump-workers
Hi, On Thu, May 07, 2020 at 01:05:19AM -0700, Guy Harris wrote: > A mechanism where you could do something such as "-T tcp:1073:{protocol}" > to force traffic to TCP port 1073 to be dissected as the specified > protocol might be useful; in this case, we'd do something such

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Guy Harris via tcpdump-workers
On May 5, 2020, at 1:01 PM, Francois-Xavier Le Bail via tcpdump-workers wrote: > Wireshark MPLS heuristic is not perfect and has been criticized but is still > there :-) hopefully > correctly parsing your data as well. *No* heuristic will be perfect here. > For tcpdump

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Gert Doering via tcpdump-workers
Hi, On Thu, May 07, 2020 at 03:39:07AM -0400, Francois-Xavier Le Bail via tcpdump-workers wrote: > What if the first nibble is <> de 4, 6, 1, 0, e.g. 'f' like the first f of > ff:ff:ff:ff:ff:ff ? This is, as far as I understand, the primary reason why control word was

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Francois-Xavier Le Bail via tcpdump-workers
On 07/05/2020 09:17, Guy Harris wrote: >> On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote: >> >>> "Looks like a valid Ethernet address" is defined as "the first three octets >>> appear in Wireshark's file giving manufacturer names for OUIs". >> What if the

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Francois-Xavier Le Bail via tcpdump-workers
On 07/05/2020 09:13, Gert Doering wrote: > Due to missing {}, the "p += 4" will always be executed, skipping the > control word twice if "-v" is set. Yes, already corrected, not the good patch ... -- Francois-Xavier

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Guy Harris via tcpdump-workers
On May 7, 2020, at 12:04 AM, Francois-Xavier Le Bail via tcpdump-workers wrote: > On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote: > >> "Looks like a valid Ethernet address" is defined as "the first three octets >> appear in Wireshark's file giving manufacturer

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Gert Doering via tcpdump-workers
Hi, On Wed, May 06, 2020 at 11:54:55PM -0700, Guy Harris wrote: > OK, so what *shark's MPLS dissector does is: [..] > "Looks like a valid Ethernet address" is defined as "the first three octets > appear in Wireshark's file giving manufacturer names for OUIs". Tcpdump >

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Gert Doering via tcpdump-workers
Hi, On Thu, May 07, 2020 at 08:20:40AM +0200, Francois-Xavier Le Bail wrote: > Proposed patch attached. > > With new '-T mplsethnocw' option to force 'Ethernet without Control Word' > decode. > (from Francesco Fondelli comment) There's one bug here: > +

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Guy Harris via tcpdump-workers
On May 5, 2020, at 11:36 AM, Gert Doering via tcpdump-workers wrote: > So, given that the first 16 bits are "4 bit always 0, and 12 bits > reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes > are following the MPLS headers, it's a control word, so we

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Francois-Xavier Le Bail via tcpdump-workers
On 07/05/2020 08:53, Guy Harris via tcpdump-workers wrote: > "Looks like a valid Ethernet address" is defined as "the first three octets > appear in Wireshark's file giving manufacturer names for OUIs". What if the destination address is ff:ff:ff:ff:ff:ff (broadcast) for

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Guy Harris via tcpdump-workers
On May 5, 2020, at 3:15 AM, Gert Doering via tcpdump-workers wrote: > tcpdump's print-mpls.c already does "if I know what upper-layer protocol > is in here, I call the appropriate printer". But there is no well-defined > type field, so it fails for my packets, and

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Francois-Xavier Le Bail via tcpdump-workers
On 05/05/2020 21:44, Gert Doering wrote: > Hi, > > On Tue, May 05, 2020 at 08:47:04PM +0200, Francois-Xavier Le Bail wrote: >>> So, given that the first 16 bits are "4 bit always 0, and 12 bits >>> reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes >>>

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
On 05/05/2020 21:44, Gert Doering wrote: >> We should print "PW Ethernet Control Word" and the "Sequence Number", 2 last >> 2 octets of the 4. >> Like: >> PW Ethernet Control Word, Sequence Number xxx > I think we should only print this if "-v" is given. Most of the time,

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
Hi, On Tue, May 05, 2020 at 08:47:04PM +0200, Francois-Xavier Le Bail wrote: > > So, given that the first 16 bits are "4 bit always 0, and 12 bits > > reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes > > are following the MPLS headers, it's a control

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
On 05/05/2020 20:45, Francois-Xavier Le Bail via tcpdump-workers wrote: > We should print "PW Ethernet Control Word" and the "Sequence Number", 2 last > 2 octets of the 4. > Like: > PW Ethernet Control Word, Sequence Number xxx Attached patch based on yours. --

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
On 05/05/2020 20:37, Gert Doering wrote: > Hi, > > On Tue, May 05, 2020 at 07:28:28PM +0200, Francois-Xavier Le Bail wrote: >> On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote: >>> In my case, there is an MPLS control word before the ethernet header >>> ("

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
Hi, On Tue, May 05, 2020 at 07:28:28PM +0200, Francois-Xavier Le Bail wrote: > On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote: > > In my case, there is an MPLS control word before the ethernet header > > (" "), and if I skip that and just clear "ethernet

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
Hi, On Tue, May 05, 2020 at 07:24:37PM +0200, Francois-Xavier Le Bail wrote: > Ok, it had DOS line ending format ... Not when I sent it, but who knows which mailer mangled it in surprising and fascinating ways on the path... gert -- "If was one thing all people took for

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote: > In my case, there is an MPLS control word before the ethernet header > (" "), and if I skip that and just clear "ethernet in here", I > get nicely printed packets... It seems it is like:

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
On 05/05/2020 19:17, Gert Doering wrote: > Hi, > > On Tue, May 05, 2020 at 06:45:27PM +0200, Francois-Xavier Le Bail wrote: >>> Attached as well. Not very smart yet, just does "what I need". >> >> Thanks, >> >> Patch for which tcpdump version? > > github checkout, it

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
Hi, On Tue, May 05, 2020 at 06:45:27PM +0200, Francois-Xavier Le Bail wrote: > > Attached as well. Not very smart yet, just does "what I need". > > Thanks, > > Patch for which tcpdump version? github checkout, it identifies itself as tcpdump version 4.10.0-PRE-GIT (git

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
On 05/05/2020 18:34, Gert Doering wrote: > Hi, > > On Tue, May 05, 2020 at 04:45:04PM +0200, Francois-Xavier Le Bail wrote: >> On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote: >>> 12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], >>> ttl

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
Hi, On Tue, May 05, 2020 at 04:45:04PM +0200, Francois-Xavier Le Bail wrote: > On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote: > > 12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], > > ttl 254) IP 10.27.99.2 > 10.27.99.34: ICMP echo

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote: > 12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], > ttl 254) IP 10.27.99.2 > 10.27.99.34: ICMP echo request, id 49866, seq 5160, > length 84 > 12:11:46.117107 MPLS (label 24002, exp 0,

Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
Hi, On Tue, May 05, 2020 at 05:50:40AM -0400, Gert Doering via tcpdump-workers wrote: > Now, the two questions: > > - is there a switch I'm missing to decode packets-in-MPLS? > (like, "packets in GRE" get decoded already) > - if not, is someone already working on it?