Sven, you need to specify the keyword "mpls" in order to shift the offsets to match IP addresses;

i.e.

  tcpdump -n -i eth1 -O -vv "mpls && src net 195.113.0.0/16"

pls turn off the optimizer [-O flag], as without it tcpdump returns the error
"tcpdump: expression rejects all packets";

Guy, do you have any idea what causes the optimizer to dead-optimize this expression?

/hannes

On Fri, Jul 08, 2005 at 12:17:17PM +0200, Sven Ubik wrote:
| Hi All,
|
| I need to monitor a link with MPLS enabled. Is it possible to filter
| MPLS packets based on IP header fields? IP header is after MPLS header
| and tcpdump correctly recognizes that:
|
| tcpdump -n -i eth1 -vv ether proto 0x8847
|
| 12:01:33.175076 MPLS (label 39, exp 0, [S], ttl 255)
| IP (tos 0x0, ttl 60, id 10954, offset 0, flags [DF], length: 1500)
| 147.32.127.222.80 > 82.57.120.192.11472: . 4380:5840(1460) ack 1 win 1728
|
| but when I add filter for say source IP address, tcpdump fails:
|
| tcpdump -n -i eth1 -vv ether proto 0x8847 and src net 195.113.0.0/16
|
| eth1 not found (did you install the module?), down or already in use.
| Using Linux packet capture on eth1
| tcpdump: WARNING: setsockopt: Protocol not available
| tcpdump: WARNING: eth1: no IPv4 address assigned
| tcpdump: expression rejects all packets
|
| when I try just to filter source IP addresses without requesting packets
| with MPLS headers, it works, but tcpdump returns only packets that did
| not have an MPLS header (multicast and a few other special packets of
| inter-router communication):
|
| tcpdump -n -i eth1 -vv src net 195.113.0.0/16
|
| 12:13:32.240979 IP 195.113.69.53 > 224.0.0.13: pim v2 Join/Prune
| upstream-neighbor=195.113.69.54 groups=1 holdtime=3m30s (group0: 233.10.47.22 join=1
| 194.160.9.2(S) prune=0)
|
| Thanks.
|
| Regards,
|
| Sven Ubik
| CESNET
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
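
The offset shift described in the reply above, as an added example that is not part of the original thread and is not tcpdump or libpcap code: a user-space check that walks the MPLS label stack before reading the IPv4 source address, for offline triage of captured frames. The function names are hypothetical and the frames are constructed samples.

```python
import ipaddress
import struct

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847  # MPLS unicast, the ether proto used in the thread

def inner_ipv4_offset(frame: bytes):
    """Return the offset of the IPv4 header, or None if the frame carries none."""
    if len(frame) < ETH_HLEN:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = ETH_HLEN
    if ethertype == ETHERTYPE_MPLS:
        # Each label stack entry is 4 bytes: label(20) exp(3) S(1) ttl(8).
        while True:
            if len(frame) < off + 4:
                return None  # truncated label stack
            entry = struct.unpack_from("!I", frame, off)[0]
            off += 4
            if entry & 0x100:  # S bit set: bottom of stack reached
                break
    elif ethertype != ETHERTYPE_IPV4:
        return None
    # MPLS has no payload-type field, so confirm the IP version nibble.
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    return off

def src_in_net(frame: bytes, net: str) -> bool:
    """True if the (possibly MPLS-encapsulated) IPv4 source lies in net."""
    off = inner_ipv4_offset(frame)
    if off is None:
        return False
    src = ipaddress.IPv4Address(frame[off + 12:off + 16])
    return src in ipaddress.ip_network(net)

def build_frame(src: str, labels=()):
    """Constructed sample: Ethernet + optional MPLS stack + bare IPv4 header."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_MPLS if labels else ETHERTYPE_IPV4)
    stack = b"".join(
        struct.pack("!I", (lbl << 12) | (int(i == len(labels) - 1) << 8) | 255)
        for i, lbl in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 60, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address("82.57.120.192").packed)
    return eth + stack + ip
```

With one label on the stack, the bytes at the plain-IP source offset (26 to 29) are the inner TTL, protocol and checksum, so a comparison at the unshifted offset never sees the address.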