Hi All,

I can confirm that "tcpdump mpls & src net ..." works with the latest libpcap version! Thanks a lot to Hannes for the update and to all who advised me about mpls-related syntax.

Regards,

Sven Ubik

On Fri, 8 Jul 2005, Hannes Gredler wrote:

> i have just checked in a fix for MPLS code generation into libpcap HEAD
> and 0_9:
>
> ---
> if we have a MPLS label stack deeper > 1 then generate a match
> for a cleared bottom-of-stack-bit of the previous MPLS shim header
> rather than just incrementing the offset;
>
> if there is a combined expression of MPLS and IP like e.g.
> "mpls && ip" | "mpls && ip host" | "mpls && ip src net"
> then poison the linkoffset to make sure that other code generators
> do not try to match link-layer protos like Q_ARP, Q_RARP etc.
>
> introduce a new function gen_null() that matches against the first nibble
> of the IP header and matches if the bottom-of-stack bit is set;
>
> TODO: IPv6 stuff i.e. gen_host6() etc.
> --
>
> so tcpdump -nvvi eth1 "mpls && src net 195.113.0.0/16"
>
> should work now;
>
> /hannes
>
> On Fri, Jul 08, 2005 at 12:17:17PM +0200, Sven Ubik wrote:
> | Hi All,
> |
> | I need to monitor a link with MPLS enabled. Is it possible to filter
> | MPLS packets based on IP header fields? IP header is after MPLS header
> | and tcpdump correctly recognizes that:
> |
> | tcpdump -n -i eth1 -vv ether proto 0x8847
> |
> | 12:01:33.175076 MPLS (label 39, exp 0, [S], ttl 255)
> | IP (tos 0x0, ttl 60, id 10954, offset 0, flags [DF], length: 1500)
> | 147.32.127.222.80 > 82.57.120.192.11472: . 4380:5840(1460) ack 1
> win 1728
> |
> | but when I add filter for say source IP address, tcpdump fails:
> |
> | tcpdump -n -i eth1 -vv ether proto 0x8847 and src net 195.113.0.0/16
> |
> | eth1 not found (did you install the module?), down or already in use.
> | Using Linux packet capture on eth1
> | tcpdump: WARNING: setsockopt: Protocol not available
> | tcpdump: WARNING: eth1: no IPv4 address assigned
> | tcpdump: expression rejects all packets
> |
> | when I try just to filter source IP addresses without requesting packets
> | with MPLS headers, it works, but tcpdump returns only packets that did
> | not have an MPLS header (multicast and a few other special packets of
> | inter-router communication):
> |
> | tcpdump -n -i eth1 -vv src net 195.113.0.0/16
> |
> | 12:13:32.240979 IP 195.113.69.53 > 224.0.0.13: pim v2 Join/Prune
> | upstream-neighbor=195.113.69.54 groups=1 holdtime=3m30s (group0:
> 233.10.47.22 join=1
> | 194.160.9.2(S) prune=0)
> |
> | Thanks.
> |
> | Regards,
> |
> | Sven Ubik
> | CESNET
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
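
The matching logic the quoted commit message describes (step over MPLS shim headers until the bottom-of-stack bit is set, then check the first nibble of the IP header before comparing the source network), written out over raw frame bytes as an added example; it is not libpcap's generated BPF and not code from this thread. The function names, FRAME_MAX and the constructed test frames are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FRAME_MAX 64 /* Ethernet + up to 7 shims + IPv4 header */

/* 1 if the frame is MPLS over Ethernet (0x8847) carrying IPv4 whose source
 * address lies in net/mask (host byte order), otherwise 0. */
int mpls_ipv4_src_in_net(const uint8_t *f, size_t len, uint32_t net, uint32_t mask)
{
    size_t off = 14; /* Ethernet header */
    int bottom;
    if (len < off || ((f[12] << 8) | f[13]) != 0x8847) return 0;
    do { /* each shim: label(20) exp(3) S(1) ttl(8) */
        if (len < off + 4) return 0; /* no bottom-of-stack bit found */
        bottom = f[off + 2] & 0x01;
        off += 4;
    } while (!bottom);
    /* first nibble after the stack must say IPv4 */
    if (len < off + 20 || (f[off] >> 4) != 4) return 0;
    uint32_t src = ((uint32_t)f[off + 12] << 24) | ((uint32_t)f[off + 13] << 16) |
                   ((uint32_t)f[off + 14] << 8) | f[off + 15];
    return (src & mask) == (net & mask);
}

/* Constructed sample frame: nlabels shims (S set only on the last one)
 * followed by a minimal IPv4 header with the given source address. */
size_t build_frame(uint8_t *buf, int nlabels, uint32_t src)
{
    size_t off = 14;
    memset(buf, 0, FRAME_MAX);
    buf[12] = 0x88; buf[13] = 0x47;
    for (int i = 0; i < nlabels; i++, off += 4) {
        uint32_t label = 39 + (uint32_t)i;
        buf[off] = (uint8_t)(label >> 12); buf[off + 1] = (uint8_t)(label >> 4);
        buf[off + 2] = (uint8_t)((label << 4) | (uint32_t)(i == nlabels - 1));
        buf[off + 3] = 255;
    }
    buf[off] = 0x45; /* version 4, header length 5 words */
    for (int i = 0; i < 4; i++)
        buf[off + 12 + i] = (uint8_t)(src >> (24 - 8 * i));
    return off + 20;
}

int main(void)
{
    uint8_t b[FRAME_MAX];
    size_t n = build_frame(b, 3, 0xC3710101u); /* 195.113.1.1 under 3 labels */
    printf("match: %d\n", mpls_ipv4_src_in_net(b, n, 0xC3710000u, 0xFFFF0000u));
    return 0;
}
```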