Scott Stoddard wrote:
> Hi all, I hope this is the right place to post this but I could not find a users tcpdump list.

This is the only list we have - it's for users and developers of tcpdump and libpcap.

> I am trying to capture traffic between two hosts at a point where the traffic is encapsulated in MPLS headers. But using the normal 'host x and host x' doesn't seem to work. I am guessing it has something to do with the mpls header on the packets possibly changing the location of the src/dst addresses from the packets header edge?

Possibly. Versions of libpcap prior to 0.9.1 don't handle MPLS headers, so those filters don't work. The current top-of-tree tcpdump man page (which is where libpcap filters are described) says:

      mpls [label_num]
             True if the packet is an MPLS packet.  If [label_num]  is
             specified,  only  true  is  the  packet has the specified
             label_num.  Note that the first mpls keyword  encountered
             in  expression  changes  the  decoding  offsets  for  the
             remainder of expression on the assumption that the packet
             is  a  MPLS-encapsulated IP packet.  The mpls [label_num]
             expression may be used more than once, to filter on  MPLS
             hierarchies.   Each use of that expression increments the
             filter offsets by 4.

             For example:
                  mpls 100000 && mpls 1024
             filters packets with an outer  label  of  100000  and  an
             inner label of 1024, and
                  mpls && mpls 1024 && host 192.9.200.1
             filters  packets  to  or  from  192.9.200.1 with an inner
             label of 1024 and any outer label.

If you're using a version of tcpdump built with a libpcap prior to 0.9.1 ("tcpdump -h" should report the versions of tcpdump and libpcap), the "mpls" keyword won't be available, so you can't do filtering on MPLS-encapsulated packets. You would have to run with a newer version of libpcap, for example by downloading the 0.9.4 libpcap and 3.9.4 tcpdump source, unpacking them into subdirectories of the same directory, configuring and building libpcap, configuring and building tcpdump, and using the new tcpdump.

If you're using a version of tcpdump built with a libpcap prior to 0.9.4, there are bugs that might cause problems filtering MPLS packets. If so, see previous paragraph at the end.

If you're using a version of tcpdump built with libpcap 0.9.4 or later, the "mpls" keyword should work.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
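
The offset shift described in the man page excerpt above, as an added example that is not part of the original message and is not tcpdump or libpcap code: it builds a constructed Ethernet frame with two MPLS labels, reads the addresses at the fixed offsets that apply when IP directly follows Ethernet, then walks the label stack to the bottom-of-stack bit to find the real IPv4 header. All function names and the sample frame are assumptions made for illustration.

```python
import socket
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847  # MPLS unicast

def mpls_entry(label, bottom, tc=0, ttl=64):
    """Pack one 4-byte label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def build_frame(labels, src, dst):
    """Constructed sample: Ethernet + MPLS label stack + minimal IPv4 header."""
    ethertype = ETHERTYPE_MPLS if labels else ETHERTYPE_IPV4
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    stack = b"".join(mpls_entry(l, i == len(labels) - 1) for i, l in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + stack + ip

def naive_hosts(frame):
    """Read src/dst at offsets 26 and 30, valid only when IP directly follows Ethernet."""
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def parse(frame):
    """Walk the label stack to the bottom-of-stack bit, then read the IPv4 addresses."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, labels = ETH_LEN, []
    if ethertype == ETHERTYPE_MPLS:
        while True:
            if off + 4 > len(frame):
                raise ValueError("truncated label stack")
            (entry,) = struct.unpack("!I", frame[off:off + 4])
            labels.append(entry >> 12)
            off += 4  # each label stack entry moves the IP header 4 bytes further in
            if entry & 0x100:  # S bit set: last entry in the stack
                break
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        raise ValueError("no IPv4 header after label stack")
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    return labels, off, src, dst

if __name__ == "__main__":
    frame = build_frame([100000, 1024], "192.9.200.1", "10.0.0.2")  # constructed
    print("naive :", naive_hosts(frame))
    print("parsed:", parse(frame))
```

With two labels the IPv4 header starts at offset 22 rather than 14, which is the 4-bytes-per-`mpls` adjustment the man page describes.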
