> I think that this is due to the fact that ethereal decodes after the
> mpls-header is either altered or removed.
Ethereal decodes what the libpcap capture mechanism gives it; on Linux,
libpcap gets what the kernel's PF_PACKET/SOCK_RAW mechanism gives it.
Ethereal and libpcap are at the mercy of the OS's networking code when
capturing.
If that mechanism gives it frames with an Ethernet type field of 0x8847
(MPLS unicast) without an MPLS header after the Ethernet header, there's
not much Ethereal (or any *other* sniffer that uses libpcap) can do
about it.
> What happens is
> 1.If the MPLS-shim is removed, the TOS-Field still says mpls
By "the TOS field", do you mean the Ethernet type field? That's what
tells Ethereal that a frame is an MPLS frame.
> If anyone knows how this could be fixed in a different way than by
> using an extra machine, please tell me
Well, if you can get the Linux networking stack to send *raw Ethernet*
frames to PF_PACKET/SOCK_RAW sockets *AND*, if the Linux MPLS code
modifies those frames in place, get it to do a copy-on-write of the
frame, so that it doesn't damage the copy of the frame sent to the
PF_PACKET/SOCK_RAW socket, that might help.
I don't know how one would do that, however.