Wireshark-users: [Wireshark-users] Capture Filter for MPLS GRE Encapsulated Packets
I am trying to do a capture filter for the packet below for port 67 and 68, highlighted below in
RED. I have tried:
vlan and mpls and mpls and port 67 - Capture Filter saved correctly but no DHCP traffic captured
mpls and mpls and vlan and port 67 - error when saving capture filter - no vlan match after mpls
vlan and ether and IP and mpls and mpls and port 67 - error when saving capture filter - link layer applied in wrong context
vlan and IP and mpls and mpls and port 67 - error when saving capture filter - Invalid Syntax
Now I am thinking of doing an absolute offset:
ether[80:2] == 0x0043 or ether[80:2] == 0x0044 - Capture Filter saved correctly and captured the required traffic
Do you know of a more elegant way of doing this capture that would be more repeatable with different levels of encapsulation?
Any suggestions would be appreciated.
Thanx,
John
===============================================================================================
No. Time Source Destination Protocol Info TCP SEQ TCP ACK
2058 07:40:35.308901 x.x.x.x y.y.y.y DHCP DHCP Release - Transaction ID 0x8161892
Frame 2058 (397 bytes on wire, 397 bytes captured)
Arrival Time: Mar 22, 2011 07:40:35.308901000
[Time delta from previous captured frame: 0.119089000 seconds]
[Time delta from previous displayed frame: 1118.799111000 seconds]
[Time since reference or first frame: 2331.849159000 seconds]
Frame Number: 2058
Frame Length: 397 bytes
Capture Length: 397 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:gre:mpls:eth:vlan:ip:udp:bootp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5), Dst: 02:00:00:00:00:01 (02:00:00:00:00:01)
Destination: 02:00:00:00:00:01 (02:00:00:00:00:01)
Address: 02:00:00:00:00:01 (02:00:00:00:00:01)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Source: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5)
Address: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: a.a.a.a (a.a.a.a), Dst: b.b.b.b (b.b.b.b)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 383
Identification: 0x6483 (25731)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 254
Protocol: GRE (0x2f)
Header checksum: 0xcb6b [correct]
[Good: True]
[Bad : False]
Source: a.a.a.a (a.a.a.a)
Destination: b.b.b.b (b.b.b.b)
Generic Routing Encapsulation (MPLS label switched packet)
Flags and version: 0000
0... .... .... .... = No checksum
.0.. .... .... .... = No routing
..0. .... .... .... = No key
...0 .... .... .... = No sequence number
.... 0... .... .... = No strict source route
.... .000 .... .... = Recursion control: 0
.... .... 0000 0... = Flags: 0
.... .... .... .000 = Version: 0
Protocol Type: MPLS label switched packet (0x8847)
MultiProtocol Label Switching Header, Label: 400, Exp: 0, S: 1, TTL: 255
MPLS Label: 400
MPLS Experimental Bits: 0
MPLS Bottom Of Label Stack: 1
MPLS TTL: 255
Ethernet II, Src: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Source: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)
Address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1324
000. .... .... .... = Priority: 0
...0 .... .... .... = CFI: 0
.... 0101 0010 1100 = ID: 1324
Type: IP (0x0800)
Internet Protocol, Src: x.x.x.x(z.z.z.z), Dst: y.y.y.y (y.y.y.y)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 337
Identification: 0x9ac4 (39620)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x69c5 [correct]
[Good: True]
[Bad : False]
Source: x.x.x.x(z.z.z.z)
Destination: y.y.y.y (y.y.y.y)
User Datagram Protocol, Src Port: 68 (68), Dst Port: 67 (67)
Source port: 68 (68)
Destination port: 67 (67)
Length: 317
Checksum: 0xae1b [correct]
[Good Checksum: True]
[Bad Checksum: False]
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x08161892
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: x.x.x.x(z.z.z.z)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option: (t=53,l=1) DHCP Message Type = DHCP Release
Option: (53) DHCP Message Type
Length: 1
Value: 07
Option: (t=61,l=7) Client identifier
Option: (61) Client identifier
Length: 7
Value: 010019E4DAF9D0
Hardware type: Ethernet
Client MAC address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)
Option: (t=56,l=14) Message = "clean shutdown"
Option: (56) Message
Length: 14
Value: 636C65616E2073687574646F776E
Option: (t=54,l=4) Server Identifier = y.y.y.y
Option: (54) Server Identifier
Length: 4
Value: 8EA5D2E3
Option: (t=82,l=32) Agent Information Option
Option: (82) Agent Information Option
Length: 32
Value: 011E5245474E534B30314C33302061746D20312F312F3033...
Agent Circuit ID: 5245474E534B30314C33302061746D20312F312F30332F32...
End Option
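
The offset arithmetic behind ether[80:2], as an added example that is not part of the original post: it derives the UDP offset from a list of encapsulation layers and emits a filter that also pins each layer's next-protocol field, so the same code covers a different label depth. The names HEADER_LEN, NEXT_FIELD and build_filter are hypothetical, and the header sizes assume IPv4 without options and GRE without optional fields, as in the dissection above.

```python
# Added example: fixed-offset BPF capture filter for a known encapsulation stack.
# Assumed sizes: IPv4 with IHL 5, GRE with no checksum/key/sequence fields.
HEADER_LEN = {"eth": 14, "vlan": 4, "ip": 20, "gre": 4, "mpls": 4}
ETHERTYPES = {"ip": 0x0800, "vlan": 0x8100, "mpls": 0x8847}
# layer -> (offset of its next-protocol field, field width, accepted values)
NEXT_FIELD = {
    "eth": (12, 2, ETHERTYPES),
    "vlan": (2, 2, ETHERTYPES),
    "ip": (9, 1, {"gre": 47, "udp": 17}),
    "gre": (2, 2, {"ip": 0x0800, "mpls": 0x8847}),
}

def build_filter(stack, ports=(67, 68)):
    """Return (udp_offset, filter_text) for a layer list ending in 'udp'."""
    if not stack or stack[-1] != "udp":
        raise ValueError("stack must end in 'udp'")
    terms, off = [], 0
    for layer, nxt in zip(stack, stack[1:]):
        if layer not in HEADER_LEN:
            raise ValueError(f"unsupported layer: {layer}")
        if layer == "ip":
            # Version 4 and IHL 5; IP options would shift everything after.
            terms.append(f"ether[{off}:1] = 0x45")
        if layer == "gre":
            # Flags and version all zero, so the GRE header is exactly 4 bytes.
            terms.append(f"ether[{off}:2] = 0x0000")
        if layer == "mpls":
            # MPLS has no next-protocol field; only the bottom-of-stack bit
            # says whether another label follows.
            last = 0 if nxt == "mpls" else 1
            terms.append(f"ether[{off + 2}:1] & 0x01 = {last}")
        else:
            rel, width, values = NEXT_FIELD[layer]
            if nxt not in values:
                raise ValueError(f"{layer} cannot be followed by {nxt}")
            terms.append(f"ether[{off + rel}:{width}] = 0x{values[nxt]:0{width * 2}x}")
        off += HEADER_LEN[layer]
    # Match either port in the source (off) or destination (off + 2) field.
    port_terms = " or ".join(
        f"ether[{off + d}:2] = {p}" for d in (0, 2) for p in ports)
    return off, " and ".join(terms) + f" and ({port_terms})"

# Layer order taken from "Protocols in frame" in the dissection above.
STACK = ["eth", "ip", "gre", "mpls", "eth", "vlan", "ip", "udp"]

if __name__ == "__main__":
    offset, text = build_filter(STACK)
    print(offset)
    print(text)
```

With a second MPLS label in the list the UDP offset moves from 80 to 84, and the first label's bottom-of-stack test becomes 0.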