Wireshark-users: [Wireshark-users] Capture Filter for MPLS GRE Encapsulated Packets

From: J P <jrp999@xxxxxxxxx>
Date: Tue, 22 Mar 2011 14:47:39 -0600
Hi Everyone,

I am trying to do a capture filter for the packet below for ports 67 and 68, highlighted below in RED.

I have tried:

vlan and mpls and mpls and port 67 - Capture Filter saved correctly but no DHCP traffic captured

mpls and mpls and vlan and port 67 - error when saving capture filter - no vlan match after mpls

vlan and ether and IP and mpls and mpls and port 67 - error when saving capture filter - link layer applied in wrong context

vlan and IP and mpls and mpls and port 67 - error when saving capture filter - Invalid Syntax

Now I am thinking of doing an absolute offset:

ether[80:2] == 0x0043 or ether[80:2] == 0x0044 - Capture Filter saved correctly and captured the required traffic

Do you know of a more elegant way of doing this capture that would be more repeatable with different levels of encapsulation?

Any suggestions would be appreciated.

Thanx,

John

===============================================================================================

No. Time Source Destination Protocol Info TCP SEQ TCP ACK

2058 07:40:35.308901 x.x.x.x y.y.y.y DHCP DHCP Release - Transaction ID 0x8161892

Frame 2058 (397 bytes on wire, 397 bytes captured)

Arrival Time: Mar 22, 2011 07:40:35.308901000

[Time delta from previous captured frame: 0.119089000 seconds]

[Time delta from previous displayed frame: 1118.799111000 seconds]

[Time since reference or first frame: 2331.849159000 seconds]

Frame Number: 2058

Frame Length: 397 bytes

Capture Length: 397 bytes

[Frame is marked: False]

[Protocols in frame: eth:ip:gre:mpls:eth:vlan:ip:udp:bootp]

[Coloring Rule Name: UDP]

[Coloring Rule String: udp]

Ethernet II, Src: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5), Dst: 02:00:00:00:00:01 (02:00:00:00:00:01)

Destination: 02:00:00:00:00:01 (02:00:00:00:00:01)

Address: 02:00:00:00:00:01 (02:00:00:00:00:01)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)

Source: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5)

Address: 00:03:fa:91:31:e5 (00:03:fa:91:31:e5)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Type: IP (0x0800)

Internet Protocol, Src: a.a.a.a (a.a.a.a), Dst: b.b.b.b (b.b.b.b)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..0. = ECN-Capable Transport (ECT): 0

.... ...0 = ECN-CE: 0

Total Length: 383

Identification: 0x6483 (25731)

Flags: 0x04 (Don't Fragment)

0... = Reserved bit: Not set

.1.. = Don't fragment: Set

..0. = More fragments: Not set

Fragment offset: 0

Time to live: 254

Protocol: GRE (0x2f)

Header checksum: 0xcb6b [correct]

[Good: True]

[Bad : False]

Source: a.a.a.a (a.a.a.a)

Destination: b.b.b.b (b.b.b.b)

Generic Routing Encapsulation (MPLS label switched packet)

Flags and version: 0000

0... .... .... .... = No checksum

.0.. .... .... .... = No routing

..0. .... .... .... = No key

...0 .... .... .... = No sequence number

.... 0... .... .... = No strict source route

.... .000 .... .... = Recursion control: 0

.... .... 0000 0... = Flags: 0

.... .... .... .000 = Version: 0

Protocol Type: MPLS label switched packet (0x8847)

MultiProtocol Label Switching Header, Label: 400, Exp: 0, S: 1, TTL: 255

MPLS Label: 400

MPLS Experimental Bits: 0

MPLS Bottom Of Label Stack: 1

MPLS TTL: 255

Ethernet II, Src: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)

Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)

Address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)

.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)

.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)

Source: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)

Address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Type: 802.1Q Virtual LAN (0x8100)

802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1324

000. .... .... .... = Priority: 0

...0 .... .... .... = CFI: 0

.... 0101 0010 1100 = ID: 1324

Type: IP (0x0800)

Internet Protocol, Src: x.x.x.x(z.z.z.z), Dst: y.y.y.y (y.y.y.y)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..0. = ECN-Capable Transport (ECT): 0

.... ...0 = ECN-CE: 0

Total Length: 337

Identification: 0x9ac4 (39620)

Flags: 0x04 (Don't Fragment)

0... = Reserved bit: Not set

.1.. = Don't fragment: Set

..0. = More fragments: Not set

Fragment offset: 0

Time to live: 128

Protocol: UDP (0x11)

Header checksum: 0x69c5 [correct]

[Good: True]

[Bad : False]

Source: x.x.x.x(z.z.z.z)

Destination: y.y.y.y (y.y.y.y)

User Datagram Protocol, Src Port: 68 (68), Dst Port: 67 (67)

Source port: 68 (68)

Destination port: 67 (67)

Length: 317

Checksum: 0xae1b [correct]

[Good Checksum: True]

[Bad Checksum: False]

Bootstrap Protocol

Message type: Boot Request (1)

Hardware type: Ethernet

Hardware address length: 6

Hops: 0

Transaction ID: 0x08161892

Seconds elapsed: 0

Bootp flags: 0x0000 (Unicast)

0... .... .... .... = Broadcast flag: Unicast

.000 0000 0000 0000 = Reserved flags: 0x0000

Client IP address: x.x.x.x(z.z.z.z)

Your (client) IP address: 0.0.0.0 (0.0.0.0)

Next server IP address: 0.0.0.0 (0.0.0.0)

Relay agent IP address: 0.0.0.0 (0.0.0.0)

Client MAC address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)

Server host name not given

Boot file name not given

Magic cookie: (OK)

Option: (t=53,l=1) DHCP Message Type = DHCP Release

Option: (53) DHCP Message Type

Length: 1

Value: 07

Option: (t=61,l=7) Client identifier

Option: (61) Client identifier

Length: 7

Value: 010019E4DAF9D0

Hardware type: Ethernet

Client MAC address: 00:19:e4:da:f9:d0 (00:19:e4:da:f9:d0)

Option: (t=56,l=14) Message = "clean shutdown"

Option: (56) Message

Length: 14

Value: 636C65616E2073687574646F776E

Option: (t=54,l=4) Server Identifier = y.y.y.y

Option: (54) Server Identifier

Length: 4

Value: 8EA5D2E3

Option: (t=82,l=32) Agent Information Option

Option: (82) Agent Information Option

Length: 32

Value: 011E5245474E534B30314C33302061746D20312F312F3033...

Agent Circuit ID: 5245474E534B30314C33302061746D20312F312F30332F32...

End Option
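
The offset 80 in the working filter is the sum of the header sizes in the frame's protocol chain (eth:ip:gre:mpls:eth:vlan:ip:udp). As an added example, not part of the original post, this Python helper recomputes that offset for a given stack and adds guard terms so the fixed-offset match only fires on frames with that exact encapsulation. The names `build_filter`, `SIZE`, `NEXT` and `POSTED` are hypothetical, and it assumes IPv4 without options and GRE without optional fields.

```python
# Header sizes in bytes. Assumes IPv4 without options and GRE without optional
# fields, which is what the posted dissection shows.
SIZE = {"eth": 14, "vlan": 4, "ip": 20, "gre": 4, "mpls": 4}

# Field in which each layer names the layer that follows it:
# (offset within the header, width in bytes, {next layer: expected value}).
ETHERTYPES = {"ip": 0x0800, "vlan": 0x8100, "mpls": 0x8847}
NEXT = {
    "eth": (12, 2, ETHERTYPES),
    "vlan": (2, 2, ETHERTYPES),
    "ip": (9, 1, {"gre": 47, "udp": 17}),
    "gre": (2, 2, ETHERTYPES),
}


def build_filter(stack, ports=(67, 68)):
    """Return (udp_offset, capture filter) for a layer stack ending in 'udp'."""
    if stack[-1] != "udp":
        raise ValueError("stack must end in 'udp'")
    off, guards = 0, []
    for layer, nxt in zip(stack, stack[1:]):
        if layer == "ip":    # version 4, IHL 5: header is exactly 20 bytes
            guards.append(f"ether[{off}] == 0x45")
        if layer == "gre":   # flags and version all zero: header is 4 bytes
            guards.append(f"ether[{off}:2] == 0x0000")
        if layer == "mpls":  # bottom-of-stack bit is set only on the last label
            guards.append(f"ether[{off + 2}] & 0x01 == {0 if nxt == 'mpls' else 1}")
        if layer in NEXT:
            rel, width, table = NEXT[layer]
            size = f":{width}" if width > 1 else ""
            guards.append(f"ether[{off + rel}{size}] == 0x{table[nxt]:0{width * 2}x}")
        off += SIZE[layer]
    # Like the posted filter, match on the UDP source port only.
    ports_expr = " or ".join(f"ether[{off}:2] == 0x{p:04x}" for p in ports)
    return off, " and ".join(guards) + f" and ({ports_expr})"


# Protocol chain of the posted frame: eth:ip:gre:mpls:eth:vlan:ip:udp
POSTED = ["eth", "ip", "gre", "mpls", "eth", "vlan", "ip", "udp"]

if __name__ == "__main__":
    print(build_filter(POSTED))
    # Same tunnel with a two-label MPLS stack: the UDP header moves 4 bytes.
    print(build_filter(["eth", "ip", "gre", "mpls", "mpls", "eth", "vlan", "ip", "udp"]))
```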