[tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

I need to trace "MPLS-y" stuff between some routers, and wonder if
I'm missing tcpdump functionality here, namely "decode packets inside
MPLS".

I can match on "mpls" or "mpls ", but then I just get a hex
dump...

11:13:58.765851 MPLS (label 105, exp 0, ttl 254)
(label 24003, exp 0, [S], ttl 254)
0x:    0050 569c 338e 3cfd febd 7835  .PV.3.<...x5
0x0010:  0800 4500 0068 1218  4001 8e3b 0a1b  ..E..h@..;..
0x0020:  6302 0a1b 630a 0800 a2ea 6e4b 0738   c...c.nK.8..
0x0030:           
0x0040:   6c69 626f 7069 6e67 202d 2d20 4943  ..liboping.--.IC
0x0050:  4d50 2070 696e 6720 6c69 6272 6172 7920  MP.ping.library.
0x0060:  3c68 7474 703a 2f2f 6f63 746f 2e69 742f  

... while tshark would nicely decode the inner headers...

MultiProtocol Label Switching Header, Label: 24002, Exp: 0, S: 1, TTL: 253
 0101 1101 1100 0010    = MPLS Label: 24002
     000.   = MPLS Experimental Bits: 0
     ...1   = MPLS Bottom Of Label Stack: 1
       1101 = MPLS TTL: 253
Ethernet II, Src: Cisco_65:92:0f (00:c1:64:65:92:0f), Dst: IntelCor_bd:78:35 
(3c:fd:fe:bd:78:35)
...
Internet Protocol Version 4, Src: 10.27.99.34, Dst: 10.27.99.2
...
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)



Now, I do not want to use tshark here, because it is way too chatty - 
for a quick live packet view ("1-3 lines per packet", so I can immediately
see "ah, yes, packet went out, reply is / is not coming back") without
scrolling or folding packets I like tcpdump way better...


Now, the two questions:

 - is there a switch I'm missing to decode packets-in-MPLS?
   (like, "packets in GRE" get decoded already)
 - if not, is someone already working on it?  I might just hack
   it in, if not...


thanks :)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
--- End Message ---
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 05:50:40AM -0400, Gert Doering via tcpdump-workers 
wrote:
> Now, the two questions:
> 
>  - is there a switch I'm missing to decode packets-in-MPLS?
>    (like, "packets in GRE" get decoded already)
>  - if not, is someone already working on it?  I might just hack
>    it in, if not...

O-kay.  That turned out to be easier and harder than I thought, at the
same time.

tcpdump's print-mpls.c already does "if I know what upper-layer protocol
is in here, I call the appropriate printer".  But there is no well-defined
type field, so it fails for my packets, and falls back to "hexdump"
(good enough).

In my case, there is an MPLS control word before the ethernet header
(" "), and if I skip that and just clear "ethernet in here", I
get nicely printed packets...

12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], ttl 
254) IP 10.27.99.2 > 10.27.99.34: ICMP echo request, id 49866, seq 5160, length 
84
12:11:46.117107 MPLS (label 24002, exp 0, [S], ttl 253) IP 10.27.99.34 > 
10.27.99.2: ICMP echo reply, id 49866, seq 5160, length 84


So, for my debugging purposes, I have what I need now.

For "contribute back to tcpdump", this is unsatisfactory, as I'm just
guessing what is in there - we already have guesswork, but that isn't
covering "0" (and being a control word, it could be anything).

How does wireshark/tshark approach this?


Would it make sense to add a flag option "hey, MPLS dissector, this is
ethernet + control-word, always"?

gert
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 04:45:04PM +0200, Francois-Xavier Le Bail wrote:
> On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
> > 12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], 
> > ttl 254) IP 10.27.99.2 > 10.27.99.34: ICMP echo request, id 49866, seq 
> > 5160, length 84
> > 12:11:46.117107 MPLS (label 24002, exp 0, [S], ttl 253) IP 10.27.99.34 > 
> > 10.27.99.2: ICMP echo reply, id 49866, seq 5160, length 84
> > 
> > 
> > So, for my debugging purposes, I have what I need now.
> 
> Could you send a pcap file with the ICMP echo request/reply test ?

Of course.  Attached.  This is EVPN/MPLS between two Cisco ASRs (in
case it makes a difference).  One direction has only a single label
because the final router is on the link I'm sniffing, the other direction
has two labels.

Inside are a few machines pinging around plus one or two ARPs.

(The .cap file is very small, just 4 kbyte, so I dare send it to the
list as well)

> And the patch you apply ?

Attached as well.  Not very smart yet, just does "what I need".

gert

--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 06:45:27PM +0200, Francois-Xavier Le Bail wrote:
> > Attached as well.  Not very smart yet, just does "what I need".
> 
> Thanks,
> 
> Patch for which tcpdump version?

github checkout, it identifies itself as

tcpdump version 4.10.0-PRE-GIT

(git clone https://github.com/the-tcpdump-group/tcpdump.git)

gert
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 07:24:37PM +0200, Francois-Xavier Le Bail wrote:
> Ok, it had DOS line ending format ...

Not when I sent it, but who knows which mailer mangled it in surprising
and fascinating ways on the path...

gert
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 07:28:28PM +0200, Francois-Xavier Le Bail wrote:
> On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
> > In my case, there is an MPLS control word before the ethernet header
> > (" "), and if I skip that and just clear "ethernet in here", I
> > get nicely printed packets...
> 
> It seems it is like:
> https://tools.ietf.org/html/rfc4448#section-4.6
> 
> Can you confirm?

This very much looks like it, indeed.

So, given that the first 16 bits are "4 bit always 0, and 12 bits
reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
are following the MPLS headers, it's a control word, so we skip 4 bytes
and the rest is a regular Ethernet packet" should work.

Thanks for digging up that reference :)

gert
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 08:47:04PM +0200, Francois-Xavier Le Bail wrote:
> > So, given that the first 16 bits are "4 bit always 0, and 12 bits
> > reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
> > are following the MPLS headers, it's a control word, so we skip 4 bytes
> > and the rest is a regular Ethernet packet" should work.
> 
> We should print "PW Ethernet Control Word" and the "Sequence Number", 2 last 
> 2 octets of the 4.
> Like:
> PW Ethernet Control Word, Sequence Number xxx

I think we should only print this if "-v" is given.  Most of the time, 
both control word and sequence number are of little interest.

I really like tcpdump's very compact "only the most relevant info" output
format (by default).

gert
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Thu, May 07, 2020 at 08:20:40AM +0200, Francois-Xavier Le Bail wrote:
> Proposed patch attached.
> 
> With new '-T mplsethnocw' option to force 'Ethernet without Control Word' 
> decode.
> (from Francesco Fondelli comment)

There's one bug here:

> + case 0x00:  /* RFC 4448 PW Ethernet Control Word */
> + if (ndo->ndo_vflag) {
> + ND_PRINT("\n\tPW Ethernet Control 
> Word");
> + p += 2;
> + ND_PRINT(", Sequence Number %u", 
> GET_BE_U_2(p));
> + p += 2;
> + } else
> + ND_PRINT(" PWETHCW");
> + p += 4;
> + length -= 4;
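Review bot: the trailing `p += 4; length -= 4;` sits outside the `if`/`else`, so it runs on both paths; with -v the two `p += 2` increments have already moved past the control word, and the payload is then decoded 4 octets late. Brace the -v branch, read the sequence number as `GET_BE_U_2(p + 2)` without moving `p`, and advance `p` and `length` once after the `if`.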

Due to missing {}, the "p += 4" will always be executed, skipping the
control word twice if "-v" is set.

I'd totally leave off printing the "PWETHCW", though.  If it's decoding the
payload, that is all information I need - if I want more, I can always
do "-v".

So the code would become:

+   case 0x00:  /* RFC 4448 PW Ethernet Control Word */
+   if (ndo->ndo_vflag) {
+   ND_PRINT("\n\tPW Ethernet Control 
Word");
+   ND_PRINT(", Sequence Number %u", 
GET_BE_U_2(p+2));
+   }
+   p += 4;
+   length -= 4;
+   pt = PT_ETHER;
+   break;
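Review bot: `length -= 4` has no visible check that `length >= 4`; if `length` is unsigned, a packet that ends inside the control word wraps it to a huge value that is then handed to the Ethernet printer, so guard the subtraction with the file's usual truncation handling. The `pt = PT_ETHER` on `case 0x00` also hard-codes the assumption that any zero-leading payload is an RFC 4448 Ethernet pseudowire with a control word; a comment saying so would help the next reader.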

There's something else:

+   case PT_ETHER:
+   ether_print(ndo, p, length, ND_BYTES_AVAILABLE_AFTER(bp), NULL, 
NULL);
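Review bot: `ND_BYTES_AVAILABLE_AFTER(bp)` measures the captured bytes from the start of the MPLS header, not from the payload pointer `p` that is passed alongside it, so the caplen argument overstates what remains by the label stack (and control word) already consumed; pass `ND_BYTES_AVAILABLE_AFTER(p)` so both arguments describe the same buffer.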

This might actually be a bug in my original patch, ND_BYTES_AVAILABLE_AFTER()
should possibly call "(p)", not "(bp)".  Copy-pasted that line from
print-gre.c, and only changed the first "bp" to "p".

gert

--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Wed, May 06, 2020 at 11:54:55PM -0700, Guy Harris wrote:
> OK, so what *shark's MPLS dissector does is:
[..]
> "Looks like a valid Ethernet address" is defined as "the first three octets 
> appear in Wireshark's file giving manufacturer names for OUIs".  Tcpdump 
> *currently* doesn't have such a file.

So, how do we/you want to handle this in tcpdump then?  "-T mplsnocw"
for "mpls, ethernet, no control word" and "0 means control word", as
proposed by Francois-Xavier?

(Of course this would need a man page patch as well :) )

gert

--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Thu, May 07, 2020 at 03:39:07AM -0400, Francois-Xavier Le Bail via 
tcpdump-workers wrote:
> What if the first nibble is <> de 4, 6, 1, 0, e.g. 'f' like the first f of 
> ff:ff:ff:ff:ff:ff ?

This is, as far as I understand, the primary reason why the control word
was added.  Routers misinterpret these packets due to MAC addresses
starting with "4" or "6".

gert

--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-07 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Thu, May 07, 2020 at 01:05:19AM -0700, Guy Harris wrote:
> A mechanism where you could do something such as "-T tcp:1073:{protocol}"
> to force traffic to TCP port 1073 to be dissected as the specified
> protocol might be useful; in this case, we'd do something such as
> "-T mpls:{protocol}" to force *all* MPLS packets to be dissected
> as the specified protocol, and "-T mpls:{label}:{protocol}", to
> force packets with a particular label to be dissected as the specified
> protocol (which might mean you'd have to run tcpdump twice - once
> to see what the label is, and once to decode the label.

I find this to be a fairly complex solution, at least for my use case.  

I know what I'm looking at ("tcpdump -s0 'label 12003'"), it's just 
tcpdump not knowing what these packets are - so for these simple cases, a 

  "-T mplsnocweth"
  "-T mplscweth"

(or whatever it's called in the end) would be sufficient.  The documentation 
would need updating to make clear what happens behind the scenes ("this 
forces some of the dissectors to decode the packet in a particular way", 
and then possibly explain for each -T value to what sort of packets it applies)


OTOH, as a long-term road map, why not :-)

gert

--- End Message ---
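As an added, stand-alone illustration of the guesswork discussed across this thread (the first-nibble heuristic, the RFC 4448 control word check proposed on 2020-05-05, the broadcast-MAC case where the first nibble is f, and a forced "Ethernet without control word" mode like the -T option debated above), here is a small C parser. It is not tcpdump's print-mpls.c and not the patch under discussion; the names `mpls_parse`, `mpls_payload_name` and `force_ether_nocw`, and the sample byte strings, are constructed for this example (only the label values and MAC addresses are taken from the thread's captures).

```c
/* Added example, not tcpdump's print-mpls.c: parse an MPLS label stack
 * (RFC 3032: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL) and classify the
 * payload with the first-nibble guess discussed in the thread, treating 16
 * leading zero bits as an RFC 4448 pseudowire control word. */
#include <stdint.h>
#include <string.h>
#define MPLS_MAX_LABELS 8

struct mpls_label { uint32_t label; uint8_t exp, bos, ttl; };

enum mpls_payload {
    MPLS_PAYLOAD_TRUNC = -1,    /* packet ends inside the stack or control word */
    MPLS_PAYLOAD_UNKNOWN = 0,   /* nothing matched: tcpdump hexdumps this */
    MPLS_PAYLOAD_IPV4 = 4,      /* first nibble 4 */
    MPLS_PAYLOAD_IPV6 = 6,      /* first nibble 6 */
    MPLS_PAYLOAD_CW_ETHER = 16, /* control word seen, Ethernet follows */
    MPLS_PAYLOAD_ETHER = 17     /* forced "Ethernet, no control word" mode */
};

struct mpls_result {
    struct mpls_label labels[MPLS_MAX_LABELS];
    size_t nlabels;
    enum mpls_payload payload;
    uint16_t cw_seq;            /* control word sequence number (CW_ETHER only) */
};

/* force_ether_nocw stands in for the "-T mplsethnocw"-style switch proposed in
 * the thread (a hypothetical flag here): skip the guess and assume Ethernet
 * without a control word. Returns the inner packet offset, -1 if too short. */
int mpls_parse(const uint8_t *pkt, size_t len, int force_ether_nocw,
               struct mpls_result *r)
{
    size_t off = 0;
    memset(r, 0, sizeof *r);
    r->payload = MPLS_PAYLOAD_TRUNC;
    do {  /* one 32-bit entry per label until the bottom-of-stack bit is set */
        if (off + 4 > len || r->nlabels == MPLS_MAX_LABELS) return -1;
        uint32_t e = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16)
                   | ((uint32_t)pkt[off + 2] << 8) | pkt[off + 3];
        struct mpls_label *l = &r->labels[r->nlabels++];
        l->label = e >> 12;
        l->exp = (e >> 9) & 0x7;
        l->bos = (e >> 8) & 0x1;
        l->ttl = e & 0xff;
        off += 4;
    } while (!r->labels[r->nlabels - 1].bos);
    if (off >= len) return -1;
    if (force_ether_nocw) {
        r->payload = MPLS_PAYLOAD_ETHER;
        return (int)off;
    }
    switch (pkt[off] >> 4) {   /* MPLS carries no protocol field, so guess */
    case 0x4: r->payload = MPLS_PAYLOAD_IPV4; break;
    case 0x6: r->payload = MPLS_PAYLOAD_IPV6; break;
    case 0x0:
        /* RFC 4448 4.6: 0000, 12 reserved zero bits, 16-bit sequence number */
        if (off + 4 > len) return -1;
        if (pkt[off] == 0 && pkt[off + 1] == 0) {
            r->cw_seq = (uint16_t)(((unsigned)pkt[off + 2] << 8) | pkt[off + 3]);
            r->payload = MPLS_PAYLOAD_CW_ETHER;
            off += 4;
            break;
        }
        /* fall through: nibble 0 but reserved bits set, no idea what it is */
    default: r->payload = MPLS_PAYLOAD_UNKNOWN; break;
    }
    return (int)off;
}

const char *mpls_payload_name(enum mpls_payload p)
{
    switch (p) {
    case MPLS_PAYLOAD_IPV4:     return "IP";
    case MPLS_PAYLOAD_IPV6:     return "IP6";
    case MPLS_PAYLOAD_CW_ETHER: return "PW Ethernet Control Word, Ethernet";
    case MPLS_PAYLOAD_ETHER:    return "Ethernet";
    case MPLS_PAYLOAD_TRUNC:    return "[|mpls]";
    default:                    return "unknown (hexdump)";
    }
}

/* Constructed samples (MPLS payload only). Labels 105/24003/24002 and the MACs
 * 3c:fd:fe:bd:78:35 and 00:c1:64:65:92:0f come from the thread's capture; the
 * remaining bytes are made up. */
const uint8_t SAMPLE_CW_ETHER[] = {
    0x00,0x06,0x90,0xfe, 0x05,0xdc,0x31,0xfe,   /* labels 105 (S=0), 24003 (S=1) */
    0x00,0x00,0x00,0x07,                         /* control word, sequence 7 */
    0x3c,0xfd,0xfe,0xbd,0x78,0x35, 0x00,0xc1,0x64,0x65,0x92,0x0f, 0x08,0x00, 0x45,0x00 };
/* Same stack without control word and a dst MAC starting 4c: the guess says
 * IPv4, which is the misreading the control word exists to prevent. */
const uint8_t SAMPLE_NOCW_MAC4[] = { 0x00,0x06,0x90,0xfe, 0x05,0xdc,0x31,0xfe,
    0x4c,0x11,0x22,0x33,0x44,0x55, 0x00,0xc1,0x64,0x65,0x92,0x0f, 0x08,0x00, 0x45,0x00 };
/* Broadcast dst MAC without control word (an ARP): nibble f matches nothing. */
const uint8_t SAMPLE_NOCW_BCAST[] = { 0x00,0x06,0x90,0xfe, 0x05,0xdc,0x31,0xfe,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0xc1,0x64,0x65,0x92,0x0f, 0x08,0x06 };
/* Single label straight onto IPv4, like the reply direction in the thread. */
const uint8_t SAMPLE_IPV4[] = { 0x05,0xdc,0x21,0xfd, 0x45,0x00,0x00,0x54 };
```

Feed it the bytes that follow the outer link-layer header; the return value is the offset of the inner packet. The no-control-word sample with a 4c:.. destination MAC comes back as IP, and the broadcast frame as unknown, which is exactly why the control word (and a way to force the decode) matter for a compact one-line-per-packet view.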