sven,

i have just checked in a fix for MPLS code generation into libpcap HEAD and 0_9:

---
if we have a MPLS label stack deeper > 1 then generate a match 
  for a cleared bottom-of-stack-bit of the previous MPLS shim header  
  rather than just incrementing the offset; 

if there is a combined expression of MPLS and IP like e.g.
  "mpls && ip" | "mpls && ip host" | "mpls && ip src net"
  then poison the linkoffset to make sure that other code generators
  do not try to match link-layer protos like Q_ARP, Q_RARP etc.

introduce a new function gen_null() that matches against the first nibble
  of the IP header and matches if the bottom-of-stack bit is set;  

TODO: IPv6 stuff i.e. gen_host6() etc.
--

so tcpdump -nvvi eth1 "mpls && src net 195.113.0.0/16"

should work now;

/hannes

On Fri, Jul 08, 2005 at 12:17:17PM +0200, Sven Ubik wrote:
| Hi All,
| 
| I need to monitor a link with MPLS enabled. Is it possible to filter
| MPLS packets based on IP header fields? IP header is after MPLS header
| and tcpdump correctly recognizes that:
| 
| tcpdump -n -i eth1 -vv ether proto 0x8847
| 
| 12:01:33.175076 MPLS (label 39, exp 0, [S], ttl 255)
|         IP (tos 0x0, ttl  60, id 10954, offset 0, flags [DF], length: 1500)
|         147.32.127.222.80 > 82.57.120.192.11472: . 4380:5840(1460) ack 1 win 1728
| 
| but when I add filter for say source IP address, tcpdump fails:
| 
| tcpdump -n -i eth1 -vv ether proto 0x8847 and src net 195.113.0.0/16
| 
| eth1 not found (did you install the module?), down or already in use.
| Using Linux packet capture on eth1
| tcpdump: WARNING: setsockopt: Protocol not available
| tcpdump: WARNING: eth1: no IPv4 address assigned
| tcpdump: expression rejects all packets
| 
| when I try just to filter source IP addresses without requesting packets
| with MPLS headers, it works, but tcpdump returns only packets that did
| not have an MPLS header (multicast and a few other special packets of
| inter-router communication):
| 
| tcpdump -n -i eth1 -vv src net 195.113.0.0/16
| 
| 12:13:32.240979 IP 195.113.69.53 > 224.0.0.13: pim v2 Join/Prune
| upstream-neighbor=195.113.69.54 groups=1 holdtime=3m30s (group0: 233.10.47.22 join=1
| 194.160.9.2(S) prune=0)
| 
| Thanks.
| 
| Regards,
| 
| Sven Ubik
| CESNET

| 
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
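
The matching logic the commit message describes (skip MPLS shim headers until the bottom-of-stack bit is set, then check the IP version nibble before reading IP fields), as an added Python example that is not part of the thread or of libpcap's code. It walks a label stack of any depth in one pass rather than reproducing the BPF that libpcap generates; the function names and sample frames are constructed for illustration.

```python
import ipaddress
import struct

ETHERTYPE_MPLS = 0x8847  # "ether proto 0x8847" in the thread


def inner_ipv4_src(frame):
    """Return the IPv4 source behind an MPLS label stack, or None."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_MPLS:
        return None
    off = 14
    while True:
        if len(frame) < off + 4:
            return None  # truncated label stack
        (shim,) = struct.unpack_from("!I", frame, off)
        off += 4
        if shim & 0x100:  # bottom-of-stack bit set: payload follows
            break
    # First nibble of the payload must be 4 before IP fields are trusted.
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    return ipaddress.IPv4Address(frame[off + 12:off + 16])


def matches(frame, net):
    """Equivalent in intent to: mpls && src net <net>."""
    src = inner_ipv4_src(frame)
    return src is not None and src in ipaddress.ip_network(net)


# --- constructed sample frames (not captured traffic) ---
def shim(label, bos, ttl=255):
    return struct.pack("!I", (label << 12) | (bos << 8) | ttl)


def ipv4(src, dst="192.0.2.1"):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 60, 6, 0)
    return hdr + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


ETH = bytes(12) + struct.pack("!H", ETHERTYPE_MPLS)
ONE_LABEL = ETH + shim(39, 1) + ipv4("195.113.69.53")
TWO_LABELS = ETH + shim(100, 0) + shim(39, 1) + ipv4("195.113.69.53")
OTHER_SRC = ETH + shim(39, 1) + ipv4("147.32.127.222")
NOT_IP = ETH + shim(39, 1) + bytes([0x60]) + bytes(39)

if __name__ == "__main__":
    for name in ("ONE_LABEL", "TWO_LABELS", "OTHER_SRC", "NOT_IP"):
        print(name, matches(globals()[name], "195.113.0.0/16"))
```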
