Wireshark-dev: [Wireshark-dev] dissection of packets with unknown format (LDP/MPLS/PWE)

From: Alexandre Abreu <alxabreu@xxxxxxxxx>
Date: Mon, 28 Apr 2008 02:13:41 +0100
Hi.

Has anyone ever found a case where the successful dissection of one protocol depends on what was negotiated in another protocol? I've been looking into dissecting pseudowires running over MPLS but the packet format can't be obtained by looking just into the MPLS traffic. Per each MPLS frame/packet, a match has to be made with the labels negotiated previously by LDP (for those unused to these prots, you can think of LDP as the signalling protocol for MPLS traffic) to then be able to map the MPLS traffic into the appropriate RFC. This is the only way to be able to look into an MPLS packet and decide it is part of an EoMPLS pseudowire and not part of an IPv4 VPN, for example.

Right now, I've changed the MPLS dissector to decode each MPLS frame into 4 or 5 subtrees, each assuming a different type of traffic, and then I decide which type of traffic I'm most probably looking at based on my personal analysis of the fields. But this is highly inefficient and error-prone.

I guess my question comes down to: how can we store the information from dissection of one protocol so that it can be used to dissect another protocol, while still following Wireshark's dev guidelines?

Tks in advance

AA
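
The cross-protocol state asked about above, modelled as an added example that is not part of the original post and is not Wireshark code: the LDP side records label bindings with the frame where they were negotiated, and the MPLS side looks up the binding valid at its own frame. The function names, the enum, the fixed-size table, a single label space, and frame numbers counting from 1 are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Payload kinds named in the post; this enum is hypothetical. */
enum payload_kind { PAYLOAD_UNKNOWN = 0, PAYLOAD_IPV4_VPN, PAYLOAD_ETH_PW };
struct label_binding {
    uint32_t label;       /* 20-bit MPLS label */
    uint32_t first_frame; /* frame of the LDP label mapping (frames count from 1) */
    uint32_t last_frame;  /* frame of the LDP withdraw, 0 = still bound */
    enum payload_kind kind;
};
#define MAX_BINDINGS 64   /* assumed bound for this illustration */
static struct label_binding table[MAX_BINDINGS];
static size_t n_bindings;

/* LDP side, on a label mapping. Idempotent, so dissecting the same
 * LDP frame twice does not add a duplicate. Returns 0 on success. */
int ldp_learn(uint32_t label, uint32_t frame, enum payload_kind kind)
{
    if (label > 0xFFFFF || frame == 0) return -1;
    for (size_t i = 0; i < n_bindings; i++)
        if (table[i].label == label && table[i].first_frame == frame) { table[i].kind = kind; return 0; }
    if (n_bindings == MAX_BINDINGS) return -1;
    table[n_bindings++] = (struct label_binding){ label, frame, 0, kind };
    return 0;
}

/* LDP side, on a label withdraw: close the binding open at that frame. */
void ldp_withdraw(uint32_t label, uint32_t frame)
{
    for (size_t i = n_bindings; i-- > 0; )
        if (table[i].label == label && table[i].last_frame == 0 &&
            table[i].first_frame <= frame) {
            table[i].last_frame = frame;
            return;
        }
}

/* MPLS side: payload kind bound to this label as of this frame, so an
 * earlier frame never picks up a binding negotiated later. */
enum payload_kind mpls_payload_kind(uint32_t label, uint32_t frame)
{
    for (size_t i = n_bindings; i-- > 0; ) {
        const struct label_binding *b = &table[i];
        if (b->label == label && b->first_frame <= frame &&
            (b->last_frame == 0 || frame < b->last_frame))
            return b->kind;
    }
    return PAYLOAD_UNKNOWN;
}
```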