Wireshark-dev: [Wireshark-dev] dissection of packets with unknown format (LDP/MPLS/PWE)
From: Alexandre Abreu <[email protected]>
Date: Mon, 28 Apr 2008 02:13:41 +0100

Has anyone ever found a case where the successful dissection of one protocol depends on what was negotiated in another protocol? I've been looking into dissecting pseudowires running over MPLS, but the packet format can't be obtained by looking just into the MPLS traffic. For each MPLS frame/packet, a match has to be made with the labels negotiated previously by LDP (for those unused to these protocols, you can think of LDP as the signalling protocol for MPLS traffic) to then be able to map the MPLS traffic into the appropriate RFC. This is the only way to be able to look into an MPLS packet and decide it is part of an EoMPLS pseudowire and not part of an IPv4 VPN, for example.
Right now, I've changed the MPLS dissector to decode each MPLS frame into 4 or 5 subtrees, each assuming a different type of traffic, and then I decide which type of traffic I'm most probably looking at based on my personal analysis of the fields. But this is highly inefficient and error-prone.
I guess my question comes down to: how can we store the information from dissection of one protocol so that it can be used to dissect another protocol, while still following Wireshark's dev guidelines?
Tks in advance
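
The cross-protocol state described in the post, as an added example that is not part of the original message and does not use Wireshark's own API: a label-binding table filled from the signalling side and consulted when an MPLS label stack is parsed. All names (`bind_label`, `lookup_label`, `classify_mpls`, the `payload` enum) are hypothetical, and recording the frame number of each binding is an assumption added so that a rebound label is resolved correctly.

```c
#include <stdint.h>
#include <stddef.h>

/* Payload kinds a signalled label can map to (the two named in the post). */
enum payload { PL_UNKNOWN = 0, PL_IPV4_VPN, PL_ETH_PW };

/* Hypothetical binding table, filled while dissecting the signalling side. */
static struct binding { uint32_t label; enum payload kind; uint32_t frame; } table[64];
static size_t n_bindings;

/* Record that `label` was bound to `kind` by signalling frame `frame`. */
int bind_label(uint32_t label, enum payload kind, uint32_t frame) {
    if (label > 0xFFFFF || n_bindings == sizeof table / sizeof table[0]) return -1;
    table[n_bindings++] = (struct binding){ label, kind, frame };
    return 0;
}

/* Newest binding signalled at or before `frame`: labels can be rebound, and
 * frames may be revisited in any order once the capture is loaded. */
enum payload lookup_label(uint32_t label, uint32_t frame) {
    enum payload kind = PL_UNKNOWN;
    uint32_t best = 0;
    for (size_t i = 0; i < n_bindings; i++)
        if (table[i].label == label && table[i].frame <= frame && table[i].frame >= best) {
            best = table[i].frame; kind = table[i].kind;
        }
    return kind;
}

/* Walk the label stack (4 bytes per entry: label:20, TC:3, S:1, TTL:8) and
 * classify by the bottom-of-stack label; PL_UNKNOWN if the stack is truncated. */
enum payload classify_mpls(const uint8_t *buf, size_t len, uint32_t frame, size_t *payload_off) {
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t label = ((uint32_t)buf[off] << 12) | ((uint32_t)buf[off + 1] << 4) | (buf[off + 2] >> 4);
        if (buf[off + 2] & 0x01) {            /* S bit set: last entry */
            *payload_off = off + 4;
            return lookup_label(label, frame);
        }
    }
    return PL_UNKNOWN;
}

int main(void) {
    /* Constructed sample: transport label 1000, then label 16 with S=1. */
    const uint8_t pkt[] = { 0x00, 0x3E, 0x80, 0xFF, 0x00, 0x01, 0x01, 0x40, 0xAA };
    size_t off = 0;
    bind_label(16, PL_ETH_PW, 3);             /* learned from signalling frame 3 */
    return classify_mpls(pkt, sizeof pkt, 10, &off) == PL_ETH_PW ? 0 : 1;
}
```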