Wireshark-dev: [Wireshark-dev] [PATCH]: enhanced "what's past last mpls label?" heuristic

From: "Francesco Fondelli" <francesco.fondelli@xxxxxxxxx>
Date: Mon, 7 Jul 2008 16:31:04 +0200
Hi all,

Attached is a patch for:

- PW Associated Channel Header dissection as per RFC 4385
- PW MPLS Control Word dissection as per RFC 4385
- mpls subdissector table indexed by label value
- enhanced "what's past last mpls label?" heuristic
- Ethernet PW (w/o CW) support as per RFC 4448

The new logic to dissect data after last mpls label is:

if (!dissector_try_label(mpls_subdissector_table, label, ...)) {
    if (nibble == 6) {
        call_dissector(ipv6_handle, ...);
    } else if (nibble == 4) {
        call_dissector(ipv4_handle, ...);
    } else if (nibble == 1) {
        dissect_pw_ach(next_tvb, ...);
    } else if (nibble == 0) {
        if (looks_like_plain_eth(next_tvb)) {
            call_dissector(eth_withoutfcs_handle, next_tvb, ...);
        } else {
            dissect_pw_mcw(next_tvb, ...);
        }
    } else {
        call_dissector(eth_withoutfcs_handle, ...);
    }
}

The mpls protocol dissector now has a subdissector table indexed by label.
If the user specifies a binding (through "Decode as...") label N <--> proto X,
wireshark will pass data past last mpls label to dissector X. If there is
no label2proto binding, the legacy "first nibble based" algorithm (corrected and
enhanced) is used.

The original code was:

     if (ipvers == 6) {
       call_dissector(ipv6_handle, next_tvb, pinfo, tree);
     } else if (ipvers == 4) {
       call_dissector(ipv4_handle, next_tvb, pinfo, tree);
     } else if (ipvers == 1) {
       dissect_mpls_control(next_tvb, pinfo, tree);
     } else {
       call_dissector(eth_withoutfcs_handle, next_tvb, pinfo, tree);
     }

dissect_mpls_control() is now called dissect_pw_ach() (ach stands for
Associated Channel Header) as per RFC 4385 terminology.
dissect_pw_mcw() (mcw stands for MPLS Generic/Preferred Control Word)
is called only if the first nibble is 0 (as per RFC 4385) and if the
first 12 bytes of data look like two mac addresses.

Ethernet PWs are common nowadays with and without CW (control word:
4 bytes between last mpls label and the encapsulated ethernet header)
in service provider networks.  I have been told a few times that
"wireshark doesn't work" because of the CW presence.  This patch
"automagically" provides a valid dissection in most common "eth
PWs with/without CW" cases.

Moreover, this patch allows wireshark users to manually provide info
in case the heuristic fails.

If you accept these changes, new dissectors, one for each type of PW
encapsulated traffic, can be easily implemented (packet-pw-eth.c is
provided as a starting point).

- Structure-Agnostic Time Division Multiplexing (TDM) over Packet
  (SAToP) (RFC 4553)

- Structure-Aware Time Division Multiplexed (TDM) Circuit Emulation Service
  over Packet Switched Network
  (CESoPSN) (RFC 5086)

are at the top of my to-do list.

I have used and fuzz-tested this code.  Please check it in.

Ciao
FF

ps
patch is against svn #25387 but unfortunately is a "diff -ru dir1 dir2"
because I cannot "svn diff" anymore due to bad bad proxy settings,
sorry, it should work fine anyway.

pps
bug report is #2689

Attachment: new_mpls_heuristic.patch
Description: Binary data
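
The first-nibble decision described in the message, as an added stand-alone example that is not code from the patch or from Wireshark. The enum names, the OUI table and the body of looks_like_plain_eth() are assumptions (the message only says the first 12 bytes must "look like two mac addresses"), and the "Decode as..." label binding is not modelled. Every read is guarded by a length check, since the payload is untrusted and may be truncated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Branch names are hypothetical; they mirror the pseudocode in the message. */
enum pw_next { NEXT_NONE, NEXT_IPV4, NEXT_IPV6, NEXT_PW_ACH, NEXT_ETH, NEXT_PW_MCW };

/* Constructed sample table of OUIs treated as "known" (assumption). */
static const uint8_t known_oui[][3] = { {0x00, 0x00, 0x0c}, {0x00, 0x1b, 0x21} };

static int oui_known(const uint8_t *mac)
{
    for (size_t i = 0; i < sizeof known_oui / sizeof known_oui[0]; i++)
        if (memcmp(mac, known_oui[i], 3) == 0) return 1;
    return 0;
}

/* Assumed stand-in for looks_like_plain_eth(): both 6-byte addresses must be
 * present and carry a known OUI. Short input is never treated as Ethernet. */
static int looks_like_plain_eth(const uint8_t *p, size_t len)
{
    return len >= 12 && oui_known(p) && oui_known(p + 6);
}

/* Decide what follows the last MPLS label from the first nibble of the payload. */
enum pw_next classify_past_last_label(const uint8_t *p, size_t len)
{
    if (p == NULL || len == 0) return NEXT_NONE;   /* no byte to read */
    switch (p[0] >> 4) {
    case 6:  return NEXT_IPV6;
    case 4:  return NEXT_IPV4;
    case 1:  return NEXT_PW_ACH;
    case 0:  return looks_like_plain_eth(p, len) ? NEXT_ETH : NEXT_PW_MCW;
    default: return NEXT_ETH;
    }
}

/* Constructed payloads: Ethernet without CW, and the same frame behind a zero CW. */
static const uint8_t eth_no_cw[] = { 0x00,0x00,0x0c,0x11,0x22,0x33, 0x00,0x1b,0x21,0x44,0x55,0x66, 0x08,0x00 };
static const uint8_t eth_with_cw[] = { 0x00,0x00,0x00,0x00, 0x00,0x00,0x0c,0x11,0x22,0x33, 0x00,0x1b,0x21,0x44,0x55,0x66, 0x08,0x00 };

int main(void)
{
    printf("no CW: %d, with CW: %d\n",
           classify_past_last_label(eth_no_cw, sizeof eth_no_cw),
           classify_past_last_label(eth_with_cw, sizeof eth_with_cw));
    return 0;
}
```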