Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] MPLS over UDP decoding

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 28 Dec 2018 13:06:20 -0800
On Dec 27, 2018, at 3:01 PM, Yang Yu <yang.yu.list@xxxxxxxxx> wrote:

> In a packet capture of sFlow export packets, I noticed some sFlow
> samples were decoded as MPLS over UDP. The sFlow sampled packet was
> actually just a UDP VoIP packet with no dissector support.
> 
> What logic does Wireshark use to opportunistically consider UDP
> payload to be MPLS?

From looking at the code, the logic appears to be "is the traffic to or from UDP port 6635?"

So *is* the traffic to or from UDP port 6635?