Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
--- Begin Message ---
On 05/05/2020 21:44, Gert Doering wrote:
>> We should print "PW Ethernet Control Word" and the "Sequence Number", the last 
>> 2 octets of the 4.
>> Like:
>> PW Ethernet Control Word, Sequence Number xxx
> I think we should only print this if "-v" is given.  Most of the time, 
> both control word and sequence number are of little interest.
> 
> I really like tcpdump's very compact "only the most relevant info" output
> format (by default).

OK for "-v" only print.

Other information from Francesco Fondelli:

---
it is a bit more complicated than that, look for

/*
 * No, there isn't, so use the 1st nibble logic (see BCP 4928,
 * RFC 4385 and 5586).
 */

in
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-mpls.c;h=4ecb10d1216077b92e6d4ca2520340cf053414f4;hb=HEAD

and also the PW ETH heuristic in looks_like_plain_eth

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-pw-eth.c;h=aec7b662d38ddb36514ed3c213df47ad53ad610b;hb=HEAD

Wireshark MPLS heuristic is not perfect and has been criticized but is still 
there :-) hopefully
correctly parsing your data as well.

For tcpdump maybe a -T based approach is better?

-T mpls (+ 1st nibble logic for IPv4/IPv6)
-T ethpw
-T ethpwnocw
...
---

Probably some more work to do...

And probably linked to https://tools.ietf.org/html/rfc8469.

-- 
Francois-Xavier
--- End Message ---
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 08:47:04PM +0200, Francois-Xavier Le Bail wrote:
> > So, given that the first 16 bits are "4 bit always 0, and 12 bits
> > reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
> > are following the MPLS headers, it's a control word, so we skip 4 bytes
> > and the rest is a regular Ethernet packet" should work.
> 
> We should print "PW Ethernet Control Word" and the "Sequence Number", the last 
> 2 octets of the 4.
> Like:
> PW Ethernet Control Word, Sequence Number xxx

I think we should only print this if "-v" is given.  Most of the time, 
both control word and sequence number are of little interest.

I really like tcpdump's very compact "only the most relevant info" output
format (by default).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
--- Begin Message ---
On 05/05/2020 20:45, Francois-Xavier Le Bail via tcpdump-workers wrote:
> We should print "PW Ethernet Control Word" and the "Sequence Number", the last 
> 2 octets of the 4.
> Like:
> PW Ethernet Control Word, Sequence Number xxx

Attached patch based on yours.

-- 
Francois-Xavier
diff --git a/print-mpls.c b/print-mpls.c
index 62b79957..e375c84a 100644
--- a/print-mpls.c
+++ b/print-mpls.c
@@ -50,7 +50,8 @@ enum mpls_packet_type {
PT_UNKNOWN,
PT_IPV4,
PT_IPV6,
-   PT_OSI
+   PT_OSI,
+   PT_ETHER
 };
 
 /*
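Review bot: the new `PT_ETHER` value carries no comment saying which encapsulation it stands for, unlike the meaning a reader can infer from `PT_IPV4`/`PT_IPV6`/`PT_OSI`; since it is only selected when an RFC 4448 control word is found (second hunk), a trailing comment such as `PT_ETHER   /* Ethernet PW behind an RFC 4448 control word */` would save a trip to `mpls_print()`.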
@@ -174,6 +175,15 @@ mpls_print(netdissect_options *ndo, const u_char *bp, 
u_int length)
pt = PT_OSI;
break;
 
+   case 0x00:  /* RFC 4448 PW Ethernet Control Word */
+   ND_PRINT("\n\tPW Ethernet Control Word");
+   p += 2;
+   ND_PRINT(", Sequence Number %u", GET_BE_U_2(p));
+   p += 2;
+   length -= 4;
+   pt = PT_ETHER;
+   break;
+
default:
/* ok bail out - we did not figure out what it is*/
break;
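Review bot: the new `case 0x00` branch advances `p` by 4 and does `length -= 4` without first checking that at least four octets remain after the label stack; `length` is `u_int`, so a short packet wraps it to a huge value that is then handed to `ether_print()`. Add `if (length < 4) break;` before the first `ND_PRINT` so such packets stay `PT_UNKNOWN` like the `default:` case. Two smaller points in the same branch: it keys on the first nibble alone, whereas RFC 4448 section 4.6 (and the heuristic agreed earlier in the thread) has the whole first 16 bits zero, so `GET_BE_U_2(p) == 0` is the tighter test; and the thread settled on printing the control word and sequence number only with `-v`, so the two `ND_PRINT` calls belong inside `if (ndo->ndo_vflag)`.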
@@ -203,6 +213,10 @@ mpls_print(netdissect_options *ndo, const u_char *bp, 
u_int length)
isoclns_print(ndo, p, length);
break;
 
+   case PT_ETHER:
+   ether_print(ndo, p, length, ND_BYTES_AVAILABLE_AFTER(bp), NULL, 
NULL);
+   break;
+
default:
break;
}
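Review bot: `ND_BYTES_AVAILABLE_AFTER(bp)` is computed from `bp`, the start of the MPLS header, while the data passed to `ether_print()` starts at `p`, which has already been advanced past the label stack and (in the previous hunk) past the 4-octet control word; the caplen argument therefore overstates the bytes actually available by that distance. Use `ND_BYTES_AVAILABLE_AFTER(p)` so that caplen is reduced in step with `length`.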
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
--- Begin Message ---
On 05/05/2020 20:37, Gert Doering wrote:
> Hi,
> 
> On Tue, May 05, 2020 at 07:28:28PM +0200, Francois-Xavier Le Bail wrote:
>> On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
>>> In my case, there is an MPLS control word before the ethernet header
>>> (" "), and if I skip that and just clear "ethernet in here", I
>>> get nicely printed packets...
>>
>> It seems it is like:
>> https://tools.ietf.org/html/rfc4448#section-4.6
>>
>> Can you confirm?
> 
> This very much looks like it, indeed.
> 
> So, given that the first 16 bits are "4 bit always 0, and 12 bits
> reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
> are following the MPLS headers, it's a control word, so we skip 4 bytes
> and the rest is a regular Ethernet packet" should work.

We should print "PW Ethernet Control Word" and the "Sequence Number", the last 2 
octets of the 4.
Like:
PW Ethernet Control Word, Sequence Number xxx

[...]
18:31:01.221109 00:22:55:93:74:80 > a8:0c:0d:56:50:3b, ethertype MPLS unicast 
(0x8847), length 140:
MPLS (label 24002, exp 0, [S], ttl 253)
PW Ethernet Control Word, Sequence Number 0
00:c1:64:65:92:0f > 3c:fd:fe:bd:78:35, ethertype IPv4 (0x0800)
[...]

-- 
Francois-Xavier
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 07:28:28PM +0200, Francois-Xavier Le Bail wrote:
> On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
> > In my case, there is an MPLS control word before the ethernet header
> > (" "), and if I skip that and just clear "ethernet in here", I
> > get nicely printed packets...
> 
> It seems it is like:
> https://tools.ietf.org/html/rfc4448#section-4.6
> 
> Can you confirm?

This very much looks like it, indeed.

So, given that the first 16 bits are "4 bit always 0, and 12 bits
reserved-must-be-set-to-0", using these as heuristics for "if two 0-bytes
are following the MPLS headers, it's a control word, so we skip 4 bytes
and the rest is a regular Ethernet packet" should work.

Thanks for digging up that reference :)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
--- End Message ---
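The control-word heuristic sketched in the message above, as an added example in C that is neither part of this thread nor of tcpdump's print-mpls.c: it pops the label stack, applies the first-nibble logic, and accepts an Ethernet pseudowire only when the whole first 16 bits are zero and a complete control word plus a 14-octet Ethernet header fit in the buffer. All type and function names are assumptions, and both sample frames are constructed (they reuse the label numbers and MAC addresses quoted in the thread).

```c
/* Added example, not tcpdump's print-mpls.c: pop an MPLS label stack and
 * classify the payload; an all-zero first 16 bits means an RFC 4448 control word. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum pw_type { PW_UNKNOWN, PW_IPV4, PW_IPV6, PW_ETHER_CW };

struct pw_result {
    enum pw_type type;
    unsigned labels;     /* label stack entries popped */
    unsigned seq;        /* control word sequence number (PW_ETHER_CW only) */
    size_t payload_off;  /* offset of the inner packet in the buffer */
};

/* Returns 0 when classification ran, -1 when the buffer is truncated. */
int mpls_classify(const uint8_t *buf, size_t len, struct pw_result *r)
{
    size_t off = 0;
    memset(r, 0, sizeof *r);
    for (;;) {                       /* pop until the bottom-of-stack bit */
        if (len - off < 4) return -1;
        uint32_t lse = (uint32_t)buf[off] << 24 | (uint32_t)buf[off + 1] << 16 |
                       (uint32_t)buf[off + 2] << 8 | buf[off + 3];
        off += 4;
        r->labels++;
        if (lse & 0x100)             /* S bit set: that was the last label */
            break;
    }
    if (len - off < 1) return -1;
    r->payload_off = off;
    switch (buf[off] >> 4) {         /* first nibble of the payload */
    case 4: r->type = PW_IPV4; break;
    case 6: r->type = PW_IPV6; break;
    case 0:
        /* RFC 4448 4.6: 4 zero bits, 12 reserved zero bits, 16-bit sequence number.
         * Require all 16 zero plus room for the word and a 14-octet Ethernet header. */
        if (len - off >= 4 + 14 && buf[off] == 0 && buf[off + 1] == 0) {
            r->seq = (unsigned)buf[off + 2] << 8 | buf[off + 3];
            r->payload_off = off + 4;
            r->type = PW_ETHER_CW;
        }
        break;
    default: break;
    }
    return 0;
}

/* Constructed: labels 105 (ttl 254) and 24003 ([S], ttl 254), control word seq 7, Ethernet/IPv4. */
const uint8_t pw_frame[] = {
    0x00, 0x06, 0x90, 0xfe, 0x05, 0xdc, 0x31, 0xfe, 0x00, 0x00, 0x00, 0x07,
    0x00, 0xc1, 0x64, 0x65, 0x92, 0x0f, 0x3c, 0xfd, 0xfe, 0xbd, 0x78, 0x35,
    0x08, 0x00 };
/* Constructed: one bottom-of-stack label followed directly by an IPv4 header. */
const uint8_t ip_frame[] = { 0x00, 0x06, 0x91, 0xfe, 0x45, 0x00, 0x00, 0x54 };
```

A packet whose first nibble is zero but whose reserved bits are not, or which is too short to hold the control word and an Ethernet header, stays PW_UNKNOWN and would still be hexdumped rather than misparsed.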


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 07:24:37PM +0200, Francois-Xavier Le Bail wrote:
> Ok, it had DOS line ending format ...

Not when I sent it, but who knows which mailer mangled it in surprising
and fascinating ways on the path...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
--- Begin Message ---
On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
> In my case, there is an MPLS control word before the ethernet header
> (" "), and if I skip that and just clear "ethernet in here", I
> get nicely printed packets...

It seems it is like:
https://tools.ietf.org/html/rfc4448#section-4.6

Can you confirm?

-- 
Francois-Xavier
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
--- Begin Message ---
On 05/05/2020 19:17, Gert Doering wrote:
> Hi,
> 
> On Tue, May 05, 2020 at 06:45:27PM +0200, Francois-Xavier Le Bail wrote:
>>> Attached as well.  Not very smart yet, just does "what I need".
>>
>> Thanks,
>>
>> Patch for which tcpdump version?
> 
> github checkout, it identifies itself as
> 
> tcpdump version 4.10.0-PRE-GIT
> 
> (git clone https://github.com/the-tcpdump-group/tcpdump.git)

Ok, it had DOS line ending format ...
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 06:45:27PM +0200, Francois-Xavier Le Bail wrote:
> > Attached as well.  Not very smart yet, just does "what I need".
> 
> Thanks,
> 
> Patch for which tcpdump version?

github checkout, it identifies itself as

tcpdump version 4.10.0-PRE-GIT

(git clone https://github.com/the-tcpdump-group/tcpdump.git)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
--- Begin Message ---
On 05/05/2020 18:34, Gert Doering wrote:
> Hi,
> 
> On Tue, May 05, 2020 at 04:45:04PM +0200, Francois-Xavier Le Bail wrote:
>> On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
>>> 12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], 
>>> ttl 254) IP 10.27.99.2 > 10.27.99.34: ICMP echo request, id 49866, seq 
>>> 5160, length 84
>>> 12:11:46.117107 MPLS (label 24002, exp 0, [S], ttl 253) IP 10.27.99.34 > 
>>> 10.27.99.2: ICMP echo reply, id 49866, seq 5160, length 84
>>>
>>>
>>> So, for my debugging purposes, I have what I need now.
>>
>> [...]
> 
>> And the patch you apply ?
> 
> Attached as well.  Not very smart yet, just does "what I need".

Thanks,

Patch for which tcpdump version?

-- 
Francois-Xavier
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 04:45:04PM +0200, Francois-Xavier Le Bail wrote:
> On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
> > 12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], 
> > ttl 254) IP 10.27.99.2 > 10.27.99.34: ICMP echo request, id 49866, seq 
> > 5160, length 84
> > 12:11:46.117107 MPLS (label 24002, exp 0, [S], ttl 253) IP 10.27.99.34 > 
> > 10.27.99.2: ICMP echo reply, id 49866, seq 5160, length 84
> > 
> > 
> > So, for my debugging purposes, I have what I need now.
> 
> Could you send a pcap file with the ICMP echo request/reply test ?

Of course.  Attached.  This is EVPN/MPLS between two Cisco ASRs (in
case it makes a difference).  One direction has only a single label
because the final router is on the link I'm sniffing, the other direction
has two labels.

Inside are a few machines pinging around plus one or two ARPs.

(The .cap file is very small, just 4 kbyte, so I dare send it to the
list as well)

> And the patch you apply ?

Attached as well.  Not very smart yet, just does "what I need".

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Francois-Xavier Le Bail via tcpdump-workers
--- Begin Message ---
On 05/05/2020 12:15, Gert Doering via tcpdump-workers wrote:
> 12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], 
> ttl 254) IP 10.27.99.2 > 10.27.99.34: ICMP echo request, id 49866, seq 5160, 
> length 84
> 12:11:46.117107 MPLS (label 24002, exp 0, [S], ttl 253) IP 10.27.99.34 > 
> 10.27.99.2: ICMP echo reply, id 49866, seq 5160, length 84
> 
> 
> So, for my debugging purposes, I have what I need now.

Could you send a pcap file with the ICMP echo request/reply test ?
And the patch you apply ?

-- 
Francois-Xavier
--- End Message ---


Re: [tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

On Tue, May 05, 2020 at 05:50:40AM -0400, Gert Doering via tcpdump-workers 
wrote:
> Now, the two questions:
> 
>  - is there a switch I'm missing to decode packets-in-MPLS?
> (like, "packets in GRE" get decoded already)
>  - if not, is someone already working on it?  I might just hack 
>it in, if not...

O-kay.  That turned out to be easier and harder than I thought, at the
same time.

tcpdump's print-mpls.c already does "if I know what upper-layer protocol
is in here, I call the appropriate printer".  But there is no well-defined
type field, so it fails for my packets, and falls back to "hexdump"
(good enough).

In my case, there is an MPLS control word before the ethernet header
(" "), and if I skip that and just clear "ethernet in here", I
get nicely printed packets...

12:11:46.116238 MPLS (label 105, exp 0, ttl 254) (label 24003, exp 0, [S], ttl 
254) IP 10.27.99.2 > 10.27.99.34: ICMP echo request, id 49866, seq 5160, length 
84
12:11:46.117107 MPLS (label 24002, exp 0, [S], ttl 253) IP 10.27.99.34 > 
10.27.99.2: ICMP echo reply, id 49866, seq 5160, length 84


So, for my debugging purposes, I have what I need now.

For "contribute back to tcpdump", this is unsatisfactory, as I'm just
guessing what is in there - we already have guesswork, but that isn't
covering "0" (and being a control word, it could be anything).

How does wireshark/tshark approach this?


Would it make sense to add a flag option "hey, MPLS dissector, this is
ethernet + control-word, always"?

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
--- End Message ---


[tcpdump-workers] decode MPLS-contained packets?

2020-05-05 Thread Gert Doering via tcpdump-workers
--- Begin Message ---
Hi,

I need to trace "MPLS-y" stuff between some routers, and wonder if
I'm missing tcpdump functionality here, namely "decode packets inside
MPLS".

I can match on "mpls" or "mpls ", but then I just get a hex
dump...

11:13:58.765851 MPLS (label 105, exp 0, ttl 254)
(label 24003, exp 0, [S], ttl 254)
0x0000:  0000 0000 0050 569c 338e 3cfd febd 7835  .....PV.3.<...x5
0x0010:  0800 4500 0068 1218 0000 4001 8e3b 0a1b  ..E..h....@..;..
0x0020:  6302 0a1b 630a 0800 a2ea 6e4b 0738 0000  c...c.....nK.8..
0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0040:  0000 6c69 626f 7069 6e67 202d 2d20 4943  ..liboping.--.IC
0x0050:  4d50 2070 696e 6720 6c69 6272 6172 7920  MP.ping.library.
0x0060:  3c68 7474 703a 2f2f 6f63 746f 2e69 742f  <http://octo.it/

... while tshark would nicely decode the inner headers...

MultiProtocol Label Switching Header, Label: 24002, Exp: 0, S: 1, TTL: 253
    0000 0101 1101 1100 0010 .... .... .... = MPLS Label: 24002
    .... .... .... .... .... 000. .... .... = MPLS Experimental Bits: 0
    .... .... .... .... .... ...1 .... .... = MPLS Bottom Of Label Stack: 1
    .... .... .... .... .... .... 1111 1101 = MPLS TTL: 253
Ethernet II, Src: Cisco_65:92:0f (00:c1:64:65:92:0f), Dst: IntelCor_bd:78:35 
(3c:fd:fe:bd:78:35)
...
Internet Protocol Version 4, Src: 10.27.99.34, Dst: 10.27.99.2
...
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)



Now, I do not want to use tshark here, because it is way too chatty - 
for a quick live packet view ("1-3 lines per packet", so I can immediately
see "ah, yes, packet went out, reply is / is not coming back") without
scrolling or folding packets I like tcpdump way better...


Now, the two questions:

 - is there a switch I'm missing to decode packets-in-MPLS?
(like, "packets in GRE" get decoded already)
 - if not, is someone already working on it?  I might just hack 
   it in, if not...


thanks :)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
--- End Message ---