kbandla / dpkt

fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols

Issue with MPLS #617

Closed brightpinefield closed 2 years ago

brightpinefield commented 2 years ago

Hi all,

I'm not sure if this is a bug or not, so I apologize if not. I recently received some pcaps with some MPLS data contained within the packets. I'm just trying to use a simple script to extract packets by IP and received this error:

Traceback (most recent call last):
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 6, in inet_to_str
    return socket.inet_ntop(socket.AF_INET, inet)
ValueError: invalid length of packed IP address string

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 96, in <module>
    main(input_folder, output_folder, ip_list, jmirror)
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 82, in main
    extract_packets_by_ip(file_path, ip_to_writer_dict, jmirror)
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 52, in extract_packets_by_ip
    srcip = inet_to_str(ip.src)
  File "/Volumes/DATA/TESTCASE/extract_packets.py", line 8, in inet_to_str
    return socket.inet_ntop(socket.AF_INET6, inet)
ValueError: invalid length of packed IP address string

Wireshark of course sees the IP addresses no problem:

[Screenshot: Screen Shot 2021-12-01 at 12 24 48 PM]

I can only think that it might be the MPLS info or something that makes dpkt break when it tries to grab the IP info. Not sure though. If someone has run into this before and has a workaround or fix, please let me know. I've attached a packet example.

Also, is there a forum/discord where people are discussing the DPKT project? Would be nice to have if not.

packet.pcap.zip

brifordwylie commented 2 years ago

Hi @brightpinefield so I just downloaded your example pcap (thanks for that... makes debugging easy).

In dpkt/examples there's a script called print_packets.py. I just changed the path/name of the pcap file and I got this output. It looks like there's an Ethernet frame wrapped in an Ethernet frame; the inner Ethernet frame then has an IP/TCP inside it.

> python print_packets.py
Timestamp:  2021-11-06 20:12:01.165416
Ethernet Frame:  a4:7b:2c:21:93:9c 20:e0:9c:50:39:69 34887
Non IP Packet type not supported Ethernet

** Pretty print demo **

Ethernet(
  dst=b' \xe0\x9cP9i',  # 20:e0:9c:50:39:69
  src=b'\xa4{,!\x93\x9c',  # a4:7b:2c:21:93:9c
  type=34887,
  labels=[
    (523475, 0, 254),
    (523467, 0, 255),
  ],
  mpls_labels=[
    MPLSlabel(val=523475, ttl=254),
    MPLSlabel(val=523467, s=1, ttl=255),
  ],
  data=Ethernet(
    dst=b'\x016\xd4\xb2z\x02',  # 01:36:d4:b2:7a:02
    src=b'\x17h\x81\x00\x04\xdb',  # 17:68:81:00:04:db
    type=2048,
    data=IP(
      v=4,
      hl=5,
      tos=0,
      len=52,
      id=0,
      rf=0,
      df=1,
      mf=0,
      offset=0,
      ttl=63,
      p=6,  # TCP
      sum=21762,  # 0x5502
      src=b'\xc0\xa8\x01d',  # 192.168.1.100
      dst=b'\xc0\xa8\x01e',  # 192.168.1.101
      opts=b'',
      data=TCP(
        sport=57469,
        dport=443,
        seq=3130810686,
        ack=3204377710,
        off=8,
        flags=16,  # ACK
        win=41358,
        sum=20594,  # 0x5072
        urp=0,
        opts=b'\x01\x01\x08\n@0\xe9\x8al\x1b^\xa2',
      )  # TCP
    )  # IP
  )  # Ethernet
)  # Ethernet

brifordwylie commented 2 years ago

You can modify the dpkt/examples/print_packets.py code like so to get the Ethernet frame within frame...

# Unpack the OUTER Ethernet frame (mac src/dst, ethertype)
eth_outer = dpkt.ethernet.Ethernet(buf)
print('Ethernet Frame: ', mac_to_str(eth_outer.src), mac_to_str(eth_outer.dst), eth_outer.type)

# Now get the INNER Ethernet frame (mac src/dst, ethertype)
eth = eth_outer.data
print('Ethernet Frame: ', mac_to_str(eth.src), mac_to_str(eth.dst), eth.type)

# Normal IP/TCP/whatever on 'eth'
brightpinefield commented 2 years ago

Ahhh, thank you Brian. I was told that the pcaps we received were run through stripe to remove the MPLS encapsulation. I guess when it did that, it created a second Ethernet frame. I guess I have to figure out a way to code around this. If anyone has some suggestions, I'd appreciate it. Thank you! <3

brifordwylie commented 2 years ago

I think the code snippet above might get you started. Closing the ticket for now; if there's a follow-up, feel free to reopen.