LISP dissector for Wireshark

This page is the home of an effort to develop a complete dissector plugin for the Locator/ID Separation Protocol (LISP) within the Wireshark network analyzer. Work started against the 1.2.x branch of Wireshark, followed by the 1.4.x branch, with version 20110422 of the patch being accepted for inclusion into the 1.6.x branch. A second upstream submission was version 20120819, which is now part of the 1.9.x development branch, and will be released in the 1.10.x stable series.

Development of the dissector is still active after upstream inclusion, with new features and bugfixes showing up on this page first. If you are not interested in features that were added after version 20110422, just grab the latest stable source or binary package directly from the official Wireshark download page (or, if your OS has package management, use the included package, as long as it is version 1.6.0 or higher). If you want the features and fixes added between versions 20110422 and 20120819, you can still avoid compiling from source on Windows and on the Mac by using the official automated builds. If you want the latest and greatest, follow the steps below and keep checking back to this page. See the contact info at the bottom of the page if you want to receive updates.

Packet dissection is based on draft-ietf-lisp-23, draft-farinacci-lisp-lcaf-10, and draft-ermagan-lisp-nat-traversal-01.

Source Code

The dissector used to be released as a patch against mainline. Version 20120819 was the last in patch form; from now on there will be no more point releases. Instead, you can download the latest version of the packet-lisp.c file, which implements the LISP control packet dissector. Since the upstream inclusion no Makefiles need to be modified, so all you need to do is overwrite this file, which makes patching unnecessary.

Step-by-step instructions:

  1. Download the latest stable source tarball from the Wireshark download page.
  2. Download the latest revision of the dissector code.
  3. Extract the Wireshark source.
  4. Overwrite epan/dissectors/packet-lisp.c with the file downloaded in step 2.
  5. Build from source as you normally would. Note that you can personalize how Wireshark is compiled on your system; see ./configure --help for an extensive list of options. Refer to the Wireshark documentation for more help on how to build from source.
  6. (Optional) Check revision history, to know what's new.

The above steps should translate roughly to the following commands:

     wget http://www.wireshark.org/download/src/wireshark-1.8.x.tar.bz2
     wget http://raw.github.com/ljakab/lisp-dissector/master/packet-lisp.c
     tar xvf wireshark-1.8.x.tar.bz2
     cp packet-lisp.c wireshark-1.8.x/epan/dissectors
     cd wireshark-1.8.x
     ./configure --help
     ./configure
     nice make -j4
     sudo make install
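The copy in step 4 is the one place where the procedure can silently go wrong: if the path is mistyped, cp creates a stray file instead of replacing the dissector, and the build proceeds with the old one. The following shell function is an added example, not part of the lisp-dissector project or of Wireshark; it wraps step 4 with the checks a careful installer would make. It assumes the 1.6+ source layout (epan/dissectors/packet-lisp.c) and relies on the Wireshark convention that every dissector defines a proto_register_<name> function, so a downloaded file is rejected if it does not mention proto_register_lisp (an HTML error page saved by wget, for instance). The upstream file is kept as packet-lisp.c.orig so the change can be reverted.

```shell
#!/bin/sh
# Added example (not project code): install a downloaded packet-lisp.c into an
# extracted Wireshark source tree, with sanity checks and a backup.
#
# install_lisp_dissector TREE FILE
#   TREE: extracted Wireshark source directory (e.g. wireshark-1.8.x)
#   FILE: the packet-lisp.c downloaded from the dissector repository
# Returns 0 on success and 1 on any failed check, with the reason on stderr.
install_lisp_dissector() {
    tree=$1
    file=$2
    target="$tree/epan/dissectors/packet-lisp.c"

    # The downloaded file must exist and be non-empty.
    if [ ! -s "$file" ]; then
        echo "error: $file is missing or empty" >&2
        return 1
    fi
    # Every Wireshark dissector registers itself through proto_register_<name>;
    # a file without proto_register_lisp is not the dissector (e.g. an HTML
    # error page saved under that name).
    if ! grep -q 'proto_register_lisp' "$file"; then
        echo "error: $file does not look like packet-lisp.c" >&2
        return 1
    fi
    # Never create epan/dissectors ourselves: if it is absent, TREE is not an
    # extracted Wireshark source tree and cp would just leave a stray file.
    if [ ! -d "$tree/epan/dissectors" ]; then
        echo "error: $tree/epan/dissectors not found; is $tree a Wireshark source tree?" >&2
        return 1
    fi
    # Keep the upstream copy so the replacement can be reverted.
    if [ -f "$target" ]; then
        cp "$target" "$target.orig" || return 1
    fi
    cp "$file" "$target" || return 1
    echo "installed $file as $target (backup: $target.orig)"
}

# Usage: sh install-lisp-dissector.sh wireshark-1.8.x packet-lisp.c
if [ $# -eq 2 ]; then
    install_lisp_dissector "$1" "$2"
fi
```

After the function reports success, continue with ./configure and make exactly as in the command list above; nothing else in the tree is touched.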

Caveats

You should be aware that capturing on the same machine that generates the packets you are interested in may cause issues with checksums, due to hardware offloading to the NIC. For example, if you use a Linux host to generate Map-Request messages and capture those packets with Wireshark on the same host, UDP checksums may be shown as incorrect (unless you used raw UDP sockets to generate them), because the checksum is filled in by the NIC after the capture point. You may solve this by disabling checksum offloading on your NIC, if this operation is supported. Using ethtool, you can check the offload status:

     ethtool --show-offload eth0

If transmit checksum is on, you can disable it by running:

     ethtool --offload eth0 tx off

For more information, see the Wireshark wiki on this topic.
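Whether bad UDP checksums on locally generated packets are an artifact or a real problem depends on what the ethtool output above says, and some drivers report transmit checksumming as "[fixed]", meaning it cannot be switched off with "ethtool --offload". The shell function below is an added example, not part of the dissector project; it reads the output of "ethtool --show-offload" on stdin and classifies the transmit checksum state. It assumes the Linux ethtool output layout, where an aggregate "tx-checksumming: on|off" line is followed by indented "tx-checksum-*" sub-feature lines, each optionally tagged "[fixed]"; the state is reported as fixed if the aggregate line is tagged or if no sub-feature is switchable.

```shell
#!/bin/sh
# Added example (not project code): classify transmit checksum offload from
# `ethtool --show-offload IF` output read on stdin. Prints one of:
#   off       - offload disabled; checksum errors in the capture are real
#   on        - offload enabled and switchable: locally generated packets may
#               show bad UDP checksums; `ethtool --offload IF tx off` disables it
#   on-fixed  - offload enabled but the driver does not allow disabling it
#   unknown   - no tx-checksumming line found (exit status 1)
tx_offload_state() {
    awk '
        # Aggregate line, e.g. "tx-checksumming: on" (possibly "[fixed]").
        /^tx-checksumming:/ {
            state = $2
            if ($0 ~ /\[fixed\]/) agg_fixed = 1
        }
        # Indented sub-features, e.g. "\ttx-checksum-ipv4: off [fixed]".
        /^[ \t]+tx-checksum-/ {
            subs++
            if ($0 !~ /\[fixed\]/) switchable++
        }
        END {
            if (state == "") { print "unknown"; exit 1 }
            if (state == "off") { print "off"; exit 0 }
            if (agg_fixed || (subs > 0 && switchable == 0)) print "on-fixed"
            else print "on"
        }'
}

# Convenience wrapper for a live interface (requires ethtool and, usually, root).
check_tx_offload() {
    ethtool --show-offload "$1" | tx_offload_state
}

# Usage: sh tx-offload-check.sh eth0
if [ $# -eq 1 ]; then
    check_tx_offload "$1"
fi
```

Run this before a capture on the sending host: "on" means the caveat applies and the page's "ethtool --offload eth0 tx off" will clear it, "on-fixed" means you must capture on another machine or ignore the checksum flags for locally generated packets, and "off" means the checksum errors deserve investigation.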

Version history (discontinued)

Screenshots

[Screenshot: LISP encapsulated data packet - Dissecting Data Packets]

[Screenshot: LISP control packet - Dissecting Control Packets]

Contact

For bug reports, constructive criticism, and contributing back improvements, or if you wish to be notified when a new version is available, please send email to Lori Jakab - ljakab@ac.upc.edu. If you report a bug, please provide a capture file that reproduces it.

Important updates are announced on the author's Twitter and Identi.ca feeds. You can also find him hanging out in #lisp-networking and #lispmob on FreeNode (look for Lori).