LISP dissector for Wireshark

This page is the home of an effort to develop a complete dissector plugin for the Locator/ID Separation Protocol (LISP) within the Wireshark network analyzer. Work started against the 1.2.x branch of Wireshark, then moved to the 1.4.x branch; version 20110422 of the patch was accepted for inclusion in the 1.6.x branch. Development continues after upstream inclusion, and new features and bug fixes appear on this page first. If you only need what upstream ships, grab the latest stable source or binary package directly from the official Wireshark download page. Updates eventually make it upstream, but the delay may be significant, so check back here if you want the latest version. See the contact information at the bottom of the page if you want to be notified of updates.

Packet dissection is based on draft-ietf-lisp-22.

Source Code

We offer the source code of the LISP packet dissector in three ways: as a patch against the current stable branch, from a git repository, and as an already patched Wireshark source tree.

Current versions of the patch are developed against the 1.6.x stable branch, which already ships a LISP dissector that the patch updates. If you need the dissector on an older branch, use the files from the git repository instead. To apply the patch, run the patch command in the top-level directory of the extracted vanilla (or distribution-patched) Wireshark tree. The first invocation, with --dry-run, only reports whether every hunk applies cleanly and leaves the tree untouched; run the second only if the dry run succeeds:
   $ patch -p1 --dry-run < ../wireshark-lisp_20120315.patch
   $ patch -p1 < ../wireshark-lisp_20120315.patch
After the patch is applied (or if you downloaded and extracted the already patched version) you can build Wireshark by executing the following commands in the top-level directory:
   $ ./configure
   $ make
   $ sudo make install

Note that you can personalize how Wireshark is compiled on your system, see ./configure --help for an extensive list of options. Refer to the Wireshark documentation for more help on how to build from source.

You should be aware that capturing on the same machine that generates the packets you are interested in may cause issues with checksums, due to hardware offloading to the NIC. For example, if you use a Linux host to generate Map-Request messages and capture those packets with Wireshark on the same host, UDP checksums may be shown as incorrect (except if you used raw UDP sockets to generate them, in which case your own code filled in the checksum). The capture point sits before the NIC, so the capture records the partial value the kernel hands to the hardware, while the packet actually sent on the wire carries the correct checksum; the error is a capture artifact, not a bug in the sender or in the dissector. You can avoid it by disabling checksum offloading on your NIC, if the driver supports this (the ethtool commands below require root privileges). Alternatives are to capture on a different machine or mirror port, or to leave the NIC alone and turn off checksum validation in Wireshark's UDP protocol preferences. Using ethtool, you can check the offload status:

   ethtool --show-offload eth0
If the output lists tx-checksumming as on, you can disable it (the setting does not survive a reboot or driver reload, so repeat it as needed) by running:
   ethtool --offload eth0 tx off
For more information, see the Wireshark wiki on this topic.
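To make the effect above concrete without touching a NIC, here is an added example (not code from the dissector or from Wireshark) that computes and validates the IPv4 UDP checksum the way Wireshark's UDP dissector classifies it, and shows why a locally captured packet whose checksum is still to be filled in by the hardware is reported as bad. The addresses, ports and payload are constructed; the payload is only a placeholder standing in for a LISP control message on UDP port 4342 and is not a real Map-Request, and the partial value the kernel leaves in the checksum field before offload is modelled as the pseudo-header sum, which is an assumption about the exact contents (any partial value validates as bad).

```python
"""Why a locally captured UDP packet shows a "bad" checksum under TX offload.

Added example, not part of the LISP dissector or of Wireshark. Addresses,
ports and the payload below are constructed; the payload stands in for a
LISP control message on UDP port 4342 and is not a real Map-Request."""
import struct

UDP_PROTO = 17
LISP_CONTROL_PORT = 4342  # LISP control plane; data packets use 4341


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP and UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded with zero for the sum only
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """IPv4 pseudo-header: the UDP checksum covers it in addition to the datagram."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """Checksum a sender must place in the UDP header (field treated as zero)."""
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    s = ones_complement_sum(udp_pseudo_header(src_ip, dst_ip, len(udp_segment)) + zeroed)
    csum = (~s) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 means "no checksum" on IPv4


def verify_udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> str:
    """Classify the field as Wireshark's UDP dissector does: 'none', 'good' or 'bad'."""
    (field,) = struct.unpack("!H", udp_segment[6:8])
    if field == 0:
        return "none"  # sender opted out; nothing to validate over IPv4
    # Summing the datagram including its checksum field must give all ones.
    s = ones_complement_sum(udp_pseudo_header(src_ip, dst_ip, len(udp_segment)) + udp_segment)
    return "good" if s == 0xFFFF else "bad"


def build_udp(src_port: int, dst_port: int, payload: bytes, checksum: int) -> bytes:
    """UDP header (8 bytes, network order) followed by the payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), checksum) + payload


# Constructed sample: 10.0.0.1 -> 10.0.0.2, both sides on the LISP control port.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])
PAYLOAD = bytes.fromhex("10000000" + "00" * 12)  # placeholder bytes, not a real message


def as_on_the_wire() -> bytes:
    """Datagram with the checksum filled in: what a capture on another host sees."""
    unsigned = build_udp(LISP_CONTROL_PORT, LISP_CONTROL_PORT, PAYLOAD, 0)
    return build_udp(LISP_CONTROL_PORT, LISP_CONTROL_PORT, PAYLOAD,
                     udp_checksum(SRC_IP, DST_IP, unsigned))


def as_captured_before_offload() -> bytes:
    """Datagram as a local capture records it when the NIC will finish the checksum.

    The kernel leaves a partial value in the field for the hardware to complete;
    it is modelled here as the pseudo-header sum (an assumption about the exact
    contents). Whatever the partial value is, it does not validate."""
    partial = ones_complement_sum(udp_pseudo_header(SRC_IP, DST_IP, 8 + len(PAYLOAD)))
    return build_udp(LISP_CONTROL_PORT, LISP_CONTROL_PORT, PAYLOAD, partial)


if __name__ == "__main__":
    for label, seg in (("remote capture", as_on_the_wire()),
                       ("local capture, tx offload on", as_captured_before_offload())):
        print(f"{label}: checksum 0x{seg[6:8].hex()} -> "
              f"{verify_udp_checksum(SRC_IP, DST_IP, seg)}")
```

The first datagram validates as good, the second as bad, which is exactly the difference between capturing on a remote machine and capturing on the sending host with tx-checksumming enabled. After `ethtool --offload eth0 tx off` the kernel computes the full checksum itself and the local capture looks like the first case.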

Version history

Screenshots

Screenshot: LISP encapsulated data packet (Dissecting Data Packets)

Screenshot: LISP control packet (Dissecting Control Packets)

Contact

For bug reports, constructive criticism, and contributing back improvements, or if you wish to be notified when a new version is available, please send email to Lori Jakab - ljakab@ac.upc.edu. If you report a bug, please provide a capture file that reproduces it.

Important updates are announced on the author's Twitter and Identi.ca feeds. You can also find him in #lisp-networking and #lispmob on Freenode (look for Lori).