Wireshark-users: Re: [Wireshark-users] Sniffing LACP traffic with wireshark
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 30 May 2014 15:12:28 -0700
On May 30, 2014, at 8:52 AM, Kevin Wilson <wkevils@xxxxxxxxx> wrote:

> I have wireshark-1.10.7-1.
> when I sniff LACP (Link Aggregation Control Protocol) traffic, I see "LACP"
> in the protocol column, and the ethertype is 0x8809 (Slow Protocols (IEEE 802.3))

That's the Ethertype for a collection of protocols, not just for LACP.

> However, I need to sniff LACP traffic also from the command line with tshark
> (on Linux).
> 
> I see:
> tshark -d 0x8809 -i em1
> I get this error:
> tshark: Parameter "0x8809" doesn't follow the template
> "<layer_type>==<selector>,<decode_as_protocol>"
> tshark: Unknown layer type -- 0x8809

The syntax for the "-d" argument doesn't just take an Ethernet type; it takes a "layer type", which would be "ethertype", a value for the "layer type", and a protocol.  It's the command-line equivalent of "Decode As..." in the GUI; if you don't need to use "Decode As..." in the GUI, you don't need to use "-d" in TShark.

> And when running "tshark -d", which displays the list of all protocols,
> I don't see the LACP protocol.

Perhaps confusingly, not all values in the "Protocol" column correspond to "protocols" registered within Wireshark's dissector engine.  In this particular case, all of the "slow protocols", with Ethernet type 0x8809, are registered as "Slow Protocols" or "802.3 Slow protocols", and the dissector for the slow protocols does an internal case statement, based on the subtype, to call dissectors for the individual protocol type.  The dissectors for the individual protocol types set the column.

So there's no "registered protocol" in Wireshark named LACP, but there is code that sets the column to "LACP".

We should probably add a dissector table for the "slow protocol" subtype, and have the dissectors for various "slow protocols" register in that table, so there's an LACP "registered protocol".

> It is strange that with the wireshark GUI client, 0x8009 is recognized as LACP,
> while "tshark -d" does not show the LACP.

See above.

> Please advise, how can I sniff with the tshark client with filtering for 0x8009
> Ethertype (LACP)? (with -d ethertype==...)

"-d" doesn't do filtering, it does "Decode As...".  You don't need "Decode As..." or "-d" to get Wireshark/TShark to recognize traffic with an ethertype of 0x8809 as "slow protocol" traffic or to get "slow protocol" traffic with a subtype of 0 to be recognized as LACP traffic.

If you want to do capture filtering, then, as Jaap said, you use the same filter syntax as in Wireshark - "ether proto 0x8809", although that will capture traffic for *all* slow protocols, not just LACP.
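To make the "one ethertype, many protocols" point concrete, here is an added example (not code from Wireshark or from anyone on this thread) that does in Python what the slow-protocols dissector does internally: it checks for ethertype 0x8809 and then switches on the subtype byte to label the frame, using the subtype values from IEEE 802.3 Clause 43 (LACP is 0x01, Marker 0x02, OAM 0x03), and parses the Actor Information TLV of an LACPDU. The sample frame, source MAC and field values are constructed for the demonstration.

```python
import struct

SLOW_PROTOCOLS_ETHERTYPE = 0x8809
SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")   # Slow Protocols multicast address

# IEEE 802.3 slow-protocol subtype values. Wireshark's slow-protocols dissector
# switches on this byte to call the per-protocol dissector, and that dissector
# is what writes "LACP" into the Protocol column.
SLOW_SUBTYPES = {0x01: "LACP", 0x02: "Marker", 0x03: "OAM"}

def protocol_column(frame: bytes) -> str:
    """Label a raw Ethernet II frame the way Wireshark's Protocol column would."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != SLOW_PROTOCOLS_ETHERTYPE:
        return "0x%04x" % ethertype            # some other ethertype, not a slow protocol
    if len(frame) < 15:
        return "Slow Protocols"                # ethertype matched but no subtype byte
    return SLOW_SUBTYPES.get(frame[14], "Slow Protocols")

def lacp_actor_info(frame: bytes) -> dict:
    """Parse the Actor Information TLV of an LACPDU (IEEE 802.3 43.4.2.2)."""
    if protocol_column(frame) != "LACP":
        raise ValueError("not an LACPDU")
    version, tlv_type, tlv_len = frame[15], frame[16], frame[17]
    if tlv_type != 0x01 or tlv_len != 0x14:
        raise ValueError("unexpected Actor Information TLV header")
    sys_prio, sys_id, key, port_prio, port, state = struct.unpack("!H6sHHHB", frame[18:33])
    return {"version": version, "system_priority": sys_prio, "system_id": sys_id.hex(":"),
            "key": key, "port_priority": port_prio, "port": port, "state": state}

# Constructed sample LACPDU: Slow Protocols multicast destination, ethertype 0x8809,
# subtype 0x01 (LACP), version 1, then an Actor Information TLV (type 1, length 20).
SAMPLE_LACPDU = (
    SLOW_PROTOCOLS_MAC
    + bytes.fromhex("001122334455")                        # source MAC (constructed)
    + struct.pack("!H", SLOW_PROTOCOLS_ETHERTYPE)
    + bytes([0x01, 0x01])                                  # subtype = LACP, version = 1
    + bytes([0x01, 0x14])                                  # TLV type = Actor, length = 20
    + struct.pack("!H6sHHHB3x", 0x8000, bytes.fromhex("001122334455"),
                  0x0001, 0x8000, 0x0007, 0x3D)            # prio, system, key, port prio, port, state
)

if __name__ == "__main__":
    print(protocol_column(SAMPLE_LACPDU), lacp_actor_info(SAMPLE_LACPDU))
```

Note that a capture filter of "ether proto 0x8809" corresponds only to the ethertype check in protocol_column; the subtype dispatch is what separates LACP from the other slow protocols.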