Network Monitor Discards MPLS Encapsulated Packets


Article ID: 160148


Updated On:


Data Loss Prevention Network Monitor


As designed, the Network Detection Server will discard packets encapsulated by MPLS (MultiProtocol  Label Switching).

PacketCapture will discard these packets at the driver level so it will appear that the Network Detection Server is not seeing traffic.

See for a detailed description of MPLS.



There are a couple of ways to find out if the traffic being sent to the monitor is encapsulated in MPLS format:


1.        The quickest way is to get a Wireshark capture and check the Protocol Hierarchy.  Go to Statistics menu -> Protocol Hierarchy.

If a large percentage of the packet has MultiProtocol Label Switching Header, then these packets are being discarded by packetcapture and not seen by the monitor.   In the example below, 99.86% of packets are MPLS encapsulated.  This means 99.86 of the packets during this capture were discarded by packetcapture.


2.   Another way to check for MPLS is to filter the Wireshark capture for eth.type == 0x8847.  Again the packets encapsulated by MPLS are being discarded.  This may be a good way to check Network Monitors that are partially seeing traffic to see if some of the packets are being encapsulated.