Snort mailing list archives
Re: Problem capturing packets with IPv6 routing header
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 28 Apr 2010 17:31:41 -0400
Do you have an actual pcap you can submit that contains this traffic?

J

On Wed, Apr 28, 2010 at 5:04 PM, <scheffler () cs uni-potsdam de> wrote:

Hi,

I am currently trying to find out if it is possible to write a rule that can detect IPv6 Routing Headers of Type 0 (I tested this with an ICMPv6 Echo Request with an additional routing header).

In order to determine if I can use content rules for the detection of the type of the routing headers, I let snort run in packet dump mode. Here I noticed some peculiar behaviour:

1. If the packet has a Routing Header present, no output is produced for the ICMP Echo Request packet (look at 04/28-20:49:05.583031 in the attached dump).

2. The following packet shows a whole IPv6 packet, including the full IPv6 header (04/28-20:49:05.585397)! The event marks the receipt of the ICMP Response. However, this dump does not show the response packet; instead it is the full packet content from the 04/28-20:49:05.583031 ICMP event.

So it seems something is broken in the packet decoding if an IPv6 Routing Header is present.

Could somebody please look into this problem?

Best regards,

Thomas

snort -dev -i eth1
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Network Interface eth1
Decoding Ethernet on interface eth1

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.3 IPv6 (Build 124)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006

Not Using PCAP_FRAMES

04/28-20:49:05.548799 0:1E:58:DF:D2:48 -> 33:33:FF:6F:A7:E2 type:0x86DD len:0x56
fd00:0141:0064:0001:0000:0000:0000:affe -> ff02:0000:0000:0000:0000:0001:ff6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:72
00 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  .......A.d....>.
FE 6F A7 E2 01 01 00 1E 58 DF D2 48              .o......X..H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.552768 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD len:0x56
fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 -> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:72
60 00 00 00 FD 00 01 41 00 64 00 01 02 16 3E FF  `......A.d....>.
FE 6F A7 E2 02 01 00 16 3E 6F A7 E2              .o......>o..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.583031 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD len:0x56
fd00:0141:0064:0001:0000:0000:0000:affe -> fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:64 TOS:0x0 ID:0 IpLen:40 DgmLen:72

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:05.585397 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD len:0x86
fd00:0141:0064:0001:0216:3eff:fe6f:a7e2 -> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:64 TOS:0x0 ID:0 IpLen:40 DgmLen:120
60 00 00 00 00 20 2B 40 FD 00 01 41 00 64 00 01  `.... +@...A.d..
00 00 00 00 00 00 AF FE FD 00 01 41 00 64 00 01  ...........A.d..
02 16 3E FF FE 6F A7 E2 3A 02 00 01 00 00 00 00  ..>..o..:.......
FD 00 01 41 00 64 00 01 02 16 3E FF FE 6F A7 E2  ...A.d....>..o..
80 00 EB 08 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:10.496075 0:16:3E:6F:A7:E2 -> 0:1E:58:DF:D2:48 type:0x86DD len:0x56
fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 -> fd00:0141:0064:0001:0000:0000:0000:affe IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:72
00 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  .......A.d......
00 00 AF FE 01 01 00 16 3E 6F A7 E2              ........>o..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-20:49:10.496117 0:1E:58:DF:D2:48 -> 0:16:3E:6F:A7:E2 type:0x86DD len:0x4E
fd00:0141:0064:0001:0000:0000:0000:affe -> fe80:0000:0000:0000:0216:3eff:fe6f:a7e2 IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:64
40 00 00 00 FD 00 01 41 00 64 00 01 00 00 00 00  @......A.d......
00 00 AF FE                                      ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

*** Caught Int-Signal
Run time prior to being shutdown was 11.444640 seconds
===============================================================================
Packet Wire Totals:
   Received:            3
   Analyzed:            6 (200.000%)
   Dropped:             0 (0.000%)
Outstanding: 18446744073709551613 (614891469123651633152.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 6          (100.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 6          (100.000%)
  IP6 EXT: 7          (116.667%)
  IP6opts: 1          (16.667%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 6          (100.000%)
  ICMP-IP: 1          (16.667%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 6
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
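The hex bytes quoted in the 04/28-20:49:05.585397 record can be decoded by hand against the IPv6 header layout, which is what a Snort content rule for Type 0 Routing Headers would have to do. The following Python is an added example, not code from the thread or from Snort: it walks the extension-header chain of those bytes (constructed here from the dump, Ethernet frame omitted), flags an RH0, and shows that the bytes are an ICMPv6 Echo Request (type 128) from the ::affe host, as Thomas describes. Constants, the parse_ipv6 helper and the result dictionary layout are my own.

```python
import ipaddress
import struct

IPV6_ROUTING, IPV6_FRAGMENT, IPV6_AH, ICMPV6 = 43, 44, 51, 58
# Extension headers whose first byte is the Next Header of what follows.
EXT_HEADERS = {0, IPV6_ROUTING, IPV6_FRAGMENT, IPV6_AH, 60}

# Constructed from the hex dump of the 04/28-20:49:05.585397 packet in the
# thread: IPv6 header, Type 0 Routing Header, ICMPv6 Echo Request.
SAMPLE = bytes.fromhex(
    "60000000 00202b40 fd000141 00640001 00000000 0000affe"
    "fd000141 00640001 02163eff fe6fa7e2"
    "3a020001 00000000 fd000141 00640001 02163eff fe6fa7e2"
    "8000eb08 00000000"
)

def parse_ipv6(pkt):
    """Walk the extension-header chain; return addresses, chain, RH0 flag."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack("!HB", pkt[4:7])
    info = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "chain": [], "rh0": False, "upper": None}
    off, end = 40, min(len(pkt), 40 + payload_len)
    while nxt in EXT_HEADERS:
        if off + 2 > end:
            raise ValueError("truncated extension header")
        ext_len = pkt[off + 1]
        if nxt == IPV6_FRAGMENT:        # fixed 8 bytes
            size = 8
        elif nxt == IPV6_AH:            # length in 4-byte units, minus 2
            size = (ext_len + 2) * 4
        else:                           # length in 8-byte units, minus 1
            size = (ext_len + 1) * 8
        if off + size > end:
            raise ValueError("truncated extension header")
        if nxt == IPV6_ROUTING:
            rtype, seg_left = pkt[off + 2], pkt[off + 3]
            info["chain"].append(("routing", rtype, seg_left))
            if rtype == 0:              # RH0: deprecated by RFC 5095
                info["rh0"] = True
        else:
            info["chain"].append(("ext", nxt))
        nxt, off = pkt[off], off + size
    info["upper"] = nxt
    if nxt == ICMPV6 and off + 4 <= end:
        info["icmp_type"], info["icmp_code"] = pkt[off], pkt[off + 1]
    return info
```

A decoder that stops at the first extension header, as the quoted dump suggests Snort 2.8.5.3 did for this packet, would never reach the ICMPv6 header, so a rule keyed on the routing type byte at offset 42 of the IPv6 packet is the check to make.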
Current thread:
- Problem capturing packets with IPv6 routing header scheffler (Apr 28)
- Re: Problem capturing packets with IPv6 routing header Joel Esler (Apr 28)
- Re: Problem capturing packets with IPv6 routing header Ryan Jordan (Apr 29)