tcpdump mailing list archives

Re: Tcpdump Expression to get the rst packets for ipv6


From: Sake Blok <sake.blok () SYN-bit nl>
Date: Wed, 1 Dec 2010 11:43:23 +0100

On 30 nov 2010, at 08:46, Abhilash Shastry wrote:

I am looking out for the expression to get the reset packets for ipv6
through tcpdump.

At present we are using the below expression for ipv4.

[/usr/sbin/tcpdump -i eth1 -s 1600 'tcp[13] & 4 != 0']

As mentioned in tcpdump.org site[http://www.tcpdump.org/tcpdump_man.html]
under the section BUGS, tcp[0] expression will work only on ipv4 and not on
ipv6 packets, could you please let us know the equivalent expression for
ipv6 if any. Or could you please let us know your inputs on how to proceed
further to get the rst packets for ipv6 using tcpdump tool..

The difference between IPv4 and IPv6 headers is that in IPv4, there is a header length value that can be read and therefore the IP header can be skipped by calculating the offset. In IPv6, there can be multiple headers in a list. You can't calculate the offset, you need to iterate through all headers. The BPF machine is not able to iterate, therefore it can't determine where the TCP header is starting.

However, assuming you don't have extra IPv6 headers you could do the calculations yourself. First check whether the next header is indeed TCP:

ip6[6] = 6

This will give you all IPv6 packets without additional IPv6 headers and TCP as transport protocol. Now you know the TCP header starts at offset ip6[40] (the initial IPv6 header has a length of 40). So the TCP flags are at ip6[53]. Combined:

"ip6[6]=6 && ip6[53]&4!=0"

Hope this helps! 


Met vriendelijke groet,
Kind Regards,

Sake Blok
Consultant / Trainer / Troubleshooter

SYN-bit - Deep Traffic Analysis - http://www.SYN-bit.nl
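The following is an added example, not part of Sake's reply or of tcpdump itself. It emulates the byte-offset expression from the reply (ip6[6]=6 && ip6[53]&4!=0) in Python over packets constructed in the script, and then goes one step beyond the reply: it walks the IPv6 extension-header chain (hop-by-hop, routing, destination options, AH, fragment), which is exactly the iteration BPF cannot perform. Running it shows why the fixed-offset filter is only correct when no extension headers are present: an RST behind a hop-by-hop header is missed by the offset filter but found by the chain walk. The packet builder only emits hop-by-hop style 8-byte extension headers and all-zero addresses; both are constructed test data, not captured traffic.

```python
"""Added example (not from the mailing-list post): compare the fixed-offset
filter 'ip6[6]=6 && ip6[53]&4!=0' with a walk of the IPv6 extension-header
chain.  All packets are constructed here; nothing is captured or sent."""
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_TCP = 6
IPPROTO_AH = 51
IPPROTO_FRAGMENT = 44
OPTS_LIKE = {0, 43, 60}   # hop-by-hop, routing, dst-opts: len field in 8-byte units
TCP_RST = 0x04            # bit 2 of the TCP flags byte, i.e. tcp[13] & 4
TCP_ACK = 0x10
IPV6_HDR_LEN = 40         # fixed size of the initial IPv6 header


def build_ipv6_tcp(flags, ext_headers=()):
    """Build a minimal IPv6 packet (the bytes 'ip6[...]' indexes into) that
    carries the given extension headers and then a 20-byte TCP header.
    Constructed test data: zero addresses, zero seq/ack, no payload."""
    # src port, dst port, seq, ack, data offset (5 words), flags, win, csum, urg
    payload = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, flags, 0, 0, 0)
    next_hdr = IPPROTO_TCP
    # Build extension headers back to front so each one names its successor.
    for proto in reversed(ext_headers):
        # next header, hdr ext len (0 => 8 bytes total), then a 6-byte PadN option
        payload = struct.pack("!BB", next_hdr, 0) + b"\x01\x04\x00\x00\x00\x00" + payload
        next_hdr = proto
    # version 6, payload length, next header (offset 6), hop limit
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64)
    ip6 += b"\x00" * 32  # 16-byte src and dst addresses (constructed, all zero)
    return ip6 + payload


def bpf_filter_rst(pkt):
    """The expression from the post: ip6[6]=6 && ip6[53]&4!=0.
    Only correct when the TCP header directly follows the 40-byte IPv6 header."""
    return len(pkt) > 53 and pkt[6] == IPPROTO_TCP and pkt[53] & TCP_RST != 0


def find_tcp_offset(pkt):
    """Walk the extension-header chain and return the offset of the TCP
    header, or None if the packet is not TCP (or the chain is unreadable).
    This loop is what the BPF machine cannot express."""
    nh = pkt[6]
    off = IPV6_HDR_LEN
    while nh != IPPROTO_TCP:
        if off + 2 > len(pkt):
            return None
        if nh == IPPROTO_FRAGMENT:
            hdr_len = 8                         # fragment header is fixed size
        elif nh == IPPROTO_AH:
            hdr_len = (pkt[off + 1] + 2) * 4    # AH length is in 4-byte units minus 2
        elif nh in OPTS_LIKE:
            hdr_len = (pkt[off + 1] + 1) * 8    # length in 8-byte units, excluding first 8
        else:
            return None                         # UDP, ICMPv6, ESP, ...: not TCP
        nh = pkt[off]                           # every ext header starts with "next header"
        off += hdr_len
    return off


def walk_chain_rst(pkt):
    """RST test that is correct even with extension headers present."""
    off = find_tcp_offset(pkt)
    return off is not None and off + 13 < len(pkt) and pkt[off + 13] & TCP_RST != 0


if __name__ == "__main__":
    plain_rst = build_ipv6_tcp(TCP_RST)
    plain_ack = build_ipv6_tcp(TCP_ACK)
    hbh_rst = build_ipv6_tcp(TCP_RST, ext_headers=(IPPROTO_HOPOPTS,))
    for name, pkt in [("plain RST", plain_rst), ("plain ACK", plain_ack), ("hop-by-hop + RST", hbh_rst)]:
        print(f"{name:18s} offset-filter={bpf_filter_rst(pkt)!s:5s} chain-walk={walk_chain_rst(pkt)!s:5s} tcp@{find_tcp_offset(pkt)}")
```

The third row of the output is the practical caveat: with a hop-by-hop header in front of TCP, ip6[6] is 0 rather than 6 and the flags sit at ip6[61], so the fixed-offset filter silently drops the RST while the chain walk still finds it. When you rely on the offset filter in production, it is worth checking separately (for example with an unfiltered sample) how much of your IPv6 TCP traffic actually carries extension headers.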
This is the tcpdump-workers list.