tcpdump mailing list archives
Re: SPAM-LOW: Re: Scanning IP6 packets
From: "Steve" <steve () iwwd com>
Date: Thu, 14 Nov 2013 13:23:52 +1100
Hi Guy,

Thanks for the reply.

I tried using the below filter which did pick up some request packets, but (likely as a result of the added header extensions) it was missing some.

(ip6[((ip6 [32:1] & 0xf0) >> 2):4] = 0x47455420 or ip6 [((ip6 [32:1] & 0xf0) >> 2):4] = 0x504f5354)

As a result, I've just modified my scripts to simply pick up all port-80 data on ipv6 and scan the packet for what I'm looking for. Takes a bit more CPU but gives me the result I was looking for.

Thanks very much for your help.

Steve.

-----Original Message-----
From: Guy Harris [mailto:guy () alum mit edu]
Sent: Wednesday, 13 November 2013 7:15 PM
To: Steve
Cc: tcpdump-workers () lists tcpdump org
Subject: SPAM-LOW: Re: [tcpdump-workers] Scanning IP6 packets

On Nov 12, 2013, at 7:57 PM, "Steve" <steve () iwwd com> wrote:

> How can I get a working filter to capture the data I need?

Modify the code in libpcap's gencode.c so that the comment in gen_load():

    /*
     * The offset is relative to the beginning of
     * the transport-layer header.
     *
     * Load the X register with the length of the IPv4 header
     * (plus the offset of the link-layer header, if it's
     * a variable-length header), in bytes.
     *
     * XXX - are there any cases where we want
     * off_nl_nosnap?
     * XXX - we should, if we're built with
     * IPv6 support, generate code to load either
     * IPv4, IPv6, or both, as appropriate.
     */

(in particular, the last XXX part) no longer applies.

Or write your own filter expression that looks at the link-layer header to detect IPv6 packets, skips past the IPv6 header (you won't be able to handle extension headers, as that involves looping, and the libpcap filter language doesn't support that), and then loads the appropriate value from the TCP header based on that.

There is no easy solution. Sorry.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
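
The approach described in the message above (capture all IPv6 port-80 traffic and scan each packet in the script), as an added example that is not part of the original thread: it walks the extension-header chain that the libpcap filter language cannot loop over, next to a loop-free fixed-offset check for comparison. All function names and the sample packets are constructed for illustration, and the input is assumed to be a raw IPv6 packet with the link-layer header already removed.

```python
import struct

EXT_8 = {0, 43, 60}           # Hop-by-Hop, Routing, Destination Options
FRAGMENT, AH, TCP = 44, 51, 6
METHODS = (b"GET ", b"POST")  # 0x47455420 / 0x504f5354 from the filter above

def tcp_payload(pkt):
    """Walk the IPv6 extension-header chain; return the TCP payload or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while nxt != TCP:
        if off + 8 > len(pkt):
            return None
        if nxt in EXT_8:
            size = (pkt[off + 1] + 1) * 8      # length in 8-byte units, minus one
        elif nxt == AH:
            size = (pkt[off + 1] + 2) * 4      # AH counts 4-byte units, minus two
        elif nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] & 0xFFF8:
                return None                    # non-first fragment: no TCP header
            size = 8
        else:
            return None                        # ESP, no next header, other transport
        nxt, off = pkt[off], off + size
    if off + 20 > len(pkt):
        return None
    hdr_len = (pkt[off + 12] & 0xF0) >> 2      # TCP data offset, in bytes
    return pkt[off + hdr_len:] if hdr_len >= 20 else None

def is_http_request(pkt):
    payload = tcp_payload(pkt)
    return payload is not None and payload[:4] in METHODS

def fixed_offset_match(pkt):
    """Loop-free check: assumes TCP starts right after the 40-byte IPv6 header."""
    if len(pkt) < 60:
        return False
    start = 40 + ((pkt[52] & 0xF0) >> 2)
    return pkt[start:start + 4] in METHODS

def sample_packet(ext=b"", first_nh=TCP, payload=b"GET / HTTP/1.1\r\n\r\n"):
    """Constructed test packet: IPv6 + optional extension headers + 32-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 1, 1, 0x80, 0x18, 65535, 0, 0) + bytes(12)
    body = ext + tcp + payload
    return struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64) + bytes(32) + body

HOP_BY_HOP = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])  # constructed: next=TCP, len=0, PadN
```

On a packet carrying a Hop-by-Hop header, `is_http_request` still finds the request while `fixed_offset_match` reads bytes from the extension header and misses it.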