Re: BPF filter for tcp syn for ipv6

[sthaug () nethelp no]

> > I want to filter TCp syn packet which is coming using IPv6 addresses. I am not able to find the bpf filter for that 
> > can somebody help me to find the right BPF filter
> >
> >
> > I have already tried" tcp[tcpflags] & (tcp-syn) != 0" which doesn't work for IPv6 traffic.
> >   
>
> What does "doesn't work for IPv6 traffic" mean?

The "tcp[...]" expression doesn't work for IPv6. This is documented in
the pcap-filter man page:

expr relop expr
       True  if the relation holds, where relop is one of >, <, >=, <=,
       =, !=, and expr is an arithmetic expression composed of  integer
       constants  (expressed  in  standard C syntax), the normal binary
       operators [+, -, *, /, &, |, <<, >>],  a  length  operator,  and
       special  packet  data  accessors.  Note that all comparisons are
       unsigned, so that, for example, 0x80000000 and 0xffffffff are  >
       0.  To access data inside the packet, use the following syntax:
            proto [ expr : size ]
       Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp,
       rarp, tcp, udp, icmp, ip6 or radio, and indicates  the  protocol
       layer  for  the  index  operation.  (ether, fddi, wlan, tr, ppp,
       slip and link all refer to the link layer. radio refers  to  the
       "radio  header"  added to some 802.11 captures.)  Note that tcp,
--->>> udp and other upper-layer protocol types only apply to IPv4, not
       IPv6 (this will be fixed in the future).  The byte offset, rela-
       tive to the indicated protocol layer, is given by expr.  Size is
       optional  and  indicates  the  number  of  bytes in the field of
       interest; it can be either one, two, or four,  and  defaults  to
       one.   The  length operator, indicated by the keyword len, gives
       the length of the packet.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.