tcpdump mailing list archives

Re: Scanning IP6 packets


From: Guy Harris <guy () alum mit edu>
Date: Wed, 13 Nov 2013 00:15:02 -0800


On Nov 12, 2013, at 7:57 PM, "Steve" <steve () iwwd com> wrote:

> How can I get a working filter to capture the data I need?

Modify the code in libpcap's gencode.c so that the comment in gen_load():

                /*
                 * The offset is relative to the beginning of
                 * the transport-layer header.
                 *
                 * Load the X register with the length of the IPv4 header
                 * (plus the offset of the link-layer header, if it's
                 * a variable-length header), in bytes.
                 *
                 * XXX - are there any cases where we want
                 * off_nl_nosnap?
                 * XXX - we should, if we're built with
                 * IPv6 support, generate code to load either   
                 * IPv4, IPv6, or both, as appropriate.
                 */

(in particular, the last XXX part) no longer applies.

Or write your own filter expression that looks at the link-layer header to detect IPv6 packets, skips past the IPv6 header (you won't be able to handle extension headers, as that involves looping, and the libpcap filter language doesn't support that), and then loads the appropriate value from the TCP header based on that.

There is no easy solution.  Sorry.
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
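
The second option in the message above, worked through as an added example (not code from the post or from libpcap): it builds the fixed-offset filter text and evaluates the same test on constructed frames, showing that a packet carrying an extension header is missed unless userland code walks the header chain. Assumptions: Ethernet II framing with no VLAN tag, the TCP flags byte (offset 13) as the field of interest, and hypothetical function names.

```python
import struct

ETH_LEN = 14             # Ethernet II header, no VLAN tag (assumption)
IP6_LEN = 40             # fixed IPv6 header length
NH_TCP = 6               # IPv6 Next Header value for TCP
EXT_HDRS = {0, 43, 60}   # hop-by-hop, routing, dest. options: length is (len + 1) * 8
                         # (fragment and AH headers use other layouts; not handled here)

def filter_expr(tcp_off, mask):
    """pcap filter text that uses only fixed offsets from the link-layer header."""
    return (f"ether[12:2] = 0x86dd and ether[{ETH_LEN + 6}] = {NH_TCP} "
            f"and ether[{ETH_LEN + IP6_LEN + tcp_off}] & {mask:#04x} != 0")

def fixed_offset_match(frame, tcp_off, mask):
    """What that expression tests: no loop, so TCP must directly follow IPv6."""
    need = ETH_LEN + IP6_LEN + tcp_off
    if len(frame) <= need or frame[12:14] != b"\x86\xdd":
        return False
    return frame[ETH_LEN + 6] == NH_TCP and bool(frame[need] & mask)

def walking_match(frame, tcp_off, mask):
    """Userland check that loops over extension headers, which the filter cannot."""
    if len(frame) < ETH_LEN + IP6_LEN or frame[12:14] != b"\x86\xdd":
        return False
    nh, off = frame[ETH_LEN + 6], ETH_LEN + IP6_LEN
    while nh in EXT_HDRS:
        if len(frame) < off + 2:
            return False
        nh, off = frame[off], off + (frame[off + 1] + 1) * 8
    return (nh == NH_TCP and len(frame) > off + tcp_off
            and bool(frame[off + tcp_off] & mask))

def build_frame(flags, ext=False):
    """Constructed sample: Ethernet + IPv6 (+ 8-byte hop-by-hop) + 20-byte TCP."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)
    hbh = bytes([NH_TCP, 0, 1, 4, 0, 0, 0, 0]) if ext else b""  # PadN filler option
    ip6 = struct.pack("!IHBB", 6 << 28, len(hbh) + len(tcp),
                      0 if ext else NH_TCP, 64)
    ip6 += bytes(15) + b"\x01" + bytes(15) + b"\x02"            # ::1 -> ::2
    return bytes(12) + b"\x86\xdd" + ip6 + hbh + tcp

if __name__ == "__main__":
    print(filter_expr(13, 0x02))                                 # SYN bit in TCP flags
    for ext in (False, True):
        f = build_frame(0x02, ext)
        print(ext, fixed_offset_match(f, 13, 0x02), walking_match(f, 13, 0x02))
```

For monitoring, the consequence is that a capture relying on the fixed-offset expression silently drops IPv6 traffic with extension headers, so such packets need a broader capture filter (plain `ip6`) and post-capture parsing.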

