
I am using the following filter expression to sniff IPv4/IPv6 SYN/ACK/FIN/RST packets. This works fine using tcpdump for IPv4; however, for IPv6 I don't see anything coming:

tcp port 80 and (tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-fin|tcp-rst) != 0)


Currently, TCPDump (and Wireshark) do not support embedded protocol BPF filters under IPv6. In order to find these packets, you would have to use BPF offsets and masks.

For example:

 ip6 proto tcp and ip6[13+40]&0x17!=0

Here we are checking to see if TCP is the embedded protocol in the IPv6 header. From there, we are going 13 bytes into the TCP header and adding 40 bytes since we are referencing it from the start of the ip6 header. I'm assuming that you know already that 0x17 would be the mask to match what you have written (SYN|ACK|FIN|RST).

While there is a protochain option which can find TCP anywhere in the protocol chain, it really isn't practical to use BPF to track down which "Next Header" contains TCP (it should be the last one).

To add the port to the above, you would just add:

  and ip6[(40+2):2]=80
    Just rereading this years later... In case it isn't clear, you do not need to use "40+13" or "40+2"... I recommend that people do this so that it is clear to someone who is passingly familiar with the protocol headers that you are going to the end of the IP6 header (40) and then going 13 more bytes (into the TCP header). You could obviously write this as "tcp[53]", but that is more opaque and looks magical. Commented Aug 26, 2020 at 12:28
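As an added example (not part of the original answer), the Python below evaluates the same byte offsets and mask the answer's filter uses against constructed IPv6/TCP packets, so you can see exactly which bytes `ip6[13+40]&0x17` and `ip6[(40+2):2]` test. It additionally checks the source port at offset 40, so the port clause behaves like the question's `tcp port 80` (either direction) rather than destination-only, and it shows that the fixed-offset filter does not match a packet carrying a Hop-by-Hop extension header, which is the situation the answer's protochain remark refers to. Addresses and packet contents are constructed, not captured.

```python
import struct

# Offsets the answer's filter relies on: the fixed 40-byte IPv6 header is
# followed directly by TCP only when Next Header (ip6[6]) is 6.
IP6_HDR_LEN = 40
TCP_SPORT_OFF = 0      # source port, first 2 bytes of the TCP header
TCP_DPORT_OFF = 2      # destination port (the answer's ip6[(40+2):2])
TCP_FLAGS_OFF = 13     # flags byte (the answer's ip6[13+40])
FLAG_MASK = 0x17       # FIN 0x01 | SYN 0x02 | RST 0x04 | ACK 0x10

def build_ipv6_tcp(sport, dport, flags, ext_hdr=False):
    """Constructed sample packet with zeroed (hypothetical) addresses.
    With ext_hdr=True an 8-byte Hop-by-Hop header sits between IPv6 and TCP."""
    # Minimal 20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    payload, next_hdr = tcp, 6
    if ext_hdr:
        # Hop-by-Hop: Next Header=TCP, Hdr Ext Len=0 (8 bytes total), PadN option (type 1, len 4)
        payload = struct.pack("!BB", 6, 0) + b"\x01\x04" + bytes(4) + tcp
        next_hdr = 0
    # IPv6: version 6, traffic class/flow label 0, payload length, next header, hop limit 64
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + bytes(32)
    return ip6 + payload

def matches_filter(pkt, port=80):
    """Evaluate the answer's expression byte-for-byte:
    ip6 proto tcp and ip6[13+40]&0x17!=0 and (ip6[40:2]=80 or ip6[(40+2):2]=80)
    The source-port clause is added here so it behaves like 'tcp port 80'."""
    if len(pkt) < IP6_HDR_LEN + 20:
        return False
    if pkt[6] != 6:            # 'ip6 proto tcp': Next Header must be TCP itself, no extension headers
        return False
    flags = pkt[IP6_HDR_LEN + TCP_FLAGS_OFF]
    sport, dport = struct.unpack_from("!HH", pkt, IP6_HDR_LEN + TCP_SPORT_OFF)
    return (flags & FLAG_MASK) != 0 and port in (sport, dport)

if __name__ == "__main__":
    print(matches_filter(build_ipv6_tcp(40000, 80, 0x02)))               # True: SYN to :80
    print(matches_filter(build_ipv6_tcp(80, 40000, 0x12)))               # True: SYN/ACK from :80
    print(matches_filter(build_ipv6_tcp(40000, 80, 0x08)))               # False: PSH only
    print(matches_filter(build_ipv6_tcp(40000, 80, 0x02, ext_hdr=True))) # False: fixed offsets miss it
```

Feed the same constructed packets through `tcpdump -d` with the answer's expression to compare the compiled BPF against what this function checks.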
