On Jan 21, 2004, at 7:21 AM, Jeff Weston wrote:
> There are no extension headers in these IPv6 packets. They are just
> plain 256-byte UDP IPv6 packets (not counting UDP and IPv6 overhead).
> "tcpdump -d not port 6000" prints out the following:
>
> (000) ldh [12]
> (001) jeq #0x800 jt 2 jf 14
> (002) ldb [23]
> (003) jeq #0x84 jt 6 jf 4
> (004) jeq #0x6 jt 6 jf 5
> (005) jeq #0x11 jt 6 jf 14
> (006) ldh [20]
> (007) jset #0x1fff jt 14 jf 8
> (008) ldxb 4*([14]&0xf)
> (009) ldh [x + 14]
> (010) jeq #0x1770 jt 13 jf 11
> (011) ldh [x + 16]
> (012) jeq #0x1770 jt 13 jf 14
> (013) ret #0
> (014) ret #96

It looks as if the version of libpcap with which that version of
tcpdump is running wasn't configured to support IPv6 - versions of
tcpdump linked with versions of libpcap that are so configured would
produce
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 10
(002) ldb [20]
(003) jeq #0x84 jt 6 jf 4
(004) jeq #0x6 jt 6 jf 5
(005) jeq #0x11 jt 6 jf 23
(006) ldh [54]
(007) jeq #0x1770 jt 22 jf 8
(008) ldh [56]
(009) jeq #0x1770 jt 22 jf 23
(010) jeq #0x800 jt 11 jf 23
(011) ldb [23]
(012) jeq #0x84 jt 15 jf 13
(013) jeq #0x6 jt 15 jf 14
(014) jeq #0x11 jt 15 jf 23
(015) ldh [20]
(016) jset #0x1fff jt 23 jf 17
(017) ldxb 4*([14]&0xf)
(018) ldh [x + 14]
(019) jeq #0x1770 jt 22 jf 20
(020) ldh [x + 16]
(021) jeq #0x1770 jt 22 jf 23
(022) ret #0
(023) ret #96
for "tcpdump -d not port 6000".

> I just noticed that "tcpdump -i eth1 -n not port 6000" also does not
> filter out the traffic correctly (nor does "not dst port 6000").

Yes, it wouldn't handle IPv6 packets in filters, as the libpcap with
which it's linked doesn't handle IPv6.

> Also, "tcpdump -i eth1 -n port 6000" captures nothing, as if it's not
> recognizing the port correctly.

Same answer.

> However, it prints out the port correctly with "not port 6000":
> "fec0:108:0:59::7.33001 > fec0:1080:0:59::100.6000: udp 256".

Tcpdump itself, apparently, *was* built with IPv6 support.

> After looking into it some more, I have discovered the following:
>
> does not work:
> tcpdump, version 3.7.1, libpcap version 0.7
> Ethereal, version 0.10.0, libpcap version 0.7
>
> does work:
> Ethereal, version 0.9.1.3, libpcap version 0.6
>
> So going off this, perhaps something is wrong with libpcap 0.7?

The libpcap 0.7 with which those versions of tcpdump and Ethereal were
built was probably not configured with IPv6 support; the libpcap 0.6
with which the other version of Ethereal was built was presumably
configured *with* IPv6 support.
I think the default for tcpdump is to configure for IPv6 support, if
available - if IPv6 address<->name resolution support is present, you
have to configure it *not* to have it ("--disable-ipv6"). The default
for libpcap, however, is *not* to configure for IPv6 support; you have
to explicitly specify "--enable-ipv6" when running the configure script
in order to get IPv6 support.
Was 0.6 the version that came with the OS, and did you install libpcap
0.7 on that machine? If so, you might not have configured 0.7 to
support IPv6.
Download 0.8.1 (that's the current libpcap release), run configure with
the "--enable-ipv6" flag, and compile and install. Then download
tcpdump 3.8.1 (the current tcpdump release), configure, build, and
install. The resulting tcpdump should handle "not port 6000" and "port
6000".
If so, then rebuild Ethereal, linking it with the libpcap you just
installed.
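
Added example, not part of the original message and not libpcap's code: a minimal interpreter for the BPF instructions that appear in the two "tcpdump -d not port 6000" dumps above, run over a constructed Ethernet/IPv6/UDP frame to show why the IPv4-only program still captures traffic to port 6000. The names run_filter, udp6_frame, V4_ONLY and WITH_V6 are illustrative, and the frame uses zeroed addresses.

```python
import re, struct

# Filter programs copied from the two "tcpdump -d not port 6000" dumps above,
# one instruction per ';' (position in the list = the (NNN) label in the dump).
V4_ONLY = """ldh [12]; jeq #0x800 jt 2 jf 14; ldb [23]; jeq #0x84 jt 6 jf 4;
jeq #0x6 jt 6 jf 5; jeq #0x11 jt 6 jf 14; ldh [20]; jset #0x1fff jt 14 jf 8;
ldxb 4*([14]&0xf); ldh [x + 14]; jeq #0x1770 jt 13 jf 11; ldh [x + 16];
jeq #0x1770 jt 13 jf 14; ret #0; ret #96"""
WITH_V6 = """ldh [12]; jeq #0x86dd jt 2 jf 10; ldb [20]; jeq #0x84 jt 6 jf 4;
jeq #0x6 jt 6 jf 5; jeq #0x11 jt 6 jf 23; ldh [54]; jeq #0x1770 jt 22 jf 8;
ldh [56]; jeq #0x1770 jt 22 jf 23; jeq #0x800 jt 11 jf 23; ldb [23];
jeq #0x84 jt 15 jf 13; jeq #0x6 jt 15 jf 14; jeq #0x11 jt 15 jf 23; ldh [20];
jset #0x1fff jt 23 jf 17; ldxb 4*([14]&0xf); ldh [x + 14];
jeq #0x1770 jt 22 jf 20; ldh [x + 16]; jeq #0x1770 jt 22 jf 23; ret #0; ret #96"""

def run_filter(program, pkt):
    """Interpret the BPF subset used above; return the snapshot length (0 = drop)."""
    insns = [i.split() for i in program.split(";")]
    a = x = pc = 0
    while True:
        op, arg, *rest = insns[pc]
        pc += 1
        if op == "ret":
            return int(arg[1:], 0)
        if op in ("jeq", "jset"):               # jt/jf are absolute instruction indices
            k = int(arg[1:], 0)
            hit = (a == k) if op == "jeq" else bool(a & k)
            pc = int(rest[1]) if hit else int(rest[3])
        elif op == "ldxb":                      # x = 4*([k]&0xf): IPv4 header length
            x = 4 * (pkt[int(re.search(r"\[(\d+)\]", arg).group(1))] & 0xF)
        else:                                   # ldh / ldb, absolute or x-relative
            text = " ".join([arg] + rest)
            off = int(re.search(r"\d+", text).group()) + (x if "x" in text else 0)
            size = 2 if op == "ldh" else 1
            if off + size > len(pkt):
                return 0                        # out-of-bounds load rejects the packet
            a = int.from_bytes(pkt[off:off + size], "big")

def udp6_frame(sport, dport, payload=bytes(256)):
    """Constructed sample: Ethernet + IPv6 (no extension headers) + UDP."""
    eth = bytes(12) + struct.pack("!H", 0x86DD)
    ip6 = struct.pack("!IHBB", 6 << 28, 8 + len(payload), 17, 64) + bytes(32)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip6 + udp + payload

if __name__ == "__main__":
    pkt = udp6_frame(33001, 6000)
    print("v4-only:", run_filter(V4_ONLY, pkt), "with v6:", run_filter(WITH_V6, pkt))
```

The IPv4-only program sees ethertype 0x86dd, fails the 0x800 test at (001) and jumps straight to "ret #96", so the port comparison is never reached for IPv6 frames.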