On Sep 16, 2008, at 6:01 PM, Rachel McConnell wrote:
I've been using WIreshark for some time in a very limited manner, to
check the content & headers of web sites I develop. Lately I've
encountered a need to filter for ipv6 addresses. According to
http://www.wireshark.org/docs/man-pages/wireshark.html, Wireshark
supports ipv6 addresses. I'm having trouble finding docs that seem
authoratative on the syntax of the capture or display filters but for
a capture filter I read that simply "ip6" should work.
It should work *if* the version of libpcap on the system you're using
supports IPv6.
On my
installation I get this error:
That string isn't a valid capture filter (ip6 not supported).
See the User's Guide for a description of the capture filter syntax.
For a display filter, I get a happy green background on "ipv6 eq
fe80::216:cbff:fe96:b18a",
"Green" means "syntactically valid", not "does what you want". :-)
The expression that should do what you want is
ipv6.addr eq fe80::216:cbff:fe96:b18a
I.e., you want to check whether a packet has an IPv6 source or
destination address of fe80::216:cbff:fe96:b18a; "ipv6" doesn't stand
for an IPv6 address, it stands for the entire IPv6 protocol (and I'm
not even sure what comparing "ipv6" to something should mean, unless
it's comparing the entire IPv6 header against the specified string).
Running on Darwin 8.11.1 (MacOS 10.4.11), with libpcap version 0.9.8.
Are you using the libpcap that comes with Tiger, or did you build your
own version of libpcap? I think the version that comes with Tiger
supports IPv6; try the command "tcpdump -d ip6" and see what it prints.
