On Jan 21, 2004, at 7:21 AM, Jeff Weston wrote:
There are no extension headers in these IPv6 packets. They are just plain 256-byte UDP IPv6 packets (not counting UDP and IPv6 overhead).
"tcpdump -d not port 6000" prints out the following:
    (000) ldh [12]
    (001) jeq #0x800 jt 2 jf 14
    (002) ldb [23]
    (003) jeq #0x84 jt 6 jf 4
    (004) jeq #0x6 jt 6 jf 5
    (005) jeq #0x11 jt 6 jf 14
    (006) ldh [20]
    (007) jset #0x1fff jt 14 jf 8
    (008) ldxb 4*([14]&0xf)
    (009) ldh [x + 14]
    (010) jeq #0x1770 jt 13 jf 11
    (011) ldh [x + 16]
    (012) jeq #0x1770 jt 13 jf 14
    (013) ret #0
    (014) ret #96
It looks as if the version of libpcap with which that version of tcpdump is running wasn't configured to support IPv6 - versions of tcpdump linked with versions of libpcap that are so configured would produce
    (000) ldh [12]
    (001) jeq #0x86dd jt 2 jf 10
    (002) ldb [20]
    (003) jeq #0x84 jt 6 jf 4
    (004) jeq #0x6 jt 6 jf 5
    (005) jeq #0x11 jt 6 jf 23
    (006) ldh [54]
    (007) jeq #0x1770 jt 22 jf 8
    (008) ldh [56]
    (009) jeq #0x1770 jt 22 jf 23
    (010) jeq #0x800 jt 11 jf 23
    (011) ldb [23]
    (012) jeq #0x84 jt 15 jf 13
    (013) jeq #0x6 jt 15 jf 14
    (014) jeq #0x11 jt 15 jf 23
    (015) ldh [20]
    (016) jset #0x1fff jt 23 jf 17
    (017) ldxb 4*([14]&0xf)
    (018) ldh [x + 14]
    (019) jeq #0x1770 jt 22 jf 20
    (020) ldh [x + 16]
    (021) jeq #0x1770 jt 22 jf 23
    (022) ret #0
    (023) ret #96
for "tcpdump -d not port 6000".
I just noticed that "tcpdump -i eth1 -n not port 6000" also does not filter out the traffic correctly (nor does "not dst port 6000").
Yes, it wouldn't handle IPv6 packets in filters, as the libpcap with which it's linked doesn't handle IPv6.
Also, "tcpdump -i eth1 -n port 6000" captures nothing, as if it's not recognizing the port correctly.
Same answer.
However, it prints out the port correctly with "not port 6000": "fec0:108:0:59::7.33001 > fec0:1080:0:59::100.6000: udp 256".
Tcpdump itself, apparently, *was* built with IPv6 support.
After looking into it some more, I have discovered the following:
does not work:
    tcpdump, version 3.7.1, libpcap version 0.7
    Ethereal, version 0.10.0, libpcap version 0.7
does work:
    Ethereal, version 0.9.1.3, libpcap version 0.6
So going off this, perhaps something is wrong with libpcap 0.7?
The libpcap 0.7 with which those versions of tcpdump and Ethereal were built was probably not configured with IPv6 support; the libpcap 0.6 with which the other version of Ethereal was built was presumably configured *with* IPv6 support.
I think the default for tcpdump is to configure for IPv6 support, if available - if IPv6 address<->name resolution support is present, you have to configure it *not* to have it ("--disable-ipv6"). The default for libpcap, however, is *not* to configure for IPv6 support; you have to explicitly specify "--enable-ipv6" when running the configure script in order to get IPv6 support.
Was 0.6 the version that came with the OS, and did you install libpcap 0.7 on that machine? If so, you might not have configured 0.7 to support IPv6.
Download 0.8.1 (that's the current libpcap release), run configure with the "--enable-ipv6" flag, and compile and install. Then download tcpdump 3.8.1 (the current tcpdump release), configure, build, and install. The resulting tcpdump should handle "not port 6000" and "port 6000".
If so, then rebuild Ethereal, linking it with the libpcap you just installed.
_______________________________________________ Ethereal-dev mailing list [EMAIL PROTECTED] http://www.ethereal.com/mailman/listinfo/ethereal-dev
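Added example, not part of the original message and not libpcap or tcpdump code: a small interpreter for the subset of BPF instructions that appear in the two "tcpdump -d" listings above, run over a constructed IPv6 UDP frame addressed to port 6000. It shows the listing without the 0x86dd branch accepting the packet (ret #96) while the IPv6-aware listing drops it (ret #0). The names run and udp6 and the frame bytes are assumptions made for illustration.

```python
import ipaddress, re, struct
# The two "tcpdump -d not port 6000" listings quoted in the message above.
NO_V6 = ("(000) ldh [12] (001) jeq #0x800 jt 2 jf 14 (002) ldb [23] (003) jeq #0x84 jt 6 jf 4 "
         "(004) jeq #0x6 jt 6 jf 5 (005) jeq #0x11 jt 6 jf 14 (006) ldh [20] "
         "(007) jset #0x1fff jt 14 jf 8 (008) ldxb 4*([14]&0xf) (009) ldh [x + 14] "
         "(010) jeq #0x1770 jt 13 jf 11 (011) ldh [x + 16] (012) jeq #0x1770 jt 13 jf 14 "
         "(013) ret #0 (014) ret #96")
V6 = ("(000) ldh [12] (001) jeq #0x86dd jt 2 jf 10 (002) ldb [20] (003) jeq #0x84 jt 6 jf 4 "
      "(004) jeq #0x6 jt 6 jf 5 (005) jeq #0x11 jt 6 jf 23 (006) ldh [54] "
      "(007) jeq #0x1770 jt 22 jf 8 (008) ldh [56] (009) jeq #0x1770 jt 22 jf 23 "
      "(010) jeq #0x800 jt 11 jf 23 (011) ldb [23] (012) jeq #0x84 jt 15 jf 13 "
      "(013) jeq #0x6 jt 15 jf 14 (014) jeq #0x11 jt 15 jf 23 (015) ldh [20] "
      "(016) jset #0x1fff jt 23 jf 17 (017) ldxb 4*([14]&0xf) (018) ldh [x + 14] "
      "(019) jeq #0x1770 jt 22 jf 20 (020) ldh [x + 16] (021) jeq #0x1770 jt 22 jf 23 "
      "(022) ret #0 (023) ret #96")

def run(listing, pkt):
    """Interpret a `tcpdump -d` listing; return bytes to capture (0 = drop)."""
    prog = [i.strip() for i in re.split(r"\(\d+\)", listing) if i.strip()]
    a = x = pc = 0
    while True:
        op, _, arg = prog[pc].partition(" ")
        pc += 1
        if op == "ret":
            return int(arg[1:], 0)
        if op in ("jeq", "jset"):
            k, jt, jf = re.match(r"#(\w+)\s+jt (\d+)\s+jf (\d+)", arg).groups()
            hit = a == int(k, 0) if op == "jeq" else bool(a & int(k, 0))
            pc = int(jt if hit else jf)
        elif op == "ldxb":  # only form in these listings: 4*([k]&0xf), IPv4 header length
            x = 4 * (pkt[int(re.search(r"\[(\d+)\]", arg).group(1))] & 0xF)
        else:  # ldh / ldb, absolute [k] or indexed [x + k]
            k = int(re.search(r"(\d+)\]", arg).group(1)) + (x if "x" in arg else 0)
            size = 2 if op == "ldh" else 1
            if k + size > len(pkt):
                return 0  # a load past the end of the packet rejects it
            a = int.from_bytes(pkt[k:k + size], "big")

def udp6(sport, dport):
    """Constructed Ethernet + IPv6 + UDP frame, 256-byte payload, no extension headers."""
    src, dst = (ipaddress.IPv6Address(a).packed for a in ("fec0:108:0:59::7", "fec0:1080:0:59::100"))
    ip6 = struct.pack("!IHBB", 0x60000000, 264, 0x11, 64) + src + dst
    return bytes(12) + b"\x86\xdd" + ip6 + struct.pack("!HHHH", sport, dport, 264, 0) + bytes(256)

if __name__ == "__main__":
    pkt = udp6(33001, 6000)
    print("libpcap without IPv6:", run(NO_V6, pkt))
    print("libpcap with IPv6:   ", run(V6, pkt))
```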
