[tcpdump-workers] Libpcap: BPF filter for ipv6 tunnel
Hi,

I have SMTP traffic over IPv6 tunneled in IPv4 (ip->ipv6->tcp->smtp). How can we set a BPF filter to match SMTP in IPv6-in-IPv4 tunnel traffic? I have tried with ip protochain 0x06; it is not working (libpcap 0.9.8).

Thanks,
./ram

Sent from my iPad
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Re: [tcpdump-workers] Warning on enabling ip6 protochain 6
Is there any way other than ip6 protochain 6 to filter IPv6 traffic with extension headers and TCP?

Sent from my iPad

On Aug 5, 2011, at 1:04 AM, Guy Harris wrote:

> On Aug 4, 2011, at 9:42 PM, ramkumar p wrote:
>
>> If we specify "ip6 tcp port 25 " does this also filter the traffic with IPv6
>> and extension headers like Routing, Fragment, hop and destination options
>> etc... and tcp port 25
>
> No.
>
>> or it filters only ipv6 traffic without extension
>> headers and tcp port 25
>
> Yes.

Re: [tcpdump-workers] Warning on enabling ip6 protochain 6
Hi,

Can we expect any packet drop by the kernel due to this warning? If so, what kind of packets would the kernel drop?

Thanks,
./ram

On Aug 8, 2011, at 4:24 AM, Darren Reed wrote:

> On 6/08/11 11:22 PM, Guy Harris wrote:
>> ...
>> For "ip4 protochain", the only protocol type that needs special treatment is
>> AH; can there be AH-within-AH? If so, that'd need a different instruction,
>> otherwise, unless I'm missing something, there's no need for a loop.
>
> There's IP in IP (proto #4) and AH (#51), although I'm not sure how common IP
> in IP is today.
>
> Darren

Re: [tcpdump-workers] Warning on enabling ip6 protochain 6
What percentage of traffic in real-world scenarios would these kinds of packets (IPv6 chain) make up?

Thanks,
./ram

On Aug 8, 2011, at 7:44 PM, Guy Harris wrote:

> On Aug 8, 2011, at 6:22 PM, ramkumar.parana...@gmail.com wrote:
>
>> Can we expect any packet drop by the kernel due to this warning?
>
> If a lot of the traffic on your network isn't TCP, so that a lot of traffic
> would've been discarded by the filter if it could've been run in the kernel,
> more traffic might be dropped than if the kernel could have done the
> filtering.
>
>> If so, what kind of packets would kernel drop?
>
> Packets that arrive when the buffer for the PF_PACKET socket is full. That
> could be *any* kind of traffic, whether it's TCP or not.

Re: [tcpdump-workers] Warning on enabling ip6 protochain 6
Would "ip6 protochain 6 and tcp port 25 and net 10.1.1.0" filter IPv6 packets with extension headers and TCP port 25 which belong to network 10.1.1.0? Can we use other filters along with ip6 protochain?

Thanks,
./ram

On Aug 9, 2011, at 12:39 AM, Guy Harris wrote:

> On Aug 8, 2011, at 10:56 PM, ramkumar.parana...@gmail.com wrote:
>
>> How much percentage of traffic in real world scenarios would these kind
>> (ipv6 chain) of packets consist?
>
> It depends on the scenario. If 50% of the traffic on your network is
> TCP-over-IPv6 traffic, then 50%. :-)
>
> Or, to put it another way, I doubt I can give you the answer you're probably
> really looking for, i.e. the answer to "how much of a problem will this be?",
> as it depends on the traffic on your network. How much of it is TCP-over-IPv6
> traffic? The *rest* of the traffic will be the problem, as that's the
> traffic that could have been rejected had "ip6 protochain 6" been implemented
> in the kernel with e.g. a magic IPv6 protochain BPF instruction, but now has
> to be handed up to userland to be rejected in userland.

[tcpdump-workers] Ip6 protochain
> Ip6 protochain 6 and tcp port 25 and net 2001:0db8:0:1::/64 would filter
> packets ipv6 with extension hdrs and tcp port 25 and which belongs to
> network?

Can we use tcp port and networks along with ip6 protochain?

If available, please share with me the pcaps with an IPv6 header chain and TCP.

Thanks,
./ram

Re: [tcpdump-workers] Ip6 protochain
Hi,

Any info regarding the below request?

Thanks,
./ram

On Aug 11, 2011, at 6:31 PM, ramkumar.parana...@gmail.com wrote:

>> Ip6 protochain 6 and tcp port 25 and net 2001:0db8:0:1::/64 would filter
>> packets ipv6 with extension hdrs and tcp port 25 and which belongs to
>> network?
>
> Can we use tcp port and networks along with ip6 protochain?
>
> If available, please share me the pcaps with ipv6 header chain and tcp.
>
> Thanks,
> ./ram
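
An added example, not part of the thread and not libpcap's code: a userland walk of the IPv6 Next Header chain, which is the per-packet work needed to find TCP port 25 behind extension headers, including the IPv6-in-IPv4 (protocol 41) case from the first message. The function names and the sample packets are constructed for illustration; in CHAINED the fixed header's Next Header byte is 0 (Hop-by-Hop), so a check of that byte alone does not see TCP.

```python
import struct

TCP, IPV6_IN_IPV4 = 6, 41
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60

def walk_ipv6(pkt):
    """Follow the Next Header chain; return (protocol, payload offset) or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS):
        if off + 8 > len(pkt):
            return None  # truncated chain
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return None  # non-first fragment carries no TCP header
            size = 8
        elif nxt == AUTH:
            size = (pkt[off + 1] + 2) * 4  # AH length: 4-byte units, minus 2
        else:
            size = (pkt[off + 1] + 1) * 8  # 8-byte units, first 8 bytes not counted
        nxt, off = pkt[off], off + size
    return nxt, off

def tcp_dport_v6(pkt):
    """Destination port if the header chain ends in TCP, else None."""
    found = walk_ipv6(pkt)
    if found is None or found[0] != TCP or found[1] + 4 > len(pkt):
        return None
    return struct.unpack_from("!H", pkt, found[1] + 2)[0]

def tcp_dport_6in4(pkt):
    """Same check for IPv6 carried directly in IPv4 (protocol 41)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPV6_IN_IPV4:
        return None
    return tcp_dport_v6(pkt[(pkt[0] & 0x0F) * 4:])

# Constructed sample packets (documentation addresses, no real traffic).
def ipv6(nxt, payload):
    addrs = bytes.fromhex("20010db8" + "00" * 11 + "01" + "20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + addrs + payload

SMTP_SYN = struct.pack("!HHIIBBHHH", 40000, 25, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
PLAIN = ipv6(TCP, SMTP_SYN)
CHAINED = ipv6(HOP_BY_HOP, bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + SMTP_SYN)
TUNNELED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(CHAINED), 0, 0, 64,
                       IPV6_IN_IPV4, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + CHAINED
if __name__ == "__main__":
    print(tcp_dport_v6(PLAIN), tcp_dport_v6(CHAINED), tcp_dport_6in4(TUNNELED))
```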