Need help with BPF Filter

  1. #1
    Member
    Join Date
    Mar 2004
    Posts
    94

    Need help with BPF Filter

    From the "use it or lose it" department....

    I'm trying to use tcpdump to view *only* IPv6 traffic. The command I am using looks like this...
    tcpdump -r filename 'ip[0] & 0xf0 = 6'

    I am getting no results. Changing the 6 to a 4 to see IPv4 traffic also yields no results so I know I must have something wrong. Just to cover all the bases: yes, the file is a tcpdump file and yes I can see records if I leave the BPF filter off.

  2. #2
    Senior Member Cemetric
    Join Date
    Oct 2002
    Posts
    491

    Try this maybe

    Hello,

    Now I'm not an expert at this but perhaps you have to try this:
    tcpdump -r filename 'ip[0] & 0xf0 != 0x40'

    I believe this filters out the IPv4 packets so you're left with the others ... maybe

    Let me know anyway ..
    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    Member
    Join Date
    Mar 2004
    Posts
    94
    Cemetric: that didn't work either.

    I did find (through the help of 'man tcpdump') that I should be searching for protocol ip6 instead of ip which really means ipv4.

    Seems odd that BPF filters can look at the lower order nibble of that byte, but not the higher order nibble?

  4. #4
    Senior Member Cemetric
    Join Date
    Oct 2002
    Posts
    491
    I asked my colleague about it and he also thinks it's like I said ... we tested it and it works ... then again we do not really use IPv6 yet so it's done in the lab.

    I have a text here that states :

    The problem is that it discards the low-order bits, as it
    should do, but you then have to compare the *high-order* bits, with

    ip[0] & 0xf0 != 0x40

    The mask operation does *NOT* move the high-order bits down; it leaves
    them where they are.

    I know it came off the internet somewhere but I don't know from where exactly, I'll ask him tomorrow.

    Also I found a bit of interesting stuff on the net ..try this link maybe it helps ?

    Gr33tz
    Back when I was a boy, we carved our own IC's out of wood.
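
An added example, not written by any poster in this thread: a small Python model of how the filters discussed above evaluate against one constructed IPv4 frame and one constructed IPv6 frame. It assumes untagged Ethernet II framing and models `ip[0]` / `ip6[0]` as first requiring the matching ethertype; all function and variable names are illustrative.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD

def frame(ethertype, l3):
    """Constructed untagged Ethernet II frame: zeroed MACs, ethertype, L3 bytes."""
    return bytes(12) + struct.pack("!H", ethertype) + l3

# Constructed samples; only the first L3 byte matters for these filters.
PACKETS = {
    "v4": frame(ETH_IPV4, bytes([0x45]) + bytes(19)),  # version 4, IHL 5
    "v6": frame(ETH_IPV6, bytes([0x60]) + bytes(39)),  # version 6
}

def byte0(pkt, ethertype):
    """Model of ip[0] / ip6[0]: None unless the frame carries that protocol."""
    if struct.unpack("!H", pkt[12:14])[0] != ethertype:
        return None
    return pkt[14]

def masked(pkt, ethertype, mask, value, equal=True):
    """proto[0] & mask = value (or != value). The mask does not shift bits,
    and a frame of another protocol never matches, even with !=."""
    b = byte0(pkt, ethertype)
    if b is None:
        return False
    return ((b & mask) == value) == equal

FILTERS = {
    "ip[0] & 0xf0 = 6":     lambda p: masked(p, ETH_IPV4, 0xF0, 6),
    "ip[0] & 0xf0 = 4":     lambda p: masked(p, ETH_IPV4, 0xF0, 4),
    "ip[0] & 0xf0 = 0x40":  lambda p: masked(p, ETH_IPV4, 0xF0, 0x40),
    "ip[0] & 0xf0 != 0x40": lambda p: masked(p, ETH_IPV4, 0xF0, 0x40, equal=False),
    "ip[0] & 0x0f = 5":     lambda p: masked(p, ETH_IPV4, 0x0F, 5),
    "ip6":                  lambda p: byte0(p, ETH_IPV6) is not None,
    "ip6[0] & 0xf0 = 0x60": lambda p: masked(p, ETH_IPV6, 0xF0, 0x60),
}

def matches(expr):
    """Names of the constructed packets that the modelled filter accepts."""
    return [name for name, pkt in PACKETS.items() if FILTERS[expr](pkt)]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:24} -> {matches(expr)}")
```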
