-
May 13th, 2004, 04:22 PM
#1
Need help with BPF Filter
From the "use it or lose it" department....
I'm trying to use tcpdump to view *only* IPv6 traffic. The command I am using looks like this...
tcpdump -r filename 'ip[0] & 0xf0 = 6'
I am getting no results. Changing the 6 to a 4 to see IPv4 traffic also yields no results so I know I must have something wrong. Just to cover all the bases: yes, the file is a tcpdump file and yes I can see records if I leave the BPF filter off.
-
May 13th, 2004, 05:41 PM
#2
Try this maybe
Hello,
Now I'm not an expert at this, but perhaps you have to try this:
tcpdump -r filename 'ip[0] & 0xf0 != 0x40'
I believe this filters out the IPv4 packets so you're left with the others ... maybe
Let me know anyway ..
Back when I was a boy, we carved our own IC's out of wood.
-
May 13th, 2004, 06:29 PM
#3
Cemetric: that didn't work either.
I did find (through the help of 'man tcpdump') that I should be searching for protocol ip6 instead of ip which really means ipv4.
Seems odd that BPF filters can look at the lower order nibble of that byte, but not the higher order nibble?
-
May 13th, 2004, 08:06 PM
#4
I asked my colleague about it and he also thinks it's like I said ... we tested it and it works ... then again we do not really use IPv6 yet so it's done in the lab.
I have a text here that states :
The problem is that it discards the low-order bits, as it
should do, but you then have to compare the *high-order* bits, with
ip[0] & 0xf0 != 0x40
The mask operation does *NOT* move the high-order bits down; it leaves
them where they are.
I know it came off the internet somewhere but I don't know from where exactly, I'll ask him tomorrow.
Also I found a bit of interesting stuff on the net ... try this link, maybe it helps?
Gr33tz
Back when I was a boy, we carved our own IC's out of wood.
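
The two points raised in this thread (the mask leaves the version nibble in the high-order bits, and `ip` only ever applies to IPv4 packets) can be checked offline with the following added example, which is not code from any poster. It is a simplified Python model of how the filter expressions are evaluated, not tcpdump itself; the helper names and the two packets are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD

def frame(ethertype, first_l3_byte):
    """Constructed Ethernet frame: zeroed MACs, ethertype, 40 bytes of L3 data."""
    return bytes(12) + struct.pack("!H", ethertype) + bytes([first_l3_byte]) + bytes(39)

def proto_byte0(pkt, ethertype):
    """Model of 'ip[0]' / 'ip6[0]': None unless the frame carries that protocol."""
    if struct.unpack("!H", pkt[12:14])[0] != ethertype:
        return None
    return pkt[14]

def masked_cmp(pkt, ethertype, mask, value, shift=0, negate=False):
    """Evaluate '(proto[0] & mask) >> shift = value' (or '!=' when negate)."""
    b = proto_byte0(pkt, ethertype)
    if b is None:                 # wrong protocol: the expression cannot match
        return False
    return (((b & mask) >> shift) == value) != negate

# Filter expressions from the thread, plus the shifted form and plain 'ip6'.
FILTERS = {
    "ip[0] & 0xf0 = 6":        lambda p: masked_cmp(p, ETH_IPV4, 0xF0, 6),
    "ip[0] & 0xf0 = 4":        lambda p: masked_cmp(p, ETH_IPV4, 0xF0, 4),
    "ip[0] & 0xf0 = 0x40":     lambda p: masked_cmp(p, ETH_IPV4, 0xF0, 0x40),
    "ip[0] & 0xf0 != 0x40":    lambda p: masked_cmp(p, ETH_IPV4, 0xF0, 0x40, negate=True),
    "(ip[0] & 0xf0) >> 4 = 4": lambda p: masked_cmp(p, ETH_IPV4, 0xF0, 4, shift=4),
    "ip6":                     lambda p: proto_byte0(p, ETH_IPV6) is not None,
}

# Constructed samples: IPv4 starts with 0x45 (version 4, IHL 5), IPv6 with 0x60.
PACKETS = {"ipv4": frame(ETH_IPV4, 0x45), "ipv6": frame(ETH_IPV6, 0x60)}

def results():
    """Map each filter expression to the names of the sample packets it matches."""
    return {expr: [n for n, pkt in PACKETS.items() if f(pkt)]
            for expr, f in FILTERS.items()}

if __name__ == "__main__":
    for expr, hits in results().items():
        print(f"{expr!r:28} -> {hits or 'no packets'}")
```
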