giving IPv6 capture filter support

Bindiya_V_S · April 3, 2007, 5:32am

Hello all,
I want BRO to detect IPv6 packets. I tried giving capture
filter as
redef capture_filters = { ["tcp"]= "tcp", ["udp"] = "udp",
["icmp"] = "icmp", ["ipv6"] = "ether proto 0x86dd"};

BRO is not complaining, but the packets are not even
recognised at Sesssions.cc NextPacket.

Thank you
Bindiya

Julien_Desfossez · April 3, 2007, 11:55am

Hello,

You can use the following syntax to add IPv6 support :

redef capture_filters += {
["ipv6"] = "ip6"
};

With that filter, Bro will capture all IPv6 traffic.

Sessions.cc recognises TCP and UDP over IPv6 if there is no extension header.
ICMPv6 has a different protocol number than ICMP (v4).
So you must replace the

if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP && proto != IPPROTO_ICMP ) {...}

in DoNextPacket by :

if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP && proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6) {...}

So your packet won't be dumped.

With that, you'll see in your Weird logs something like "unknow protocol 58" when you ping6 for example.

Because the "switch (proto) {}" doesn't look for IPPROTO_ICMPV6.

HTH,

Julien Desfossez

Bindiya V S a écrit :

Topic		Replies	Views
Bro Digest, Vol 113, Issue 31 Zeek	2	63	May 6, 2022
Progress in the IPv6 support Zeek	4	199	May 6, 2022
help for adding new packet filter Zeek	3	82	May 6, 2022
Bro restrict filters question Zeek	4	118	May 6, 2022
ipv6 Zeek	7	147	May 6, 2022

giving IPv6 capture filter support

Related topics