ipv6

Hi,
1. Any documentation on how to use Bro to read and analyze
  IPv6 traces?
2. I use Bro-1.4 installed from FreeBSD ports by adding
   --enable-brov6 to CONFIGURE_ARGS=
  but Bro fails to read IPv6 traces.
3. Can Bro read IPv6 multicast traces?

with best regards,

-dikshie-

2. I use Bro-1.4 installed from FreeBSD ports by adding
  --enable-brov6 to CONFIGURE_ARGS=
but Bro fails to read IPv6 traces.

Make sure that you set your capture filter to include ipv6 traffic. It's not set to include it by default. From the command line you can do -f"ip and ip6" to include all ipv4 and ipv6 traffic.

3. Can Bro read IPv6 multicast traces?

I don't see why it would have any trouble with multicast.

   .Seth

Seth Hall wrote:

2. I use Bro-1.4 installed from FreeBSD ports by adding
  --enable-brov6 to CONFIGURE_ARGS=
but Bro fails to read IPv6 traces.

Make sure that you set your capture filter to include ipv6 traffic.
It's not set to include it by default. From the command line you can do
-f"ip and ip6" to include all ipv4 and ipv6 traffic.

I use tcpdump to capture packets.
#tcpdump -c 10000 -s 1500 -w ip6.pcap -nvvi em2 ip6
#tcpdump -s 1500 -nvv -w tcp6.pcap -r ip6.pcap tcp
#bro -r tcp6.pcap

1231818666.514747 weird: spontaneous_FIN

there are no *.log files (conn.log, etc).

3. Can Bro read IPv6 multicast traces?

I don't see why it would have any trouble with multicast.

#tcpdump -w multicast.pcap -c 100000 -s 1500 -nvvi em2 ip6 multicast
#bro -r multicast.pcap

1231827825.806499 weird: bad_UDP_checksum

there are no *.log files.

with best regards,

-dikshie-

1. Any documentation on how to use Bro to read and analyze
  IPv6 traces?

Nothing extra is needed other than --enable-brov6.

Note though that Bro doesn't correctly deal with packets that have options
(this is a BPF/pcap limitation, rather than something specific to Bro).

2. I use Bro-1.4 installed from FreeBSD ports by adding
   --enable-brov6 to CONFIGURE_ARGS=
  but Bro fails to read IPv6 traces.

As usual, reports of failures work much better if you include a trace and
command-line invocation that demonstrates the problem, so we can try to
reproduce it.

3. Can Bro read IPv6 multicast traces?

It should be able to read them (as UDP, if that's what they are), but
doesn't do any interesting analysis on them.

    Vern

Hi,
Bro v1.4.6 compiled with IPv6 works well; small example:
  ./bro146ipv6 -r ipv6_http.pcap -f 'ip6' bro.init mt
conn.log:
  1186341404.189852 0.029609 2001:6f8:102d:0:2d0:9ff:fee3:e8de 2001:6f8:900:7c0::2 http 59201 80 tcp 240 2259 SF X %1
http.log:
  1186341404.199471 %1 start 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 > 2001:6f8:900:7c0::2:80
  1186341404.204585 %1 GET / (200 "OK" [2121] cl-1985.ham-01.de.sixxs.net)
Regards
Rmkml
Crusoe-Researches.com
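To confirm that IPv6 connections actually reached the logs (the empty-log symptom earlier in the thread is what a missing `ip6` capture filter looks like), here is an added example, not from the thread or the Bro project, that parses the Bro 1.x conn.log and http.log lines shown above and counts connections per IP version. The column layout, the `%N` tag join, and the second (IPv4) conn.log line are my assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample input: the IPv6 conn.log line quoted in the thread plus
# one made-up IPv4 line, so the per-version count has something to compare.
CONN_LOG = """\
1186341404.189852 0.029609 2001:6f8:102d:0:2d0:9ff:fee3:e8de 2001:6f8:900:7c0::2 http 59201 80 tcp 240 2259 SF X %1
1186341405.000000 0.010000 192.0.2.10 198.51.100.5 http 40000 80 tcp 300 1800 SF L %2
"""
HTTP_LOG = """\
1186341404.199471 %1 start 2001:6f8:102d:0:2d0:9ff:fee3:e8de:59201 > 2001:6f8:900:7c0::2:80
1186341404.204585 %1 GET / (200 "OK" [2121] cl-1985.ham-01.de.sixxs.net)
"""

# Assumed Bro 1.x conn.log column order; the last column is the %N tag that
# http.log reuses to point back at the connection.
FIELDS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
          "proto", "orig_bytes", "resp_bytes", "state", "flags", "addl")

def parse_conn_log(text):
    """Parse conn.log lines into dicts; addresses become ipaddress objects."""
    conns = []
    for line in text.splitlines():
        parts = line.split(None, len(FIELDS) - 1)
        if len(parts) < len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, parts))
        rec["orig_h"] = ipaddress.ip_address(rec["orig_h"])
        rec["resp_h"] = ipaddress.ip_address(rec["resp_h"])
        conns.append(rec)
    return conns

def ip_version_counts(conns):
    """Connections per IP version, e.g. Counter({6: 1, 4: 1}). A zero for 6 on
    a capture that should carry IPv6 points at a filter that lacks 'ip6'."""
    return Counter(c["orig_h"].version for c in conns)

def http_requests_by_tag(http_text):
    """Group http.log request lines (method in upper case) by their %N tag."""
    reqs = defaultdict(list)
    for line in http_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2].isupper():  # e.g. "GET / (200 ...)"
            reqs[parts[1]].append(parts[2] + " " + parts[3])
    return dict(reqs)

def ipv6_http_requests(conn_text, http_text):
    """Return (orig, resp, request) triples for requests over IPv6 connections."""
    reqs = http_requests_by_tag(http_text)
    return [(str(c["orig_h"]), str(c["resp_h"]), r)
            for c in parse_conn_log(conn_text) if c["orig_h"].version == 6
            for r in reqs.get(c["addl"], [])]
```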

Try running with the conn.bro script...

#bro -rtcp6.pcap -f "ip6 or ip" conn

   .Seth

#bro -r tcp6.pcap

1231818666.514747 weird: spontaneous_FIN

there are no *.log files (conn.log, etc).

Well, you haven't listed a script to process it with. Per the private
note I just sent you,

  bro -f ip6 -r tcp6.pcap mt

will generate the usual log files. (I overlooked -f ip6 - thanks, Seth!)

    Vern