BPF Byte filter for VLAN-IPv6-UDP stack

Hi Guys,

I'm struggling with a BPF filter to match 2 bytes inside the UDP payload for the following stack: Ethernet-VLAN-IPv6-UDP.

So I make the following expression:

vlan and udp[8:2] = 0x1111    (1)

For some reason it does not work; no packet is matched. I take a step back and delete the byte-matching part:

vlan and udp    (2)

This one works correctly, matching all UDP inside IPv6.

I then try the first one (with the byte offset), but on Ethernet-VLAN-IPv4-UDP, and it works again.

So I checked the compiled BPF and I see:

  • For vlan and udp:

There is a check for v4 and v6.

  • For vlan and udp[8:2] = 0x1111

There is no more check for v6.

Am I missing something? I'd like to avoid going down the stack and making an Ethernet byte filter with big offsets.

A good file to play with is on Johannes Weber's blog:

https://weberblog.net/ipv6-upper-laye...

Thanks,

Vlad

Packet_vlad
asked 2022-04-07 11:44:19 +0000, updated 2022-04-07 11:52:52 +0000
1 Answer

pcap-filter.7:

To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, sctp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.)

Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future).

It's been acknowledged but I don't see an open issue tracking it.

expression rejects all packets for IPv6 upper-layer protocol #600
"Closing as resolved (not a bug, but an improvement that remains to be made)."

Better IPv6 support for higher level protocols #864
"Let's close this as a duplicate of #600, which stands for the same problem and was opened much earlier."

Chuckc
answered 2022-04-07 14:10:55 +0000, updated 2022-04-07 14:22:21 +0000

Comments

Ah, I see now, thanks Chuck!

Packet_vlad (2022-04-07 14:20:53 +0000)
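
Since the man page excerpt in the answer lists ip6 as an index protocol, the payload can be addressed from the IPv6 header instead: with no extension headers, udp[8:2] sits at ip6[48:2] (40-byte IPv6 header plus 8-byte UDP header), giving `vlan and ip6[6] = 17 and ip6[48:2] = 0x1111`. The Python sketch below is an added example, not from the thread or from libpcap; its function names and frames are constructed for illustration, and it shows that the fixed offset matches the plain stack but misses a packet with an extension header, which needs a Next Header walk.

```python
import struct

UDP, EXT_HDRS = 17, {0, 43, 60}  # 0/43/60: hop-by-hop, routing, dest. options

def build_frame(payload, ext=b"", first_nh=UDP):
    """Constructed sample: Ethernet / 802.1Q / IPv6 [/ ext header] / UDP."""
    udp = struct.pack("!HHHH", 5000, 5001, 8 + len(payload), 0) + payload
    body = ext + udp
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), first_nh, 64) + bytes(32)
    eth = bytes(12) + struct.pack("!HHH", 0x8100, 100, 0x86DD)
    return eth + ip6 + body

def ip6_offset(frame):
    """Skip the MAC addresses and any VLAN tags; return the IPv6 header offset."""
    off = 12
    while struct.unpack_from("!H", frame, off)[0] in (0x8100, 0x88A8):
        off += 4
    return off + 2 if struct.unpack_from("!H", frame, off)[0] == 0x86DD else None

def fixed_offset_match(frame, value):
    """Emulates the ip6[] terms: ip6[6] = 17 and ip6[48:2] = value."""
    ip6 = ip6_offset(frame)
    if ip6 is None or len(frame) < ip6 + 50:
        return False
    return frame[ip6 + 6] == UDP and struct.unpack_from("!H", frame, ip6 + 48)[0] == value

def chain_walk_match(frame, value):
    """Follows Next Header through extension headers to the UDP payload."""
    ip6 = ip6_offset(frame)
    if ip6 is None:
        return False
    nh, off = frame[ip6 + 6], ip6 + 40
    while nh in EXT_HDRS and off + 2 <= len(frame):
        nh, off = frame[off], off + (frame[off + 1] + 1) * 8
    if nh != UDP or off + 10 > len(frame):
        return False
    return struct.unpack_from("!H", frame, off + 8)[0] == value

# Constructed frames: same UDP payload, second one adds an 8-byte
# destination-options header (next header 17, length 0, PadN of 4 bytes).
PLAIN = build_frame(b"\x11\x11data")
WITH_EXT = build_frame(b"\x11\x11data", ext=bytes([17, 0, 1, 4, 0, 0, 0, 0]), first_nh=60)

if __name__ == "__main__":
    for name, f in (("plain", PLAIN), ("ext-header", WITH_EXT)):
        print(name, fixed_offset_match(f, 0x1111), chain_walk_match(f, 0x1111))
```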