Comments on: ICMPv6 Challenge – Hints

By: Slezicz

Slezicz — Fri, 07 May 2010 20:11:44 +0000

Hi, this function is not supported for upper layers.
So if you like to filter icmp6 packtes by is type and you know that IPv6 header is 20 bytes you could simply do ip6[21] & 130 !=0. Means first byte after IPv6 header, and there should be ICMPv6 header I’m not sure is this will work if next header will be included.

By: Steinar H. Gunderson

Steinar H. Gunderson — Fri, 11 Dec 2009 00:23:20 +0000

One could imagine IPsec options, but it sounds a bit obscure for MLD…

I guess if you assume that there’s only the RTR-alert option, it’s of fixed length and you could just use the offset. I have no idea if you can actually do iteration or indirection in textual pcap filters.

/* Steinar */

By: Chris

Chris — Thu, 10 Dec 2009 16:26:21 +0000

Agreed grep is the easiest implementation. Just makes it more difficult to save pcap files.

To quote RFC 2710: “All MLD messages described in this document are sent with a link-local IPv6 Source Address, an IPv6 Hop Limit of 1, and an IPv6 Router Alert option [RTR-ALERT] in a Hop-by-Hop Options header.”
So you do have an extension header to deal with. As for having to chase the headers, so far I’ve only seen multicast listener packets with the hop-by-hop header. Although I don’t see anything in 2710 forbidding the use of additional headers.

By: Steinar H. Gunderson

Steinar H. Gunderson — Wed, 09 Dec 2009 19:38:49 +0000

The pragmatic solution is, of course,

tcpdump -l -i any icmp6 | grep -E ‘\b160\b’

or similar.

The pcap-based solution depends on whether you want to support IPv6 extension headers or not. If not, you can simply use an offset from the IP header; if you want to support it, it starts getting more evil (look at tcpdump -d ip6 protochain 58 for a BPF example of chasing these headers!), but then again, icmp6 doesn’t really seem to support that either. Is there a solution that doesn’t involve writing your own BPF, and supports chasing the protocol chains?

/* Steinar */