Weekend Challenge – Answers

December 3rd, 2009 by Chris

Well, it's now Thursday, so I figured it's time to post the answers to last weekend's challenge. ;)

First, why should you even care about IPv6 if you have not started deploying it? I felt much the same way till I found IPv6 being used as a covert communication channel within a client’s network. The data was then being pushed out to the Internet via Teredo. If you are not familiar with the technique, Scott Hogg has some excellent posts on the topic.

So even if you are not currently using IPv6, it pays to start getting familiar with the technology, as well as watching for it on your local network.

So to review, the challenge was:

Write a tcpdump or Windump filter that will capture all traffic with a source IPv6 address of 2001:db8::10 through 2001:db8::20.

There are a couple of caveats with writing this filter. The first few I covered in the last post. The final one, which I knew but never really thought was a problem till I started working with IPv6 pretty heavily, is that tcpdump/Windump will only let you use 1, 2 or 4 byte masks. So while we would love to solve this with an initial filter statement of “ip6[8:14]=”, we can’t because we’re limited to 4 bytes. There is in fact a way to get around this, but I’ll come back to it.

So here’s the filter I’ve been working with:

(ip6[8:4]=0x20010db8 and ip6[12:4]=0 and ip6[16:4]=0 and (ip6[20:4]>=0x0010 and ip6[20:4]<=0x0020))

A bit long, but it works. Elizabeth came up with a solution that is far more elegant than my own:

src net 2001:db8::/122 and ip6[23] >= 0x10 && ip6[23] <= 0x20

So by starting with the libpcap net syntax, she's able to combine my first three statements into one. Not to be a size queen, but that makes her solution much shorter than mine. In this case that's a good thing. :)

That’s about it. I’ll post another IPv6 type challenge tomorrow.

5 comments

  1. jc says:

    Chris,
    chiming in late but following along with timtowtdi
    how about…
‘src net 2001:db8::/122 and ((ip6[23] & 0xE0 == 0) or (ip6[23] == 0x20))’

  2. Chris says:

    Updating my reply due to lack of caffeine:
    src net 2001:db8::/122
    We’re masking on 122 bits. This specifies that bits 33 – 122 are equal to 0.
    ip6[23] & 0xE0 == 0
    This filter says bits 121 – 123 must be 0.
ip6[23] == 0x20
    This filter says bit 123 must be 1.

    So to just focus on the last byte, your statement says “bits 121 and 122 must be off and (bit 123 must be off or bit 123 must be on)”. This gets us close, but what if bit 124 is off? This could match the filter but still put us outside the specified range of addresses.

    • jc says:

ok so to match the first nibble of the last byte (I only want it to match 1, which yields 16 – 31), will
      ip6[23] & F0 == 1
      do the trick ?

      • Chris says:

        The filter:
        ip[23]&F0==1
        will look at the four high order bits and match on the *lowest* order bit being set. In other words, the specified value ( 1) would be perceived as decimal and is outside of the mask range. If you run the filter you will see that tcpdump gives you a syntax error. :(

        Let’s look at this last byte in binary to see if that makes the problem any easier.
        We are trying to match any binary value from:
        00010000 – 00100000
        The “src net” portion of the filter takes care of ensuring the two high order bits (64 & 128) are set to 0, so we don’t have to worry about them.
The rest of our filter needs to check to see:
        1) Is bit 32 turned on, with all lower order bits turned off (exactly 00100000).

        or…

        2) Is bit 32 turned off, bit 16 turned on, ignoring any lower order bits ( value range is 00010000 – 00011111).

        So the easiest way to filter on this is to include the greater than and less than primitives. What we want to say is:
00010000 <= VALUE <= 00100000

        Now, convert this back to Hex and you get:
0x10 <= VALUE <= 0x20

        In tcpdump speak, you write this expression as:
ip6[23] >= 0x10 && ip6[23] <= 0x20

        or:
ip6[23] >= 0x10 and ip6[23] <= 0x20

        Make a bit more sense?

        • jc says:

Makes sense, I just want to be difficult ;-)
I am trying to see if there is a way of accomplishing this using bit masking. Just realised my previous reply tried to match a nibble, not the byte, so here goes one last try:
src net 2001:db8::/122 and ((ip6[23] & 0xF0 = 0x10) or (ip6[23] = 0x20))

          So
ip6[23] & 0xF0 = 0x10 (should match decimal 16 – 31) and then ip6[23] = 0x20 should match 32. Or is it time to throw in the towel ??
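As an added example (not code from the post or the comments), here are the three filters under discussion, Chris's offset-based one, Elizabeth's src net form and jc's mask-based variant from the comment above, re-implemented in Python against constructed IPv6 headers so their match sets can be compared without a capture. The ip6(), bpf_number(), src_in_net() and filter function names are mine; bpf_number() mirrors the libpcap rule that a leading-zero literal such as 0050 is read as octal.

```python
import struct
import ipaddress

def build_ipv6_header(src: str, dst: str = "2001:db8::1") -> bytes:
    """Constructed sample: a minimal 40-byte IPv6 header, no payload."""
    # version 6, class/flow 0; payload length 0; next header 59 (none); hop limit 64
    fixed = struct.pack("!IHBB", 0x60000000, 0, 59, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed

def ip6(pkt: bytes, offset: int, size: int = 1) -> int:
    """Mimic tcpdump's ip6[offset:size]: big-endian unsigned int, size 1, 2 or 4 only."""
    if size not in (1, 2, 4):
        raise ValueError("tcpdump only allows 1-, 2- or 4-byte accesses")
    return int.from_bytes(pkt[offset:offset + size], "big")

def bpf_number(text: str) -> int:
    """Parse a literal the way the pcap filter lexer does: 0x hex, leading 0 octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)          # "0050" is octal 40, not decimal 50 or hex 0x50
    return int(t, 10)

def src_in_net(pkt: bytes, net: str) -> bool:
    """Equivalent of 'src net <prefix>': source address lives in bytes 8..23 of the header."""
    return ipaddress.IPv6Address(pkt[8:24]) in ipaddress.IPv6Network(net)

def offset_range_filter(lo: str, hi: str):
    """Chris's approach: three 4-byte compares for the prefix, then a 4-byte range on bytes 20..23.
    Bounds are tcpdump literals, so the octal rule in bpf_number() applies to them."""
    lo_v, hi_v = bpf_number(lo), bpf_number(hi)
    def flt(pkt: bytes) -> bool:
        return (ip6(pkt, 8, 4) == 0x20010db8 and ip6(pkt, 12, 4) == 0
                and ip6(pkt, 16, 4) == 0 and lo_v <= ip6(pkt, 20, 4) <= hi_v)
    return flt

def prefix_filter(pkt: bytes) -> bool:
    """Elizabeth's approach: /122 prefix match plus a range test on the last byte."""
    return src_in_net(pkt, "2001:db8::/122") and 0x10 <= ip6(pkt, 23) <= 0x20

def mask_filter(pkt: bytes) -> bool:
    """jc's approach: high nibble == 1 covers ::10-::1f, the equality covers ::20."""
    return src_in_net(pkt, "2001:db8::/122") and ((ip6(pkt, 23) & 0xF0) == 0x10 or ip6(pkt, 23) == 0x20)

def matched_hosts(flt, last_bytes=range(256)) -> set:
    """Set of last-byte values in 2001:db8::/120 the filter accepts; the target is 0x10..0x20."""
    return {b for b in last_bytes if flt(build_ipv6_header(f"2001:db8::{b:x}"))}
```

Running matched_hosts() on offset_range_filter("0x0010", "0050") shows why the upper bound must be written as 0x0020: the octal literal widens the range up to ::28.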
