[Bro] giving IPv6 capture filter support

Julien Desfossez ju at klipix.org
Tue Apr 3 04:55:48 PDT 2007


Hello,

You can use the following syntax to add IPv6 support:

redef capture_filters += {
    ["ipv6"] = "ip6"
};

With that filter, Bro will capture all IPv6 traffic.

Sessions.cc recognises TCP and UDP over IPv6 if there is no extension 
header.
ICMPv6 has a different protocol number than ICMP (v4).
So you must replace the

if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP && proto != IPPROTO_ICMP ) {...}

in DoNextPacket with:

if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP && proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6 ) {...}

So your packet won't be dumped.

With that, you'll see in your Weird logs something like "unknown protocol 
58" when you ping6, for example, because the "switch (proto) {}" doesn't 
look for IPPROTO_ICMPV6.

HTH,

Julien Desfossez



Bindiya V S wrote:
> Hello all,
> I want BRO to detect IPv6 packets. I tried giving capture 
> filter as 
> redef capture_filters = { ["tcp"]= "tcp", ["udp"] = "udp", 
> ["icmp"] = "icmp", ["ipv6"] = "ether proto 0x86dd"};
>
> BRO is not complaining, but the packets are not even 
> recognised at Sessions.cc NextPacket.
>
> Thank you
> Bindiya
>   
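An added example, not part of the original message and not Bro's code: it shows why a protocol check applied to the fixed IPv6 header's Next Header field misses ICMPv6 (protocol 58) until it is added, and why TCP behind an extension header is not recognised unless the header chain is walked. All function names and the sample packets are constructed for illustration, and it assumes the check reads only the fixed header's Next Header value.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// IANA protocol numbers (the values behind the IPPROTO_* names in the post).
enum : int { HOPOPTS = 0, ICMP = 1, TCP = 6, UDP = 17, ROUTING = 43,
             FRAGMENT = 44, ICMPV6 = 58, DSTOPTS = 60 };

// Walk the IPv6 extension-header chain and return the upper-layer protocol,
// or -1 if the buffer is not IPv6 or is truncated.
int ipv6_upper_proto(const uint8_t* p, size_t len) {
    if (len < 40 || (p[0] >> 4) != 6) return -1;
    int next = p[6];                           // Next Header of the fixed header
    size_t off = 40;                           // fixed IPv6 header is 40 bytes
    for (;;) {
        if (next != HOPOPTS && next != ROUTING && next != DSTOPTS && next != FRAGMENT)
            return next;                       // reached the upper-layer protocol
        if (off + 8 > len) return -1;          // every extension header is >= 8 bytes
        size_t ext_len = next == FRAGMENT ? 8 : (size_t(p[off + 1]) + 1) * 8;
        if (off + ext_len > len) return -1;
        next = p[off];                         // first byte is the next Next Header
        off += ext_len;
    }
}

// The check quoted in the post, before and after adding ICMPv6.
bool accepted_original(int proto) { return proto == TCP || proto == UDP || proto == ICMP; }
bool accepted_patched(int proto) { return accepted_original(proto) || proto == ICMPV6; }

// Constructed sample packet: a zeroed fixed header followed by the given bytes.
std::vector<uint8_t> make_ipv6(uint8_t next, const std::vector<uint8_t>& rest) {
    std::vector<uint8_t> pkt(40, 0);
    pkt[0] = 0x60;                             // version 6
    pkt[6] = next;
    pkt.insert(pkt.end(), rest.begin(), rest.end());
    return pkt;
}

int main() {
    auto ping6 = make_ipv6(ICMPV6, {128, 0, 0, 0, 0, 1, 0, 1});  // echo request
    std::vector<uint8_t> hbh = {TCP, 0, 1, 4, 0, 0, 0, 0};       // hop-by-hop + PadN
    hbh.resize(8 + 20, 0);                                       // zeroed TCP header
    auto tcp_ext = make_ipv6(HOPOPTS, hbh);
    std::printf("ping6: proto=%d original=%d patched=%d\n", ping6[6],
                accepted_original(ping6[6]), accepted_patched(ping6[6]));
    std::printf("tcp+hbh: fixed-header proto=%d, after chain walk=%d\n", tcp_ext[6],
                ipv6_upper_proto(tcp_ext.data(), tcp_ext.size()));
}
```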
