[Bro] giving IPv6 capture filter support
Julien Desfossez
ju at klipix.org
Tue Apr 3 04:55:48 PDT 2007
Hello,
You can use the following syntax to add IPv6 support:
redef capture_filters += {
["ipv6"] = "ip6"
};
With that filter, Bro will capture all IPv6 traffic.
Sessions.cc recognises TCP and UDP over IPv6 if there is no extension
header.
ICMPv6 has a different protocol number than ICMP (v4).
So you must replace the
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP && proto != IPPROTO_ICMP ) {...}
in DoNextPacket with:
if ( proto != IPPROTO_TCP && proto != IPPROTO_UDP && proto != IPPROTO_ICMP && proto != IPPROTO_ICMPV6 ) {...}
So your packet won't be dumped.
With that, you'll see in your Weird logs something like "unknown protocol
58" when you ping6, for example, because the "switch (proto) {}" doesn't
look for IPPROTO_ICMPV6.
HTH,
Julien Desfossez
Bindiya V S wrote:
> Hello all,
> I want BRO to detect IPv6 packets. I tried giving capture
> filter as
> redef capture_filters = { ["tcp"]= "tcp", ["udp"] = "udp",
> ["icmp"] = "icmp", ["ipv6"] = "ether proto 0x86dd"};
>
> BRO is not complaining, but the packets are not even
> recognised at Sessions.cc NextPacket.
>
> Thank you
> Bindiya
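An added example, not part of the original post and not Bro's own code: the protocol test from the reply (with IPPROTO_ICMPV6 included) applied to two constructed IPv6 packets, showing why a sensor that only reads the fixed header's Next Header field sees ICMPv6 (58) but misses TCP behind an extension header. It goes beyond the post by walking the extension header chain; the names is_analyzed and ip6_upper_proto and the sample packets are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <netinet/in.h>                 /* IPPROTO_* constants */

/* Constructed samples: only the version nibble and Next Header bytes are set. */
static const uint8_t ping6[48]   = { [0] = 0x60, [6] = 58 };           /* ICMPv6 */
static const uint8_t tcp_hbh[68] = { [0] = 0x60, [6] = 0, [40] = 6 };  /* hop-by-hop, then TCP */

/* The test from the post, with IPPROTO_ICMPV6 added (hypothetical helper). */
int is_analyzed(int proto)
{
    return proto == IPPROTO_TCP || proto == IPPROTO_UDP ||
           proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6;
}

/* Follow the extension header chain; -1 means truncated or not IPv6. */
int ip6_upper_proto(const uint8_t *pkt, size_t len, size_t *off)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;
    int proto = pkt[6];                 /* Next Header of the fixed 40-byte header */
    size_t pos = 40, ext_len;
    for (;;) {
        switch (proto) {
        case IPPROTO_HOPOPTS: case IPPROTO_ROUTING: case IPPROTO_DSTOPTS:
            if (len - pos < 2) return -1;
            ext_len = ((size_t)pkt[pos + 1] + 1) * 8;  /* 8-byte units, minus one */
            break;
        case IPPROTO_FRAGMENT:
            ext_len = 8;                /* fragment header has a fixed size */
            break;
        default:                        /* not an extension header: chain ends */
            *off = pos;
            return proto;
        }
        if (len - pos < ext_len) return -1;
        proto = pkt[pos];               /* first byte of every extension header */
        pos += ext_len;
    }
}

int main(void)
{
    size_t off = 0;
    int up = ip6_upper_proto(tcp_hbh, sizeof tcp_hbh, &off);
    printf("ping6: next header %d, analyzed=%d\n", ping6[6], is_analyzed(ping6[6]));
    printf("tcp_hbh: next header %d, analyzed=%d; after walk %d at offset %zu\n",
           tcp_hbh[6], is_analyzed(tcp_hbh[6]), up, off);
    return 0;
}
```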