BPF Byte filter for VLAN-IPv6-UDP stack

asked 2022-04-07 11:44:19 +0000

Packet_vlad

1055 ●5 ●75 ●32 http://packettrain.net

updated 2022-04-07 11:52:52 +0000

Hi Guys,

I'm struggling with BPF filter to match 2 Bytes inside UDP payload for the next stack: Ethernet-VLAN-IPv6-UDP.

So I make the next expression:

vlan and udp[8:2] = 0x1111    (1)

For some reason it does not work, no packet is matched. I make a step back and delete Byte matching part:

vlan and udp    (2)

This one works correctly matching all UDP inside IPv6.

I then try the first one (with Byte offset), but on Ethernet-VLAN-IPv4-UDP - and it works again.

So I checked compiled BPF and I see:

For vlan and udp:

image description

There is a check for v4 and v6.

For vlan and udp[8:2] = 0x1111

image description

There is no more check for v6.

Am I missing something? I'd like to avoid going down the stack and making Ethernet Byte filter with big offsets.

A good file to play with is in Johannes Weber blog:

https://weberblog.net/ipv6-upper-laye...

Thanks,

Vlad

edit retag flag offensive close merge delete

add a comment

To access data inside the packet, use the following syntax: proto [ expr : size ] Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, sctp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.)

Comments

Ah, I see now, thanks Chuck!

Packet_vlad ( 2022-04-07 14:20:53 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

BPF Byte filter for VLAN-IPv6-UDP stack

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

BPF Byte filter for VLAN-IPv6-UDP stack edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

BPF Byte filter for VLAN-IPv6-UDP stack