Ask Your Question
0

BPF Byte filter for VLAN-IPv6-UDP stack

asked 2022-04-07 11:44:19 +0000

updated 2022-04-07 11:52:52 +0000

Hi Guys,

I'm struggling with BPF filter to match 2 Bytes inside UDP payload for the next stack: Ethernet-VLAN-IPv6-UDP.

So I make the next expression:

vlan and udp[8:2] = 0x1111    (1)

For some reason it does not work, no packet is matched. I make a step back and delete Byte matching part:

vlan and udp    (2)

This one works correctly matching all UDP inside IPv6.

I then try the first one (with Byte offset), but on Ethernet-VLAN-IPv4-UDP - and it works again.

So I checked compiled BPF and I see:

  • For vlan and udp:

image description

There is a check for v4 and v6.

  • For vlan and udp[8:2] = 0x1111

image description

There is no more check for v6.

Am I missing something? I'd like to avoid going down the stack and making Ethernet Byte filter with big offsets.

A good file to play with is in Johannes Weber blog:

https://weberblog.net/ipv6-upper-laye...

Thanks,

Vlad

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-04-07 14:10:55 +0000

Chuckc gravatar image

updated 2022-04-07 14:22:21 +0000

pcap-filter.7:

To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, sctp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) 

Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future)

It's been acknowledged but I don't see an open issue tracking it.

expression rejects all packets for IPv6 upper-layer protocol #600
"Closing as resolved (not a bug, but an improvement that remains to be made)."

Better IPv6 support for higher level protocols #864
"Let's close this as a duplicate of #600, which stands for the same problem and was opened much earlier."

edit flag offensive delete link more

Comments

Ah, I see now, thanks Chuck!

Packet_vlad gravatar imagePacket_vlad ( 2022-04-07 14:20:53 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-04-07 11:44:19 +0000

Seen: 71 times

Last updated: Apr 07