tcpdump read both ipv4 and ipv6 packets from pcap

linux networking ipv6 wireshark tcpdump
6,382

Perhaps it will help you:

tcpdump 'ip6[6]==17 or udp or (ip6[6]==6 and ip6[53]&8!=0) or tcp[13]&8!=0' -X -r some.pcap

In tcpdump you can't retrieve ipv6 packets the way you are trying, because it does not support (at least up to 4.9.2 version) BPF filters under ipv6.

So,

  • ip6[6]==17 means udp over ipv6 (the 6th byte is the ipv6-header protocol field), ip6[6]==6 means tcp over ipv6 respectively;

  • ip6[53]&8!=0 means tcp-push over ipv6 (40 bytes of ipv6-header and 13th byte of tcp-header, which is tcp-flags);

  • tcp[13]&8!=0 is the same as your tcp[tcpflags] & tcp-push != 0.

More info: ipv6 tcpip pocketguide and here.

Keep in mind (!): Using ip6[6] to identify the protocol fails if any extension headers are present (as pointed by kasperd). More about ipv6 extension headers here. Hence such way tcp-packets over ipv6 with extension headers will not be captured.

Also, you can write your own simple filter for specific (e.g. to get the last character of payload) purposes like:

perl -le 'print map { /(?:Flags \[P\.\]|UDP).*(\S)$/s } split /\d{2}:\d{2}:\d{2}\.\d{6}/, `tcpdump -X -r some.pcap 2>/dev/null`'
Share:
6,382
z0lupka
Author by

z0lupka

Updated on September 18, 2022

Comments

  • z0lupka
    z0lupka over 1 year

    I'm trying to gain some info from payload of TCP and UDP. The filter

    (tcp.stream && tcp.flags.push == 1) || udp.stream

    in Wireshark gives me both IPv4 and IPv6 packets.

    But I can't figure out how to do that through the tcpdump. I tried:

    tcpdump -X 'tcp[tcpflags] & tcp-push != 0 or udp' -r some.pcap

    But there are only IPv4 packets. Something like

    tcpdump -X '((tcp[tcpflags] & tcp-push != 0) or udp) and (ip or ip6)' -r some.pcap

    also displays only IPv4 packets. Any examples would be helpful.

    • kasperd
      kasperd over 5 years
      I think that is a bug in tcpdump.
  • kasperd
    kasperd over 5 years
    Using ip6[6] to identify the protocol fails if any extension headers are present. ip6[53]&8!=0 can still match packets that aren't TCP.
  • red0ct
    red0ct over 5 years
    @kasperd Thanks, fixed. About extensions: it wasn't stated that this way is versatile, however, it can be useful. So you are welcome to give a more versatile usage examples of tcpdump with ipv6. I'll be happy to use it :)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Using tcpdump to find strings
How to use Linux to capture packets on eth0 and send everything to eth1?
What program sent which packet to the network
How to trace networking activity of a command?
What does a sequence of retransmissions with PSH,ACK flags mean (and a spurious retransmission back)?
TCP Server sends [ACK] followed by [PSH,ACK]
Is net.ipv6.conf.all.forwarding=1 equivalent to enabling forwarding for all individual interfaces?
How can I switch off IPv6 ND RA transmissions in Linux?
tcpdump error: no suitable device found in Linux
Capture only TCP SYN-ACK packets with tcpdump