ipv6 and "net" filter

carter at qosient.com carter at qosient.com
Wed Dec 8 18:16:46 EST 2010


Hey Chris,
We've had v6 support for a long time, but that doesn't mean there aren't problems.  

If you run ra() with the -b option, it will print the compiler output, so you can see how the comparison is done.  It seems that with the CIDR notation we make comparisons as if it was an IPv4 address, fetching 4 bytes and masking/comparing, which is not right.
 
I'll take a look tonight when I get a chance to look at the code.

Carter 


-----Original Message-----
From: Chris Wakelin <c.d.wakelin at reading.ac.uk>
Sender: argus-info-bounces+carter=qosient.com at lists.andrew.cmu.edu
Date: Wed, 08 Dec 2010 16:38:16 
To: <argus-info at lists.andrew.cmu.edu>
Subject: [ARGUS] ipv6 and "net" filter

Hi,

I've been using Argus pretty successfully for the last couple of weeks
(using PF_RING-enabled libpcap) for a mixed ipv4/ipv6 network. It's
proving very useful!

I've spotted what seems to be a bug in the ipv6 netmask handling in at
least Argus clients 3.0.3.19 and 3.0.3.20 (the Argus server is
3.0.3.19). It seems to work if the number of masked bits is a multiple
of 32, but not for in-between values.

E.g.

ipv6 and net 2001:630:53::/48 doesn't match (should match exactly our
network)

ipv6 and net 2001:630:53::/32 does match (but matches 2001:630:1: etc.
as well)

ipv6 and net 2001:630:53::/33 doesn't match

ipv6 and net 2001:630:53:18::/64 does match (one of our subnets)

and, of course,

ipv6 and host 2001:630:53:fa::99 does match (my PC)

Am I missing something?

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
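
The prefix comparison discussed in this thread, as an added example (not part of the original messages and not Argus's code): an IPv6 `net` match has to mask and compare all four 32-bit words of the address, with a partial mask on the word where the prefix ends. `in6_prefix_words` and `in6_net_match` are hypothetical names, and `2001:630:1::1` is a constructed address outside the /48.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-word masks (network byte order) for an IPv6 prefix length 0..128.
 * /48 -> ffffffff ffff0000 0 0; /33 -> ffffffff 80000000 0 0. */
void in6_prefix_words(unsigned plen, uint32_t mask[4])
{
    for (unsigned i = 0; i < 4; i++) {
        unsigned bits = plen > 32 * i ? plen - 32 * i : 0;
        if (bits > 32)
            bits = 32;
        /* bits == 0 is handled apart: shifting a 32-bit value by 32 is undefined */
        mask[i] = bits ? htonl(0xffffffffu << (32 - bits)) : 0;
    }
}

/* 1 if addr is inside net/plen, 0 if not, -1 on unparsable input. */
int in6_net_match(const char *addr, const char *net, unsigned plen)
{
    struct in6_addr a, n;
    uint32_t aw[4], nw[4], mask[4];

    if (plen > 128 || inet_pton(AF_INET6, addr, &a) != 1 ||
        inet_pton(AF_INET6, net, &n) != 1)
        return -1;
    memcpy(aw, a.s6_addr, sizeof aw);
    memcpy(nw, n.s6_addr, sizeof nw);
    in6_prefix_words(plen, mask);
    for (unsigned i = 0; i < 4; i++)   /* compare every word under its own mask */
        if ((aw[i] ^ nw[i]) & mask[i])
            return 0;
    return 1;
}

int main(void)
{
    /* Filters from the post; 2001:630:1::1 is a constructed out-of-network address */
    const unsigned plens[] = { 32, 33, 48 };
    for (unsigned i = 0; i < 3; i++)
        printf("/%u: own=%d other=%d\n", plens[i],
               in6_net_match("2001:630:53:fa::99", "2001:630:53::", plens[i]),
               in6_net_match("2001:630:1::1", "2001:630:53::", plens[i]));
    return 0;
}
```

A flow filter that gets this wrong fails silently: a /48 that never matches drops your own network from a report, and a /32 standing in for it pulls in neighbouring allocations.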


