regarding ipv6

Carter Bullard carter at qosient.com
Wed May 21 18:06:35 EDT 2014 

Oh, and if you supply an ipv6 address in a filter,
you’ll find that we realize we’re working with ipv6
and do the right thing.

So first this first example passes an ipv6 address.
We’ll grab the flow DSR (dsr[1]) and grab the second
byte in the header and try to find out if its ipv6
(0x02).  Then we build a big ole 128 bit ipv6 address
to match.

thoth:~ carter$ ra -b - src host 1::16
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x2             jt 3	jf 11
(003) ld       dsr[1][16]
(004) jeq      #0x16000000      jt 5	jf 15
(005) ld       dsr[1][12]
(006) jeq      #0x0             jt 7	jf 15
(007) ld       dsr[1][8]
(008) jeq      #0x0             jt 9	jf 15
(009) ld       dsr[1][4]
(010) jeq      #0x100           jt 14	jf 15
(011) jeq      #0x4             jt 12	jf 15
(012) ld       dsr[1][12]
(013) jeq      #0x100           jt 14	jf 15
(014) ret      #150
(015) ret      #0


Here 0x01 is the bit indicator for ipv4, and, we load
up the address.  In this case we’re looking for the
address in arp and in standard ip flows.

thoth:~ carter$ ra -b - src host 1.2.3.4
(000) ldb      dsr[1][2]
(001) and      #31
(002) jeq      #0x1             jt 3	jf 5
(003) ld       dsr[1][4]
(004) jeq      #0x1020304       jt 8	jf 9
(005) jeq      #0x4             jt 6	jf 9
(006) ld       dsr[1][12]
(007) jeq      #0x1020304       jt 8	jf 9
(008) ret      #150
(009) ret      #0




On May 21, 2014, at 5:58 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey James,
> We don’t make a big distinction between ipv4 and ipv6.
> you can always filter on ipv6 by using the filter “ ipv6 “.
> 
>   ra -S localhost - ipv6
> 
> Aggregation works well, longest prefix match works and CIDR
> works, but they are literal operators, so if you do saddr/64
> on an IPv6 address, it should do the right thing, not sure
> it would be what you wanted …
> 
> There is a distinction between ‘icmp’ and ‘icmp-v6’ as filters,
> so a filter like " icmp and ipv6 “ would return nada, as there
> won’t be any matches.
> 
> Carter
> 
> On May 21, 2014, at 3:25 PM, James Grace <jgrac002 at fiu.edu> wrote:
> 
>> Hi, 
>> 
>> I have argus purring along smoothly and was wondering if there were filters built in or methods others are using to report on ipv6 traffic solely. I don't see anything in the man pages and the gmane search function is busted so I'm unable to look around on the list archives. 
>> 
>> Cheers,
>> -james
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20140521/9b21db1a/attachment.sig>

More information about the argus mailing list