Displaying / filtering IPv6 ICMP types and codes

Carter Bullard carter at qosient.com
Wed Aug 5 15:20:37 EDT 2015


Hey Brad,
Argus puts the types in the sport and the codes in the dport.
You can print them out in decimal, or hex or whatever you like using the format options,
so you should be able to get the types and codes however you like.

   ra -S argusSource -s stime dur saddr daddr proto:8 sport::%d dport::0x%x - proto ipv6-icmp

This should print the types and codes for ipv6: types in decimal, codes in hex.
There may be a bug for the codes, but it's working for all the Neighbor Solicitation
ipv6-icmp messages I see. (type 135, code 0)

% ra -S localhost -s stime dur saddr daddr proto sport::%d dport::0x%x
2015/08/05.15:18:46.736608   0.000099 fe80::223:32ff:fe* fe80::6a5b:35ff:f* ipv6-* 135

Carter


> On Aug 5, 2015, at 1:42 PM, Brad <brad at vt.edu> wrote:
> 
> Carter,
> 
> Are the Types and Codes combined in the variables sport and dport to produce one number in the output? The variables sport and dport look like uint16 types if I'm reading the source correctly? Would it be as simple as splitting that one number into two (the underlying Type and Code)? Adding human meaningful ways to get at that would be the harder problem I think (what you and Ken are discussing), but I was wondering if I could just take the current output and split sport and dport into the underlying Type and Code as a quick work-around.
> 
> Thanks,
> 
> Brad
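
Added example (not part of the original thread and not Argus code): a post-processor for the ra output described above, reading the ICMPv6 type from the sport column (decimal) and the code from the dport column (hex), and attaching type names from RFC 4443 and RFC 4861. The column layout is assumed from the -s field list in the message, the sample lines are constructed, and a missing code column is reported as None rather than guessed.

```python
# ICMPv6 type names (subset) from RFC 4443 and RFC 4861.
ICMP6_TYPES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
    137: "Redirect",
}

# Constructed sample lines (not captured output). Assumed column order:
# stime dur saddr daddr proto sport(type, %d) dport(code, 0x%x)
SAMPLE = """\
2015/08/05.15:18:46.736608 0.000099 fe80::1 fe80::2 ipv6-icmp 135 0x0
2015/08/05.15:18:47.100200 0.000000 2001:db8::1 2001:db8::2 ipv6-icmp 1 0x4
2015/08/05.15:18:48.000001 0.000120 fe80::1 ff02::1 ipv6-icmp 134
2015/08/05.15:18:49.000001 0.010000 2001:db8::1 2001:db8::2 tcp 51000 0x1bb
"""

def parse_line(line):
    """Return a record dict for an ipv6-icmp line, or None otherwise."""
    f = line.split()
    if len(f) < 6:
        return None
    # ra truncates narrow columns with '*' (e.g. "ipv6-*"). A truncated
    # label is ambiguous, so this relies on the "- proto ipv6-icmp" filter.
    proto = f[4].rstrip("*")
    if not (proto.startswith("ipv6-") and "ipv6-icmp".startswith(proto)):
        return None
    try:
        icmp_type = int(f[5])                           # sport::%d
        code = int(f[6], 16) if len(f) > 6 else None    # dport::0x%x
    except ValueError:
        return None
    return {"stime": f[0], "saddr": f[2], "daddr": f[3],
            "type": icmp_type, "code": code,
            "name": ICMP6_TYPES.get(icmp_type, "unknown")}

def select(text, wanted_types):
    """Keep only records whose ICMPv6 type is in wanted_types."""
    recs = (parse_line(l) for l in text.splitlines())
    return [r for r in recs if r and r["type"] in wanted_types]

if __name__ == "__main__":
    # Neighbor Discovery traffic only (types 133-136).
    for r in select(SAMPLE, {133, 134, 135, 136}):
        print(r["stime"], r["saddr"], "->", r["daddr"],
              r["type"], r["name"], r["code"])
```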
