I have a pcap file captured with tcpdump:
tcpdump -w out.pcap -ni eno1 host 192.88.99.1
I can view the pcap:
rful011@secmonprd13:~$ tcpdump -nr out.pcap -tttt | head
reading from file andy.tcpd, link-type EN10MB (Ethernet)
2023-04-11 11:54:52.046310 IP 130.216.15.171 > 192.88.99.1: IP6 2002:82d8:fab::82d8:fab > 2002:c058:6301::c058:6301: ICMP6, echo request, seq 43217, length 8
2023-04-11 11:54:52.164305 IP 192.88.99.1 > 130.216.15.171: IP6 2002:c058:6301::1 > 2002:82d8:fab::82d8:fab: ICMP6, time exceeded in-transit for 2002:c058:6301::c058:6301, length 56
2023-04-11 11:54:52.165665 IP 130.216.15.171 > 192.88.99.1: IP6 2002:82d8:fab::82d8:fab > 2002:c058:6301::c058:6301: ICMP6, echo request, seq 43218, length 8rful011@secmonprd13:~$ tcpdump -nr out.pcap -tttt ip6 net 2002::/16 | head
reading from file andy.tcpd, link-type EN10MB (Ethernet)
rful011@secmonprd13:~$TCP and this filtered out all 6to4 traffic. Removing the TCP filter and Arkime logged the 6to4 traffic.
This issue seems to be with the libpcap? on my Ubuntu boxes *and* I get the same behaviour on my Mac!
I can see why filtering on any protocol would filter out 6to4 so how I can construct a bpf filter that will capture the 6to4 traffic while allowing me to filter other traffic normally.
Asked by Russell Fulton
(231 rep)
Apr 11, 2023, 07:53 PM
Last activity: Apr 11, 2023, 08:15 PM
Last activity: Apr 11, 2023, 08:15 PM