[ipv6hackers] Question on tools use to monitor fragmented packet attacks

Owen DeLong owend at he.net
Mon Apr 15 06:34:18 CEST 2013


On Apr 13, 2013, at 18:07 , Fernando Gont <fgont at si6networks.com> wrote:

> On 04/13/2013 05:44 PM, Owen DeLong wrote:
>> I've found tcpdump to be a much easier and more versatile tool for this purpose as well.
>> 
>> TCPdump's cleverness is usually a bit less "overly-clever" than wireshark and it seems to do a better job of noticing what is wrong and flagging it.
> 
> +1
> 
> Although there's stuff that it catches.. and, more importantly, it lags
> behind wireshark when it comes to support of some IPv6/ND options (e.g.,
> last time I checked it didn't support RDNSS).
> 

Stock tcpdump on Mac OS X 10.8.2:

delong-dhcp227:~ root# tcpdump -n -i en0 -s 1500 -vvv -X icmp6 and 'ip6[40] = 134'
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 1500 bytes
21:31:23.542222 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 80) fe80::20c:42ff:fe9b:4af6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 80
	hop limit 0, Flags [none], pref medium, router lifetime 3600s, reachable time 0s, retrans time 0s
	  source link-address option (1), length 8 (1): 00:0c:42:9b:4a:f6
	    0x0000:  000c 429b 4af6
	  rdnss option (25), length 24 (3):  lifetime 900s, addr: 2620:0:930::200:2
	    0x0000:  0000 0000 0384 2620 0000 0930 0000 0000
	    0x0010:  0000 0200 0002
	  prefix info option (3), length 32 (4): 2620:0:930::/64, Flags [onlink, auto], valid time 86400s, pref. time 3600s
	    0x0000:  40c0 0001 5180 0000 0e10 0000 0000 2620
	    0x0010:  0000 0930 0000 0000 0000 0000 0000
	0x0000:  6c00 0000 0050 3aff fe80 0000 0000 0000  l....P:.........
	0x0010:  020c 42ff fe9b 4af6 ff02 0000 0000 0000  ..B...J.........
	0x0020:  0000 0000 0000 0001 8600 3025 0000 0e10  ..........0%....
	0x0030:  0000 0000 0000 0000 0101 000c 429b 4af6  ............B.J.
	0x0040:  1903 0000 0000 0384 2620 0000 0930 0000  ........&....0..
	0x0050:  0000 0000 0200 0002 0304 40c0 0001 5180  ..........@...Q.
	0x0060:  0000 0e10 0000 0000 2620 0000 0930 0000  ........&....0..
	0x0070:  0000 0000 0000 0000                      ........


Would seem to indicate that it understands RDNSS just fine.

Owen
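As an added illustration (not code from the thread or from tcpdump), the following Python decoder walks the same router advertisement: the 120 packet bytes are rebuilt from the hexdump above, the `ip6[40] = 134` type-byte test from the tcpdump filter is applied, and the ND options are decoded the way tcpdump printed them (source link-layer address, RDNSS, prefix information). The constant `RA_PACKET` and the function `parse_ra` are names chosen for this example; it assumes a bare ICMPv6 payload with no IPv6 extension headers.

```python
import ipaddress
import struct
# Constructed from the hexdump in the message above: 40-byte IPv6 header + 80-byte ICMPv6 RA.
RA_PACKET = bytes.fromhex(
    "6c0000000050 3aff fe80000000000000 020c42fffe9b4af6 ff020000000000000000000000000001"
    "86003025 00000e10 00000000 00000000"                         # RA header: type 134, lifetime 3600s
    "0101 000c429b4af6"                                           # option 1: source link-layer address
    "1903 0000 00000384 26200000093000000000000002000002"         # option 25: RDNSS, lifetime 900s
    "0304 40c0 00015180 00000e10 00000000 26200000093000000000000000000000"  # option 3: prefix info
)

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25

def parse_ra(pkt):
    """Return the RA header fields and decoded ND options of one IPv6/ICMPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack_from("!HB", pkt, 4)
    if next_hdr != 58:  # no extension-header walk here; a real monitor must handle them
        raise ValueError("next header is not ICMPv6")
    icmp = pkt[40:40 + payload_len]
    # Same test as the tcpdump filter 'ip6[40] = 134': the ICMPv6 type byte.
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a router advertisement")
    ra = {"src": str(ipaddress.IPv6Address(pkt[8:24])), "cur_hop_limit": icmp[4],
          "router_lifetime": struct.unpack_from("!H", icmp, 6)[0], "options": []}
    off = 16  # options follow the 16-byte RA header, each a multiple of 8 bytes
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0 or off + olen * 8 > len(icmp):  # RFC 4861: length 0 is invalid
            raise ValueError("malformed ND option at offset %d" % off)
        body = icmp[off + 2:off + olen * 8]
        if otype == OPT_SRC_LLADDR:
            opt = {"type": "src_lladdr", "mac": body[:6].hex(":")}
        elif otype == OPT_RDNSS:  # reserved(2) lifetime(4) then one or more 16-byte addresses
            opt = {"type": "rdnss", "lifetime": struct.unpack_from("!I", body, 2)[0],
                   "addrs": [str(ipaddress.IPv6Address(body[i:i + 16]))
                             for i in range(6, len(body) - 15, 16)]}
        elif otype == OPT_PREFIX_INFO:  # plen(1) flags(1) valid(4) preferred(4) rsvd(4) prefix(16)
            plen, flags, valid, pref = struct.unpack_from("!BBII", body)
            opt = {"type": "prefix_info", "valid": valid, "preferred": pref,
                   "prefix": str(ipaddress.IPv6Network((body[14:30], plen), strict=False)),
                   "flags": [n for bit, n in ((0x80, "onlink"), (0x40, "auto")) if flags & bit]}
        else:
            opt = {"type": otype, "raw": body.hex()}
        ra["options"].append(opt)
        off += olen * 8
    return ra
```

Running `parse_ra(RA_PACKET)` yields the same fields tcpdump printed: RDNSS lifetime 900s with address 2620:0:930::200:2 and the 2620:0:930::/64 prefix with the onlink and auto flags set.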
