[ipv6hackers] Question on tools use to monitor fragmented packet attacks
Owen DeLong
owend at he.net
Mon Apr 15 06:34:18 CEST 2013
On Apr 13, 2013, at 18:07 , Fernando Gont <fgont at si6networks.com> wrote:
> On 04/13/2013 05:44 PM, Owen DeLong wrote:
>> I've found tcpdump to be a much easier and more versatile tool for this purpose as well.
>>
>> TCPdump's cleverness is usually a bit less "overly-clever" than wireshark and it seems to do a better job of noticing what is wrong and flagging it.
>
> +1
>
> Although there's stuff that it catches.. and, more importantly, it lags
> behind wireshark when it comes to support of some IPv6/ND options (e.g.,
> last time I checked it didn't support RDNSS).
>
Stock tcpdump on Mac OS X 10.8.2:
delong-dhcp227:~ root# tcpdump -n -i en0 -s 1500 -vvv -X icmp6 and 'ip6[40] = 134'
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 1500 bytes
21:31:23.542222 IP6 (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 80) fe80::20c:42ff:fe9b:4af6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 80
hop limit 0, Flags [none], pref medium, router lifetime 3600s, reachable time 0s, retrans time 0s
source link-address option (1), length 8 (1): 00:0c:42:9b:4a:f6
0x0000: 000c 429b 4af6
rdnss option (25), length 24 (3): lifetime 900s, addr: 2620:0:930::200:2
0x0000: 0000 0000 0384 2620 0000 0930 0000 0000
0x0010: 0000 0200 0002
prefix info option (3), length 32 (4): 2620:0:930::/64, Flags [onlink, auto], valid time 86400s, pref. time 3600s
0x0000: 40c0 0001 5180 0000 0e10 0000 0000 2620
0x0010: 0000 0930 0000 0000 0000 0000 0000
0x0000: 6c00 0000 0050 3aff fe80 0000 0000 0000 l....P:.........
0x0010: 020c 42ff fe9b 4af6 ff02 0000 0000 0000 ..B...J.........
0x0020: 0000 0000 0000 0001 8600 3025 0000 0e10 ..........0%....
0x0030: 0000 0000 0000 0000 0101 000c 429b 4af6 ............B.J.
0x0040: 1903 0000 0000 0384 2620 0000 0930 0000 ........&....0..
0x0050: 0000 0000 0200 0002 0304 40c0 0001 5180 ..........@...Q.
0x0060: 0000 0e10 0000 0000 2620 0000 0930 0000 ........&....0..
0x0070: 0000 0000 0000 0000 ........
Would seem to indicate that it understands RDNSS just fine.
Owen
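The capture above can be decoded by hand to confirm what tcpdump printed. The following Python is an added example, not code from this post, from tcpdump or from any of the listed projects: it takes the hex dump above (constructed here as a byte string, ASCII column dropped), walks the IPv6 header and the ICMPv6 Router Advertisement, parses the ND options including RDNSS (type 25), recomputes the checksum that tcpdump reports as "[icmp6 sum ok]", and applies the RFC 4861 validity checks a host performs before accepting an RA. It also reproduces the `ip6[40] = 134` filter and notes its limitation for the fragmented-packet case the thread is about: byte 40 is only the ICMPv6 type when no extension header sits between the IPv6 header and ICMPv6. Function names (`matches_ra_filter`, `parse_router_advertisement`, `ra_issues`) are this example's own.

```python
"""Decode the Router Advertisement from the tcpdump output above, including the
RDNSS option (RFC 6106), and reproduce tcpdump's 'ip6[40] = 134' filter and its
'[icmp6 sum ok]' check. Added example; not code from the post or from tcpdump."""
import ipaddress
import struct

# Constructed from the hex dump in the post (ASCII column dropped): 40-byte IPv6
# header followed by an 80-byte ICMPv6 Router Advertisement.
RA_BYTES = bytes.fromhex(
    "6c00 0000 0050 3aff fe80 0000 0000 0000"
    "020c 42ff fe9b 4af6 ff02 0000 0000 0000"
    "0000 0000 0000 0001 8600 3025 0000 0e10"
    "0000 0000 0000 0000 0101 000c 429b 4af6"
    "1903 0000 0000 0384 2620 0000 0930 0000"
    "0000 0000 0200 0002 0304 40c0 0001 5180"
    "0000 0e10 0000 0000 2620 0000 0930 0000"
    "0000 0000 0000 0000"
)

IPV6_HDR_LEN = 40
NH_ICMPV6 = 58
ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25


def matches_ra_filter(pkt):
    """Same test as  tcpdump icmp6 and 'ip6[40] = 134'.  Caveat: byte 40 is the
    ICMPv6 type only when no extension header (fragment, destination options,
    ...) precedes ICMPv6; otherwise it is a byte of that extension header."""
    return (len(pkt) > IPV6_HDR_LEN and pkt[6] == NH_ICMPV6
            and pkt[IPV6_HDR_LEN] == ICMPV6_RA)


def parse_ipv6_header(pkt):
    vtc_flow, plen, nh, hlim = struct.unpack_from("!IHBB", pkt, 0)
    return {"version": vtc_flow >> 28, "traffic_class": (vtc_flow >> 20) & 0xFF,
            "payload_length": plen, "next_header": nh, "hop_limit": hlim,
            "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40])}


def icmpv6_checksum_ok(hdr, icmp):
    """Recompute the ICMPv6 checksum over the RFC 8200 pseudo-header + message."""
    pseudo = hdr["src"].packed + hdr["dst"].packed + struct.pack("!I3xB", len(icmp), NH_ICMPV6)
    data = pseudo + icmp[:2] + b"\x00\x00" + icmp[4:]   # checksum field zeroed
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) == struct.unpack_from("!H", icmp, 2)[0]


def decode_option(opt_type, body):
    """body excludes the 2-byte type/length header (RFC 4861 / RFC 6106 layouts)."""
    if opt_type == OPT_SRC_LLADDR:
        return {"type": opt_type, "lladdr": body[:6].hex(":")}
    if opt_type == OPT_RDNSS:   # reserved(2) lifetime(4) then 16-byte addresses
        lifetime = struct.unpack_from("!I", body, 2)[0]
        addrs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(6, len(body) - 15, 16)]
        return {"type": opt_type, "lifetime": lifetime, "addrs": addrs}
    if opt_type == OPT_PREFIX_INFO:   # plen(1) flags(1) valid(4) pref(4) rsvd(4) prefix(16)
        plen, flags, valid, preferred = struct.unpack_from("!BBII", body, 0)
        prefix = ipaddress.IPv6Network((body[14:30], plen), strict=False)
        return {"type": opt_type, "prefix": prefix, "onlink": bool(flags & 0x80),
                "auto": bool(flags & 0x40), "valid": valid, "preferred": preferred}
    return {"type": opt_type, "raw": body}


def parse_nd_options(data):
    """ND options are TLVs with length in 8-octet units; a zero length is invalid
    and RFC 4861 section 4.6 requires the whole message to be discarded."""
    options, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:
            raise ValueError("option length 0 (RFC 4861 section 4.6)")
        end = off + opt_len * 8
        if end > len(data):
            raise ValueError("option runs past end of packet")
        options.append(decode_option(opt_type, data[off + 2:end]))
        off = end
    return options


def parse_router_advertisement(pkt):
    hdr = parse_ipv6_header(pkt)
    if hdr["next_header"] != NH_ICMPV6:
        raise ValueError("next header is not ICMPv6 (extension headers not walked here)")
    icmp = pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + hdr["payload_length"]]
    typ, _code, _csum, cur_hlim, flags, rlife, reach, retrans = struct.unpack_from("!BBHBBHII", icmp, 0)
    if typ != ICMPV6_RA:
        raise ValueError("not a router advertisement")
    return {"header": hdr, "checksum_ok": icmpv6_checksum_ok(hdr, icmp),
            "cur_hop_limit": cur_hlim, "flags": flags, "router_lifetime": rlife,
            "reachable_time": reach, "retrans_timer": retrans,
            "options": parse_nd_options(icmp[16:])}


def ra_issues(pkt):
    """RFC 4861 section 6.1.2 checks a host makes before accepting an RA; any
    entry returned is a reason to drop and log the packet. Empty list = valid."""
    try:
        ra = parse_router_advertisement(pkt)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    if ra["header"]["hop_limit"] != 255:
        issues.append("hop limit %d != 255 (possibly forwarded)" % ra["header"]["hop_limit"])
    if not ra["header"]["src"].is_link_local:
        issues.append("source %s is not link-local" % ra["header"]["src"])
    if not ra["checksum_ok"]:
        issues.append("bad ICMPv6 checksum")
    return issues


if __name__ == "__main__":
    print(ra_issues(RA_BYTES), parse_router_advertisement(RA_BYTES)["options"])
```

Running it on the captured bytes yields no issues and the same three options tcpdump printed (source link-layer address, RDNSS with a 900 s lifetime for 2620:0:930::200:2, and the /64 prefix). Flipping the RDNSS length byte to zero makes the parser reject the message, which is the behaviour RFC 4861 mandates and a useful thing to verify in any tool you rely on for RA monitoring.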