I have a pcap file captured with tcpdump: tcpdump -w out.pcap -ni eno1 host 192.88.99.1
I can view the pcap:
rful011@secmonprd13:~$ tcpdump -nr out.pcap -tttt | head
reading from file andy.tcpd, link-type EN10MB (Ethernet)
2023-04-11 11:54:52.046310 IP 130.216.15.171 > 192.88.99.1: IP6 2002:82d8:fab::82d8:fab > 2002:c058:6301::c058:6301: ICMP6, echo request, seq 43217, length 8
2023-04-11 11:54:52.164305 IP 192.88.99.1 > 130.216.15.171: IP6 2002:c058:6301::1 > 2002:82d8:fab::82d8:fab: ICMP6, time exceeded in-transit for 2002:c058:6301::c058:6301, length 56
2023-04-11 11:54:52.165665 IP 130.216.15.171 > 192.88.99.1: IP6 2002:82d8:fab::82d8:fab > 2002:c058:6301::c058:6301: ICMP6, echo request, seq 43218, length 8

but any attempt to filter results in no output:
rful011@secmonprd13:~$ tcpdump -nr out.pcap -tttt ip6 net 2002::/16 | head
reading from file andy.tcpd, link-type EN10MB (Ethernet)
rful011@secmonprd13:~$

I came across this while investigating why I was not seeing the 6to4 traffic in Arkime -- in that case I had a BPF filter selecting TCP, and this filtered out all 6to4 traffic. After removing the TCP filter, Arkime logged the 6to4 traffic.
This issue seems to be with libpcap(?) on my Ubuntu boxes, and I get the same behaviour on my Mac!
I can see why filtering on any protocol would filter out 6to4, so how can I construct a BPF filter that will capture the 6to4 traffic while allowing me to filter other traffic normally?
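As an added illustration (not part of the post, and not libpcap code), the script below constructs a frame shaped like the echo request in the capture above (Ethernet / IPv4 carrying protocol 41 / IPv6 / ICMPv6, checksums left at zero), then applies two matchers: one that, like `ip6 net 2002::/16`, only looks at frames whose EtherType is IPv6, and one that also follows IPv4 protocol 41 into the encapsulated IPv6 header. It also returns a tcpdump filter string that keeps the usual traffic plus the 6to4 tunnel packets; the inner-prefix byte offsets there assume an IPv4 header without options.

```python
import struct
from ipaddress import IPv4Address, IPv6Address, ip_network

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
IPPROTO_IPV6 = 41          # IPv6-in-IPv4 encapsulation, which is what 6to4 (RFC 3056) uses

def build_6to4_frame(outer_src, outer_dst, inner_src, inner_dst, seq=43217):
    """Constructed sample frame: Ethernet / IPv4 (proto 41) / IPv6 / ICMPv6 echo request.
    Checksums are left at zero; they play no part in filtering."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 0x1234, seq)                  # type 128 = echo request
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp6), 58, 64)             # version 6, next header 58
           + IPv6Address(inner_src).packed + IPv6Address(inner_dst).packed + icmp6)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6), 0, 0, 64, IPPROTO_IPV6, 0,
                      IPv4Address(outer_src).packed, IPv4Address(outer_dst).packed)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip4 + ip6     # zero MACs, then IPv4

def match_ip6_net_native_only(frame, net):
    """What `ip6 net <prefix>` amounts to: only frames with EtherType IPv6 are examined."""
    net = ip_network(net)
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return False
    return IPv6Address(frame[22:38]) in net or IPv6Address(frame[38:54]) in net

def match_ip6_net_6to4_aware(frame, net):
    """Same test, but also descends through IPv4 protocol 41 to the encapsulated IPv6 header."""
    net = ip_network(net)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV6:
        off = 14
    elif ethertype == ETHERTYPE_IPV4 and frame[14 + 9] == IPPROTO_IPV6:   # byte 9 of IPv4 = protocol
        off = 14 + (frame[14] & 0x0F) * 4                                  # honour IHL (IPv4 options)
    else:
        return False
    return IPv6Address(frame[off + 8:off + 24]) in net or IPv6Address(frame[off + 24:off + 40]) in net

def bpf_keeping_6to4(other="tcp"):
    """tcpdump/Arkime filter: keep `other` plus 6to4 packets whose inner src or dst is in 2002::/16.
    Assumes an IPv4 header without options, so inner IPv6 src/dst sit at ip[28] and ip[44]."""
    return f"{other} or (ip proto 41 and (ip[28:2] = 0x2002 or ip[44:2] = 0x2002))"

if __name__ == "__main__":
    frame = build_6to4_frame("130.216.15.171", "192.88.99.1",
                             "2002:82d8:fab::82d8:fab", "2002:c058:6301::c058:6301")
    print("native-only match:", match_ip6_net_native_only(frame, "2002::/16"))   # False, as in the post
    print("6to4-aware match :", match_ip6_net_6to4_aware(frame, "2002::/16"))    # True
    print("filter:", bpf_keeping_6to4())
```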