Packet header IPv6 version field offset

fsebera

I am trying to utilize NBAR protocol-discovery to determine what applications are active on a LAN segment, to include IPv4/IPv6 traffic.

My router does not support NBAR for IPv6. Upgrading is not an option yet.  NBAR allows for custom filters so I want to create a filter to look into the packet headers and seek out the IPv6 version field.


The configuration option calls for "Enter BTYE Location of value to be searched on payload" which I am assuming means the offset from the beginning of the packet.


Anyone know this value?


Here is the router output for this setup.

R# ip nbar custom IPV6 ?

<0-255>       Enter BTYE Location of value to be searched on payload

destination   Destination Flow

source        Source Flow

tcp           TCP ports

udp           UDP ports

THANKS

Frank


fsebera

Layer-2 Ethernet frame: (Ethernet II)

Ethernet 802.3 SNAP has a different format.

  • preamble (56 bits)

  • start frame delimiter (8 bits)

Start counting at dst MAC address

  • dst MAC addr 6B (48 bits)

  • src MAC addr 6B (48 bits)

  • Eth type 2B (16 bits) The EtherType field is set to 0x86DD for IPv6 packets.
  • TAG 2B (16 bits)

  • TYPE 2B (16 bits)

TOTAL BYTES = 18B (144 bits)


Layer-3 packet (IPv4 and IPv6) both begin with the version field so perhaps the offset is between 145 - 148.

Version field is 4 bits in length:


19 20 21 22 -- 1/2 Byte

145 146 147 148 -- bits

0 1 2 4 = Version Field

0 0 0 1 = 4 (ipv4)

0 0 1 1 = 6 (ipv6)


TESTing . . . more later


Ok, more testing has been performed.

Looks like this will not work as hoped.

R# ip nbar custom IPV6 13 hex 86dd source tcp range 1025 65535

ERROR, Range is too large

R# ip nbar custom IPV6 13 hex 86dd source tcp range 1 1000

NBAR ERROR: Specified port(s) are associated with ftp

R# ip nbar custom IPV6 13 hex 86dd source tcp range 24 1000

NBAR ERROR: Specified port(s) are associated with http


Other options:

R# ip nbar custom IPV6 13 hex 86dd ?

destination Destination Flow

source Source Flow

tcp TCP ports

udp UDP ports

And the next required variable [for all options] is range values.

................. more research needed.............
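
Added example, not part of the original posts: a small Python parser that walks an Ethernet II frame, skips any 802.1Q/802.1ad tags, and reports the zero-based byte offsets of the EtherType and of the IP version nibble. The function name and the sample frames are constructed for illustration. Offsets are counted from the first byte of the destination MAC, and the code does not model how NBAR counts its own payload offset.

```python
import struct

TAG_TPIDS = {0x8100, 0x88A8}            # 802.1Q and 802.1ad (QinQ) tag protocol IDs
IP_ETHERTYPES = {0x0800: 4, 0x86DD: 6}  # EtherType -> expected IP version

def locate_ip_version(frame: bytes):
    """Return (ethertype_offset, ethertype, version_offset, version).

    Offsets are zero-based bytes counted from the first byte of the
    destination MAC (preamble and SFD are not part of a captured frame).
    """
    offset = 12  # skip dst MAC (6 B) + src MAC (6 B)
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break
        offset += 4  # skip one VLAN tag: TPID (2 B) + TCI (2 B)
    if ethertype < 0x0600:
        raise ValueError("802.3 length field, not an Ethernet II EtherType")
    if ethertype not in IP_ETHERTYPES:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not IPv4/IPv6")
    version_offset = offset + 2
    if len(frame) <= version_offset:
        raise ValueError("frame truncated before IP header")
    version = frame[version_offset] >> 4  # high nibble of the first IP byte
    if version != IP_ETHERTYPES[ethertype]:
        raise ValueError("version nibble disagrees with EtherType")
    return offset, ethertype, version_offset, version

# Constructed sample frames (MAC addresses and header bytes are made up).
MACS = bytes.fromhex("ffffffffffff" "020000000001")
IPV6_HDR = bytes.fromhex("60000000" "0000" "3b" "40") + bytes(32)
IPV4_HDR = bytes.fromhex("45000014000000004000") + bytes(10)
UNTAGGED_V6 = MACS + bytes.fromhex("86dd") + IPV6_HDR
TAGGED_V6 = MACS + bytes.fromhex("8100" "000a" "86dd") + IPV6_HDR
TAGGED_V4 = MACS + bytes.fromhex("8100" "000a" "0800") + IPV4_HDR

if __name__ == "__main__":
    for name, f in [("untagged v6", UNTAGGED_V6), ("tagged v6", TAGGED_V6),
                    ("tagged v4", TAGGED_V4)]:
        print(name, locate_ip_version(f))
```

With one VLAN tag present the IP header starts at byte 18, matching the 18-byte layer-2 total listed in the reply; without a tag it starts at byte 14.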
