Layer-2 Ethernet frame: (Ethernet II)
Ethernet 802.3 SNAP has a different format.
- preamble (56 bits)
- start frame delimiter (8 bits)
Start counting at dst MAC address
- dst MAC addr 6B (48 bits)
- src MAC addr 6B (48 bits)
- Eth type 2B (16 bits) The EtherType field is set to 0x86DD for IPv6 packets.
- TAG 2B (16 bits)
- TYPE 2B (16 bits)
TOTAL BYTES = 18B (144 bits)
Layer-3 packet (IPv4 and IPv6) both begin with the version field so perhaps the offset is between 145 - 148.:
:
Version field is 4 bits in length:
:
19 20 21 22 -- 1/2 Byte
145 146 147 148 -- bits
0 1 2 4 = Version Field
0 0 0 1 = 4 (ipv4)
0 0 1 1 = 6 (ipv6)
:
TESTing . . . more later
:
:
:
:
:
Ok, more testing has been performed.
Looks like this will not work as hoped.
R# ip nbar custom IPV6 13 hex 86dd source tcp range 1025 65535
ERROR, Range is too large
R# ip nbar custom IPV6 13 hex 86dd source tcp range 1 1000
NBAR ERROR: Specified port(s) are associated with ftp
R# ip nbar custom IPV6 13 hex 86dd source tcp range 24 1000
NBAR ERROR: Specified port(s) are associated with http
:
:
:
:
Other options:
R# ip nbar custom IPV6 13 hex 86dd ?
destination Destination Flow
source Source Flow
tcp TCP ports
udp UDP ports
And the next required varible [for all options] is range values.
................. more research needed.............