
Mailing List Archive: NTop: Misc

IPV6 information


frwaonto at gmail

Jul 10, 2012, 11:47 PM

Post #1 of 10 (1600 views)
IPV6 information

Dear All,
We are using pfcount codes as our base. We would like to capture IPV6 information, so I guess it will all come under here, right: if(h->extended_hdr.parsed_pkt.eth_type == 0x0806). For ipv4 we managed to capture things like source ip intoa(ntohl(ip->ip_src.s_addr)), destination ip intoa(ntohl(ip->ip_dst.s_addr)), source mac h->extended_hdr.parsed_pkt.smac, destination mac h->extended_hdr.parsed_pkt.dmac, source port h->extended_hdr.parsed_pkt.l4_src_port and destination port h->extended_hdr.parsed_pkt.l4_dst_port. In order to capture V6 information, can we use this same method or will it be totally different? Thank you.


cardigliano at ntop

Jul 11, 2012, 2:54 AM

Post #2 of 10 (1558 views)
Re: IPV6 information

Frwa
please have a look at PF_RING/userland/examples/pfcount.c:395

Regards
Alfredo


_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


frwaonto at gmail

Jul 11, 2012, 7:53 AM

Post #3 of 10 (1555 views)
Re: IPV6 information

Dear Alfredo,
OK, I could get the mac properly but the ip is showing all 0000:0000:0000:0000:0000:0000: Besides that, in ipv4 we have all these values, so what are the equivalents for ipv6?

h->extended_hdr.parsed_header_len
h->extended_hdr.parsed_pkt.ipv4_tos
h->extended_hdr.parsed_pkt.l4_src_port
h->extended_hdr.parsed_pkt.l4_dst_port
h->len
h->extended_hdr.parsed_pkt.tcp.flags,
proto2str(ip->ip_p)
h->extended_hdr.parsed_pkt.tcp.ack_num
h->extended_hdr.parsed_pkt.tcp.seq_num
h->extended_hdr.pkt_hash

Regards,
Frwa.



cardigliano at ntop

Jul 11, 2012, 8:11 AM

Post #4 of 10 (1561 views)
Re: IPV6 information

Frwa
it is working for me, please update from SVN and check with:
./pfcount -i eth0-v -m
If it is still not working please tell us how to reproduce it (card model, drivers version, a .pcap)

Regards
Alfredo



frwaonto at gmail

Jul 11, 2012, 8:29 AM

Post #5 of 10 (1557 views)
Re: IPV6 information

Dear Alfredo,
I tried and got this: ./pfcount -i eth0-v -m
pfring_open error [Invalid argument] (pf_ring not loaded or perhaps you use quick mode and have already a socket bound to eth0-v ?) but I could run ./pfcount by itself and ./pfcount -i and ./pfcount -m. So what could be wrong here? How about the extra information I asked about just now, is there anything extra? Thank you.

Regards,
Frwa.



cardigliano at ntop

Jul 12, 2012, 1:43 AM

Post #6 of 10 (1558 views)
Re: IPV6 information

Frwa
sorry:
./pfcount -i eth0 -v -m
(with a whitespace, eth0 is the interface name, put yours)

Alfredo



frwaonto at gmail

Jul 12, 2012, 1:59 AM

Post #7 of 10 (1552 views)
Re: IPV6 information

Dear Alfredo,
No problem. Besides that, I notice IPV6 has eliminated quite a number of the header elements in comparison to IPV4. I notice tos, header length, packet length, flags, protocol, ackNum, sequence number and header cs are not there, right? But when I do this, h->len, proto2str(ip->ip_p) and h->extended_hdr.pkt_hash still give me some values; are those valid or not?

Regards,
Frwa.



cardigliano at ntop

Jul 12, 2012, 2:08 AM

Post #8 of 10 (1559 views)
Re: IPV6 information

On Jul 12, 2012, at 10:59 AM, frwa onto wrote:

> Dear Alfredo,
> No problem. Besides that, I notice IPV6 has eliminated quite a number of the header elements in comparison to IPV4. I notice tos, header length, packet length, flags, protocol, ackNum, sequence number and header cs are not there, right? But when I do this, h->len, proto2str(ip->ip_p) and h->extended_hdr.pkt_hash still give me some values; are those valid or not?

Yes

Alfredo



frwaonto at gmail

Jul 12, 2012, 2:11 AM

Post #9 of 10 (1559 views)
Re: IPV6 information

Dear Alfredo,
Your yes is referring to which portion? I am kind of confused. Do you mean those are still valid, right? Thank you.

Regards,
Shai.



cardigliano at ntop

Jul 12, 2012, 2:18 AM

Post #10 of 10 (1562 views)
Re: IPV6 information

On Jul 12, 2012, at 11:11 AM, frwa onto wrote:

> Dear Alfredo,
> Your yes is referring to which portion? I am kind of confused. Do you mean those are still valid, right? Thank you.

Yes (those are still valid) :-)

Alfredo
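
The questions raised in this thread (which EtherType marks IPv6, how to print a 128-bit address, and which header fields remain compared with IPv4), as an added example that is not part of the original posts and does not use the PF_RING API. It is a stand-alone C parser for a raw Ethernet frame that also follows IPv6 extension headers before reading the TCP/UDP fields; `struct flow_info`, `parse_ipv6_frame` and the sample frame are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN   14
#define IP6_HLEN   40
#define ETYPE_IPV6 0x86DD       /* 0x0800 is IPv4, 0x0806 is ARP */

struct flow_info {              /* hypothetical result struct for this example */
  uint16_t eth_type;
  uint8_t  tclass;              /* IPv6 traffic class: counterpart of IPv4 TOS */
  uint32_t flow_label;          /* 20 bits, no IPv4 counterpart */
  uint16_t payload_len;         /* bytes after the fixed 40-byte header */
  uint8_t  hop_limit, l4_proto;
  char     src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
  uint16_t sport, dport;
  uint32_t seq, ack;            /* TCP header layout is the same under IPv6 */
  uint8_t  tcp_flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 0 on success, -1 when the frame is not IPv6, truncated or malformed. */
int parse_ipv6_frame(const uint8_t *pkt, size_t len, struct flow_info *out)
{
  memset(out, 0, sizeof(*out));
  if (len < ETH_HLEN) return -1;
  out->eth_type = rd16(pkt + 12);
  if (out->eth_type != ETYPE_IPV6 || len < ETH_HLEN + IP6_HLEN) return -1;

  const uint8_t *ip6 = pkt + ETH_HLEN;
  if ((ip6[0] >> 4) != 6) return -1;
  out->tclass      = (uint8_t)(((ip6[0] & 0x0F) << 4) | (ip6[1] >> 4));
  out->flow_label  = rd32(ip6) & 0x000FFFFF;
  out->payload_len = rd16(ip6 + 4);
  out->hop_limit   = ip6[7];
  /* A 128-bit address does not fit a 32-bit formatter; inet_ntop handles it. */
  if (!inet_ntop(AF_INET6, ip6 + 8, out->src, sizeof(out->src)) ||
      !inet_ntop(AF_INET6, ip6 + 24, out->dst, sizeof(out->dst))) return -1;

  /* The L4 header may sit behind extension headers, so follow next-header. */
  uint8_t nh = ip6[6];
  size_t off = ETH_HLEN + IP6_HLEN;
  for (int i = 0; i < 8; i++) {               /* bound the chain length */
    if (nh != 0 && nh != 43 && nh != 44 && nh != 60) break;
    if (off + 8 > len) return -1;
    size_t hlen = (nh == 44) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
    int later_fragment = (nh == 44) && (rd16(pkt + off + 2) & 0xFFF8);
    if (off + hlen > len) return -1;
    nh = pkt[off];
    off += hlen;
    if (later_fragment) { out->l4_proto = nh; return 0; } /* no L4 header here */
  }
  out->l4_proto = nh;
  if (nh == 6) {                              /* TCP */
    if (off + 20 > len) return -1;
    out->seq = rd32(pkt + off + 4);
    out->ack = rd32(pkt + off + 8);
    out->tcp_flags = pkt[off + 13];
  } else if (nh == 17) {                      /* UDP */
    if (off + 8 > len) return -1;
  } else {
    return 0;                                 /* other protocols carry no ports */
  }
  out->sport = rd16(pkt + off);
  out->dport = rd16(pkt + off + 2);
  return 0;
}

/* Constructed sample: Ethernet + IPv6 + hop-by-hop header + TCP SYN. */
static const uint8_t sample_frame[] = {
  0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x86,0xdd,
  0x6b,0x81,0x23,0x45, 0x00,0x1c, 0x00, 0x40,       /* next header 0 = hop-by-hop */
  0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,0x01,  /* 2001:db8::1 */
  0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,0x02,  /* 2001:db8::2 */
  0x06,0x00,0x01,0x04,0,0,0,0,                      /* next header 6 = TCP, PadN */
  0xc0,0x00,0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0
};

int main(void)
{
  struct flow_info f;
  if (parse_ipv6_frame(sample_frame, sizeof(sample_frame), &f) != 0) return 1;
  printf("%s.%u -> %s.%u proto=%u tclass=0x%02x flow=0x%05x plen=%u flags=0x%02x seq=%u\n",
         f.src, f.sport, f.dst, f.dport, f.l4_proto, f.tclass,
         (unsigned)f.flow_label, f.payload_len, f.tcp_flags, (unsigned)f.seq);
  return 0;
}
```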

