how to read the icmpv6 flags for router advertisement

0

Hi,

I am running a Wireshark capture on the LAN cape side, i.e. the 192.168.0.x router side. I am looking for Router Advertisement packets. I am running a display filter "icmpv6.type == 134". I want to read the 'M' (managed address configuration) bit, 'O' (other stateful configuration) bit, 'L' bit and 'A' bit from the captured file.

I am using the tshark command line as I am doing this for automation and cannot use the Wireshark GUI for reading these flags. I want to read these flags from the capture file; I am currently using:

tshark -r <capturedfile> -R "icmpv6.type == 134" -w <newcapturedfile>

but it only gives the RA packets but I need to read the boolean flag bits.

-Gourab Majumdar.

asked 21 Oct '13, 21:42

Gourab Majumdar


One Answer:

0

but it only gives the RA packets but I need to read the boolean flag bits.

That's because you wrote the frames (option -w) that matched your filter into a new pcap file.

I want to read the 'M'(managed address configuration) bit, 'O'(other stateful configuration) bit, 'L' bit and 'A' bit from the captured file.

Please try this:

tshark -nr input.pcap -R "icmpv6.type == 134" -T fields -e frame.number -e ipv6.src -e ipv6.dst -e icmpv6.mip6.flag.m -e icmpv6.mip6.flag.o -E header=y -E "separator=;"

If you need more/other fields (flags), please try to find them here:

http://www.wireshark.org/docs/dfref/i/icmpv6.html
http://www.wireshark.org/docs/dfref/
tshark -G

Regards
Kurt

answered 28 Oct '13, 07:53

Kurt Knochner ♦

Hi Kurt,

Thanks for the detailed filter. With the filter I am now getting the RA packets with the "M" and "O" flags/bits. Actually, I want to display/read only those packets which have M=1 and O=1 and not any others. Right now I am getting all captures which have those bits in the flags, I mean all RA packets. I tried the following:

tshark -nr Ra.pcap -R "icmpv6.type == 134" -T fields -e frame.number -e ipv6.src -e ipv6.dst -e icmpv6.mip6.flag.m==1 -e icmpv6.mip6.flag.o==1 -E header=y -E separator=;

but it did not work. How can we set the filter so that it reads only those packets which have the bits SET and not others?

(28 Oct '13, 19:56) Koushik Gane...

The -e switches indicate which fields to include in the output; they aren't filters. To only output those packets with the required flags you'll need to adjust the filter following the -R switch. You should be able to use the expressions you have (incorrectly) used in the -e switches.

(29 Oct '13, 02:50) grahamb ♦

As @grahamb said, please use the following tshark command:

tshark -nr input.pcap -R "icmpv6.mip6.flag.m == 1 or icmpv6.mip6.flag.o == 1" -T fields -e frame.number -e ipv6.src -e ipv6.dst -e icmpv6.mip6.flag.m -e icmpv6.mip6.flag.o -E header=y -E "separator=;"

(29 Oct '13, 04:04) Kurt Knochner ♦
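
For reference, where the four bits asked about in the question sit in the packet itself, as an added example that is not part of the original thread: the sketch below reads M and O from the Router Advertisement header and L and A from each Prefix Information option, using the RFC 4861 layout. The function names and the sample RA (prefix 2001:db8::/64) are constructed for illustration, and the input is assumed to be the ICMPv6 message only, without the IPv6 header.

```python
import ipaddress
import struct

RA_TYPE = 134         # ICMPv6 Router Advertisement (RFC 4861, section 4.2)
OPT_PREFIX_INFO = 3   # Prefix Information option (RFC 4861, section 4.6.2)

def parse_ra_flags(icmpv6: bytes) -> dict:
    """Return the M/O bits and each prefix's L/A bits from a raw ICMPv6 RA."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra_flags = icmpv6[5]                      # byte after Cur Hop Limit
    result = {"M": bool(ra_flags & 0x80), "O": bool(ra_flags & 0x40), "prefixes": []}
    offset = 16                               # options follow the fixed header
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(icmpv6):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefix_len, pflags = icmpv6[offset + 2], icmpv6[offset + 3]
            prefix = ipaddress.IPv6Address(icmpv6[offset + 16:offset + 32])
            result["prefixes"].append({
                "prefix": f"{prefix.compressed}/{prefix_len}",
                "L": bool(pflags & 0x80),     # on-link flag
                "A": bool(pflags & 0x40),     # autonomous address-configuration flag
            })
        offset += opt_len
    return result

def build_sample_ra(m: int, o: int, l: int, a: int) -> bytes:
    """Constructed test input: RA header plus one Prefix Information option."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, (m << 7) | (o << 6), 1800, 0, 0)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, 64, (l << 7) | (a << 6),
                         2592000, 604800, 0, ipaddress.IPv6Address("2001:db8::").packed)
    return header + option

if __name__ == "__main__":
    for bits in [(1, 1, 1, 0), (0, 1, 1, 1), (0, 0, 1, 1)]:
        parsed = parse_ra_flags(build_sample_ra(*bits))
        # Same selection as a filter requiring M == 1 and O == 1
        tag = "M and O both set" if parsed["M"] and parsed["O"] else "other"
        print(parsed, tag)
```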