
I am trying to obtain the protocol number from an IPv6 packet. Which one of these fields do I have to use in order to achieve this?

```python
print(cap[36].ipv6.field_names)
```

```
['version', 'ip_version', 'tclass', 'tclass_dscp', 'tclass_ecn', 'flow', 'plen', 'nxt', 'hlim', 'src', 'addr', 'src_host', 'host', 'dst', 'dst_host']
```
djangodude
Lyra Orwell
  • IPv6 does not have a protocol field like IPv4. Instead it has a `next header` field which is most likely `nxt` in your list. – Klaus D. Feb 15 '20 at 17:46
  • There may be option headers, so you must walk the Next Header until you get to the last Next Header. – Ron Maupin Feb 18 '20 at 18:51

1 Answer

I'm unsure if this is the correct answer for your question. If it isn't, please let me know and I will rework my answer.

```python
import pyshark

pcap_file = 'capture.pcap'  # placeholder: path to your capture file

capture = pyshark.FileCapture(pcap_file)
for packet in capture:
    if hasattr(packet, 'ipv6') and hasattr(packet, 'tcp'):
        # IPv6 packet carrying TCP: report both endpoints
        source_address = packet.ipv6.src
        source_port = packet[packet.transport_layer].srcport
        print(f'TCP packet -- Source Address: {source_address} -- Source Port: {source_port}')

        destination_address = packet.ipv6.dst
        destination_port = packet[packet.transport_layer].dstport
        print(f'TCP packet -- Destination Address: {destination_address} -- Destination Port: {destination_port}')

    elif hasattr(packet, 'ipv6') and hasattr(packet, 'udp'):
        # IPv6 packet carrying UDP: report both endpoints
        source_address = packet.ipv6.src
        source_port = packet[packet.transport_layer].srcport
        print(f'UDP packet -- Source Address: {source_address} -- Source Port: {source_port}')

        destination_address = packet.ipv6.dst
        destination_port = packet[packet.transport_layer].dstport
        print(f'UDP packet -- Destination Address: {destination_address} -- Destination Port: {destination_port}')
```

UPDATE:

I apologize for the delay in my response. Here is an updated answer, which hopefully solves the issue raised by Ron Maupin.

```python
import re

import pyshark

pcap_file = 'capture.pcap'  # placeholder: path to your capture file

capture = pyshark.FileCapture(pcap_file)
for packet in capture:
    if "IPV6" in str(packet.layers):
        # Collect every "Next Header: <name> (<number>)" entry from the text
        # dump of the second layer, which is assumed to be the IPv6 layer
        next_header_info = re.findall(r'(Next Header:)\s(\w.+)\s(\W\d{0,3}\W)', str(packet.layers[1]))
        print(next_header_info)

# Output
# [('Next Header:', 'ICMPv6', '(58)')]
# [('Next Header:', 'ICMPv6', '(58)')]
# [('Next Header:', 'ICMPv6', '(58)')]
# [('Next Header:', 'IPv6 Hop-by-Hop Option', '(0)'), ('Next Header:', 'ICMPv6', '(58)')]
# [('Next Header:', 'ICMPv6', '(58)')]
# [('Next Header:', 'UDP', '(17)')]
# ...truncated
```

Life is complex
  • That only works if the IPv6 packet does not have any option headers. The last header in the chain of option headers will be the transport protocol. – Ron Maupin Feb 19 '20 at 01:16
  • @RonMaupin Could you please provide me an example packet with the option headers? Thanks. – Life is complex Feb 19 '20 at 03:18
  • If you are programming for IPv6, then you must be familiar with _[RFC 8200, Internet Protocol, Version 6 (IPv6) Specification](https://tools.ietf.org/html/rfc8200)_. Just reread [Section 4. IPv6 Extension Headers](https://tools.ietf.org/html/rfc8200#section-4) for the full explanation. – Ron Maupin Feb 19 '20 at 03:24
  • @RonMaupin Thanks for the reference. I changed the code, but I'm not sure if it completely solves the issue that you raised. – Life is complex Feb 19 '20 at 05:30
  • @RonMaupin does this update solve the issue that you raised? – Life is complex Nov 25 '20 at 15:35
  • Unfortunately, I'm not much of a Python programmer so I cannot be definitive, but it looks like you are walking the headers. The extension headers are not used all that often, but a proper application should take them into account. The only hitch I see is that IPv6 has extension headers to let you encrypt the packet payload, so it would not be possible to get to the real payload header in that case. I imagine that option being used more in an IPv6-only future, rather than tunneling packets for encryption. – Ron Maupin Nov 26 '20 at 01:53
  • @RonMaupin Yes, the example is walking all the headers in the IPv6 layer. Some logic could be added to catch a packet that might not contain these headers. I need more PCAPs to test that. And encryption is a whole other issue. – Life is complex Nov 26 '20 at 03:42
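
The Next Header walk discussed in the comments above, done on raw packet bytes instead of pyshark's text output. This is an added example, not code from the answer: the function names and sample packets are constructed for illustration, and it assumes only the RFC 8200 extension headers plus AH and ESP need handling (any other value is treated as the upper-layer protocol).

```python
import struct

# Generic "Next Header, Hdr Ext Len" layout (RFC 8200, section 4):
# Hop-by-Hop Options (0), Routing (43), Destination Options (60).
GENERIC_EXT = {0, 43, 60}
FRAGMENT, ESP, AH, NO_NEXT = 44, 50, 51, 59

def upper_layer_protocol(packet: bytes):
    """Walk the Next Header chain of a raw IPv6 packet.

    Returns (chain, proto). chain lists every Next Header value seen; proto is
    the upper-layer protocol number, or None when it cannot be read (ESP,
    No Next Header, non-first fragment, truncated capture).
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, offset, chain = packet[6], 40, []
    while True:
        chain.append(nxt)
        if nxt in (ESP, NO_NEXT):
            return chain, None              # payload encrypted or absent
        if nxt not in GENERIC_EXT and nxt not in (FRAGMENT, AH):
            return chain, nxt               # reached the upper-layer header
        if offset + 8 > len(packet):
            return chain, None              # header cut off by the capture
        following, length_field = packet[offset], packet[offset + 1]
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return chain, None          # later fragment carries no upper header
            size = 8                        # Fragment header is fixed-size
        elif nxt == AH:
            size = (length_field + 2) * 4   # AH length: 4-octet units, minus 2
        else:
            size = (length_field + 1) * 8   # 8-octet units, first 8 not counted
        nxt, offset = following, offset + size

def ipv6_header(nxt: int, payload: bytes) -> bytes:
    """Build a constructed sample packet: version 6, hop limit 64, src = dst = ::1."""
    addr = bytes(15) + b"\x01"
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + addr + addr + payload

# Constructed samples mirroring the answer's output: plain ICMPv6, and
# Hop-by-Hop Options (one PadN option) followed by ICMPv6.
ICMP6 = bytes([128, 0, 0, 0, 0, 0, 0, 0])
PLAIN = ipv6_header(58, ICMP6)
HBH = ipv6_header(0, bytes([58, 0, 1, 4, 0, 0, 0, 0]) + ICMP6)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("hop-by-hop", HBH)):
        print(name, upper_layer_protocol(pkt))
```

A `None` protocol with `50` at the end of the chain is the ESP case raised in the comments: the walk stops there because the remaining headers are encrypted.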