Question

I am able to read/replay all the headers and fields with tshark up to the IPv6 header (Ethernet header and IPv6 header), but when I try to replay the pcap files to read the ICMPv6 fields, none of those fields are displayed.

Is this a bug in tshark? Is there any alternative tool to read all the fields in all headers of a packet?

The version of tshark I am using is 1.2.11

Solution

Bro is a network traffic analysis tool with full IPv6 support, whereas tshark seems to struggle with IPv6. In Bro, you can get connection summaries by running it on a trace as follows:

bro -C -r trace.pcap

and inspect the resulting file conn.log in the same directory. You may find the accompanying tool bro-cut helpful to extract only a subset of the columns, e.g.,

bro-cut id.orig_h id.resp_h id.orig_p id.resp_p proto < conn.log

would extract the connection 5-tuple and print it to STDOUT, so that you can continue processing it with your favorite text munching tool.
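
As an added example (not part of the original answer), the following Python sketch does the same column extraction as the bro-cut command above and narrows the result to ICMPv6 flows, which is what the question asks about. The log content is a constructed sample, and the code assumes Bro's convention of logging ICMP with proto "icmp" and the ICMP type in the id.orig_p column.

```python
import ipaddress

# Constructed sample in Bro's tab-separated conn.log layout, trimmed to the
# columns used above; addresses, UIDs and timestamps are made up.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum",
    "1300475167.1\tCsample1\tfe80::1\t135\tff02::1:ff00:2\t136\ticmp",
    "1300475168.2\tCsample2\t2001:db8::10\t128\t2001:db8::20\t129\ticmp",
    "1300475169.3\tCsample3\t192.0.2.5\t8\t192.0.2.9\t0\ticmp",
    "1300475170.4\tCsample4\t2001:db8::10\t51000\t2001:db8::53\t53\tudp",
    "#close\t2011-03-18-19-06-13",
])


def read_bro_log(text):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record found before the #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count does not match #fields")
            yield dict(zip(fields, values))


def icmpv6_flows(text):
    """Return (orig_h, resp_h, icmp_type) for ICMP flows between IPv6 hosts."""
    flows = []
    for rec in read_bro_log(text):
        # proto is "icmp" for both ICMPv4 and ICMPv6, so check the address family.
        if rec["proto"] != "icmp":
            continue
        if ipaddress.ip_address(rec["id.orig_h"]).version != 6:
            continue
        # Assumption: Bro stores the ICMP type in the id.orig_p column.
        flows.append((rec["id.orig_h"], rec["id.resp_h"], int(rec["id.orig_p"])))
    return flows


if __name__ == "__main__":
    for flow in icmpv6_flows(SAMPLE_CONN_LOG):
        print(*flow, sep="\t")
```
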

Licensed under: CC-BY-SA with attribution