tcpdump says "expression rejects all packets"

2

I want to create a filter which has 2 conditions:-

  1. Filter packets with network. (src net 2a01:111:xxxx::/44)
  2. Filter based on tcp handshake alert messages. (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15)

Both filters work individually but when combined together with:-

sudo tcpdump -s 1024 -v -ni any "(src net 2a01:111:xxxx::/44) and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x15)",

it fails with error:

tcpdump: expression rejects all packets.

I'm not sure how a logical AND of these 2 filters results in no packets getting filtered.

Abhijeet Rastogi

Posted 2019-10-14T18:49:47.560

Reputation: 2 801

Answers

2

tcpdump's filter syntax comes from libpcap, and libpcap's support for TCP-over-IPv6 is incomplete. So when you use the tcp keyword as the protocol for a square-bracket expression (like tcp[12]), it only applies to TCP-over-IPv4.

From deep within the pcap-filter(7) man page:

To access data inside the packet, use the following syntax:

proto [ expr : size ]

Proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer for the index operation. (ether, fddi, wlan, tr, ppp, slip and link all refer to the link layer. radio refers to the "radio header" added to some 802.11 captures.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future).

(emphasis mine)

Spiff

Posted 2019-10-14T18:49:47.560

Reputation: 84 656

Wow, that's unexpected, and as always, the man page has the answer. Thanks @Spiff for the answer. – Abhijeet Rastogi – 2019-10-14T19:20:42.340