What you want is

    ip6 and dst port 179

"ip6" is a primitive token in the filter language, and, for better or worse, if
you want to use a primitive as a string argument to something such as "proto",
you have to quote it, e.g.:

    tcpdump -d proto \\ip6 and dst port 179

(the double backslash is because it's an escape character in the shell command
language, so if you want a literal backslash passed to the command, you need to
say "\\").
Unfortunately, "ip6" isn't a valid argument to "proto":

    $ tcpdump -d proto \\ip6 and dst port 179
    tcpdump: unknown ip proto 'ip6'

"proto {XXX}" is short for "ip proto {XXX} or ip6 proto {XXX}" (or just "ip
proto {XXX}" in versions of libpcap that don't support IPv6), which means the
argument to "proto" must be a protocol running atop IP, e.g. "proto tcp" or
"proto udp". I'll fix the pcap-filter man page to document that.
The pcap-filter man page does say

    tcp, udp, icmp
        Abbreviations for:
            ip proto p or ip6 proto p
        where p is one of the above protocols.

but doesn't indicate that "proto tcp", "proto udp", and "proto icmp" work like
"tcp", "udp", and "icmp".
(Note that just "dst port 179" matches both IPv4 and IPv6 packets to or from
TCP or UDP port 179.)
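An added example, not part of the original message: a small Python model of which frames "dst port 179" and "ip6 and dst port 179" select, run over constructed frames. The function names are hypothetical, and the model assumes untagged Ethernet, TCP or UDP only (as the message states), and no IPv6 extension headers.

```python
import struct

ETH_IP4, ETH_IP6, TCP, UDP = 0x0800, 0x86DD, 6, 17

def parse(frame):
    """Return (family, ip_proto, dst_port or None) for an untagged Ethernet frame."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_IP4 and len(frame) >= 34:
        family, proto = "ip", frame[23]
        frag = struct.unpack_from("!H", frame, 20)[0] & 0x1FFF  # fragment offset
        off = 14 + (frame[14] & 0x0F) * 4                       # honour IHL
    elif ethertype == ETH_IP6 and len(frame) >= 54:
        # Assumption: only the fixed header's Next Header field is examined.
        family, proto, frag, off = "ip6", frame[20], 0, 54
    else:
        return None
    if proto not in (TCP, UDP) or frag or len(frame) < off + 4:
        return (family, proto, None)  # no port field to compare
    return (family, proto, struct.unpack_from("!H", frame, off + 2)[0])

def dst_port_179(frame):
    """Model of 'dst port 179': either IP version, TCP or UDP."""
    p = parse(frame)
    return p is not None and p[2] == 179

def ip6_and_dst_port_179(frame):
    """Model of 'ip6 and dst port 179'."""
    p = parse(frame)
    return p is not None and p[0] == "ip6" and p[2] == 179

# Constructed sample frames (all-zero addresses, source port 49152).
def eth(ethertype):
    return bytes(12) + struct.pack("!H", ethertype)

def ip4(proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(4), bytes(4))
    return eth(ETH_IP4) + hdr + payload

def ip6(nxt, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                      bytes(16), bytes(16))
    return eth(ETH_IP6) + hdr + payload

def l4(dport):
    return struct.pack("!HH", 49152, dport) + bytes(16)
```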