Wireshark-users: Re: [Wireshark-users] message about "ipv6 not supported"
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 17 Sep 2008 16:06:44 -0700

On Sep 17, 2008, at 10:53 AM, Rachel McConnell wrote:

My libpcap version:

cue:~ rachel$ sudo tcpdump --version
tcpdump version 3.9.7
libpcap version 0.9.4

Well, that's odd - maybe a security update introduced a new version of libpcap in Tiger, but the 10.4.11 machine I have here has 0.8.3.

What does "sw_vers" print on that machine? And what does the command "which tcpdump" print?

If 0.8.3 supports ipv6 then I assume 0.9.4 should as well.

They both "support" it in the sense that the libpcap 0.8.3 and 0.9.4 source code both include IPv6 support.

However, when libpcap is built, it can be built with, or without, IPv6 support - and, in all current releases of libpcap from tcpdump.org, "without" is the default, so, if somebody configures and builds libpcap, they have to enable IPv6 support when configuring it.

Apple does that in the libpcap it supplies. Other people might not do so.

cue:~ rachel$ sudo tcpdump -d ip6
Password:
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2    jf 3
(002) ret      #96
(003) ret      #0

I'm afraid I can make no sense of that output though.

It says IPv6 is supported in the version of libpcap that tcpdump is using; it would have reported "ip6 not supported" otherwise.

Where did you get your Wireshark installation from?

I have several versions of Wireshark from various places so it's not
impossible there are some peculiar dependency trails.  The version I
got working finally is a development version 1.1.0 that I downloaded
from SourceForge as a generic tarball (it was marked Platform
Independent) and built by hand.  (I tried the dmg, then a darwin ports
version, and both failed - I have more detail on this if it would be
helpful.)

If you built, by hand, the version that says

	Wireshark Version 1.1.0

Compiled with GTK+ 2.12.9, with GLib 2.16.5, with libpcap 0.9.8, with libz 1.2.3, without POSIX capabilities, without libpcre, without SMI, without c-ares, without ADNS, without Lua, without GnuTLS, without Gcrypt, with MIT Kerberos,
	without PortAudio, without AirPcap.
NOTE: this build doesn't support the "matches" operator for Wireshark filter
	syntax.

	Running on Darwin 8.11.1 (MacOS 10.4.11), with libpcap version 0.9.8.

it was *not* built with the same version of libpcap that tcpdump is using - it's using some other version.

The dmg from the Wireshark Web site won't work as it's Leopard-only; the one from SourceForge might have the same problem.

I can't speak for the DarwinPorts version, but it might have installed its own version of libpcap (to work around a botch in the way that Tiger handles monitor mode on AirPort adapters), and they might not have built their version of libpcap with IPv6 support.

What do

	ls /usr/lib/libpcap*

	ls /usr/local/lib/libpcap*

print on your machine?
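
Added example (not part of the original message and not libpcap's own code): the four-instruction filter that `tcpdump -d ip6` printed above, run by a tiny interpreter to show that it loads the 16-bit EtherType at offset 12 and keeps 96 bytes of the frame only when that value is 0x86dd (IPv6). The names `insn`, `run_filter` and `accept_len` are hypothetical, and the Ethernet frames are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Only the three classic-BPF operations that appear in the dump. */
enum op { LDH_ABS, JEQ_K, RET_K };
struct insn { enum op op; size_t jt, jf; uint32_t k; };

/* The program as printed by "tcpdump -d ip6"; jt/jf are the absolute
 * instruction indices shown in the dump. */
static const struct insn ip6_prog[] = {
    { LDH_ABS, 0, 0, 12 },     /* (000) ldh [12]                */
    { JEQ_K,   2, 3, 0x86dd }, /* (001) jeq #0x86dd  jt 2  jf 3 */
    { RET_K,   0, 0, 96 },     /* (002) ret #96                 */
    { RET_K,   0, 0, 0 },      /* (003) ret #0                  */
};

/* Returns how many bytes of the packet to keep; 0 means "no match". */
static uint32_t run_filter(const struct insn *p, size_t n,
                           const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                                  /* accumulator */
    for (size_t pc = 0; pc < n; ) {
        switch (p[pc].op) {
        case LDH_ABS:                                /* big-endian halfword load */
            if ((size_t)p[pc].k + 2 > len) return 0; /* frame too short: reject */
            a = ((uint32_t)pkt[p[pc].k] << 8) | pkt[p[pc].k + 1];
            pc++; break;
        case JEQ_K:
            pc = (a == p[pc].k) ? p[pc].jt : p[pc].jf;
            break;
        case RET_K: return p[pc].k;
        }
    }
    return 0;
}

/* Hypothetical helper: build a constructed Ethernet frame of frame_len
 * bytes (zeroed except for the EtherType at offset 12) and filter it. */
static uint32_t accept_len(uint16_t ethertype, size_t frame_len)
{
    uint8_t frame[64] = {0};
    if (frame_len > sizeof frame) frame_len = sizeof frame;
    frame[12] = (uint8_t)(ethertype >> 8);
    frame[13] = (uint8_t)(ethertype & 0xff);
    return run_filter(ip6_prog, sizeof ip6_prog / sizeof ip6_prog[0], frame, frame_len);
}

int main(void)
{
    printf("0x86dd -> %u, 0x0800 -> %u\n", (unsigned)accept_len(0x86dd, 60), (unsigned)accept_len(0x0800, 60));
    return 0;
}
```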