Suricata

protocol decoding¶

This is the easy part. the IPv6 packet is simply put inside the IPv4 packet via encapsulation. We may have a dedicated field before the IPv6 field but it will be enough to iterate other the block starting with 0x0 and to get the length of the block. Then jumping to the next block can be done. If it looks like an IPv6 header this is one!

protocol detection¶

This part is more tricky. The start of the exchange is made with a teredo-server. A negotiation is made and this lead to the choice by the teredo server of a teredo-relay (the real data are exchanged with the relay). A message is sent by toredo-server to indicate the teredo-relay params.
Then the teredo-client can send tunneled data to the teredo-relay.

I don't think using a match on 0x0 (0x0|0x1) is a sufficient criteria as there is too few bits. A possible detection method is to try to decode the protocol and if we found a IPv6 packet after a few jumps, we've won.

I attach a complete pcap (with data to relay) to the ticket.

I attach the patch against origin/master to the ticket. No configuration is needed to activate the decoding.

Merged, thanks Eric.

Can you also add teredo packet counter?

Counter merged as well, thanks Eric!