Monitoring IPv6 with Wireshark
New Dust with Old Brooms
Logging IPv6 Traffic with Wireshark
If you have some familiarity with Wireshark, you'll recognize the following features of the Wireshark GUI:
- Packet list: Displays each packet on a single line with some identifying parameters (for example, target IP address and protocol).
- Packet details: Log details for the selected packet.
- Packet bytes: The raw bytes of the marked packet.
The IPv6 traffic on the local network can be visualized with the following simple steps: First determine the default gateway address using ipconfig. Make a note of this address and start Wireshark logging now. Pinging the default gateway address gives you the IPv6 address of the default gateway. Then stop Wireshark logging and analyze the outgoing and incoming packets.
Outgoing IPv6 Traffic
The outgoing IPv6 traffic on the local network is visualized as follows: The upper part of the Wireshark packet list shows the logged packets. For example, if you are only looking for ICMPv6 traffic, you need to suppress any other IPv6 traffic. To display only ICMPv6 traffic, type icmpv6 (in lower case) in the filter field. Then select the first ICMPv6 packet or scroll down to find the first packet tagged Echo (Ping) Request. When you select this packet, Wireshark displays the specifics of the packet in the packet details. The packet is usually an IPv6 packet for Ethernet v2. The layer 2 Ethernet packet contains IPv6 and the ICMPv6 based on it.
Click on the Ethernet II tab to display the Ethernet details. In this case, the destination address in the Ethernet packet should match the MAC address of the default gateway. The sender address in the Ethernet packet should contain the MAC address of the sender of the ping message. The type field in the Ethernet packet contains the value 0x86dd. This value specifies that the following packet is an IPv6 datagram.
Click on the Internet Protocol Version tab to access the IPv6 details. The sender address in the IPv6 datagram should contain the IPv6 address of the ping message's sender, and the target address in the IPv6 datagram should match the IPv6 address of the default gateway.
Incoming IPv6 Traffic
The following steps are very similar to those for outgoing traffic analysis but differ in important details. You can analyze incoming IPv6 traffic on the LAN by first selecting the next ICMPv6 packet tagged Echo (ping) Reply from the Wireshark packet list. When you select this packet, the packet details provide the specifics of the packet. Here, too, the packet is usually an IPv6 packet for Ethernet v2, and the layer 2 Ethernet packet contains IPv6 and the ICMPv6 based on it.
Now click on the Ethernet II tab to display the Ethernet details. The target address in the Ethernet packet should contain the MAC address of the ping message's recipient, and the sender address in the Ethernet packet should match the MAC address of the default gateway. In this case, too, the type field in the Ethernet packet returns the value 0x86dd. This value tells us that the subsequent packet is an IPv6 datagram.
A click on the Internet Protocol Version tab reveals the IPv6 details. In this case, the sender address in the IPv6 datagram should match the IPv6 address of the default gateway and the destination address in the IPv6 datagram should contain the IPv6 address of the ping message's recipient.
You can either quit the analysis and discard the recorded data or save the data in a file.
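The checks from the outgoing and incoming walkthroughs above, as an added Python example (not code from the article): it decodes an Ethernet II frame, confirms the type field 0x86dd and the ICMPv6 echo type, and compares the MAC and IPv6 addresses against the default gateway. The addresses and frames are constructed samples, the function names are hypothetical, and frames with VLAN tags or IPv6 extension headers are assumed absent.

```python
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD              # type field value named in the article
NEXT_HEADER_ICMPV6 = 58              # IPv6 Next Header value for ICMPv6
ECHO_REQUEST, ECHO_REPLY = 128, 129  # ICMPv6 message types

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Decode Ethernet II / IPv6 / ICMPv6; return None for anything else."""
    if len(frame) < 14 + 40 + 4:
        return None  # too short for all three headers
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip6 = frame[14:54]
    if ethertype != ETHERTYPE_IPV6 or ip6[0] >> 4 != 6 or ip6[6] != NEXT_HEADER_ICMPV6:
        return None  # not IPv6, or extension headers present (not handled here)
    return {"eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
            "ip_src": str(ipaddress.IPv6Address(ip6[8:24])),
            "ip_dst": str(ipaddress.IPv6Address(ip6[24:40])),
            "icmp_type": frame[54]}

def check_ping(pkt, gw_mac, gw_ip):
    """Apply the article's expectations to one decoded echo packet."""
    if pkt is None:
        return "not ICMPv6 over Ethernet II"
    if pkt["icmp_type"] == ECHO_REQUEST:    # outgoing: addressed to the gateway
        ok = pkt["eth_dst"] == gw_mac and pkt["ip_dst"] == gw_ip
    elif pkt["icmp_type"] == ECHO_REPLY:    # incoming: sent by the gateway
        ok = pkt["eth_src"] == gw_mac and pkt["ip_src"] == gw_ip
    else:
        return "other ICMPv6 message"
    return "consistent" if ok else "MISMATCH"

def build(eth_dst, eth_src, ip_src, ip_dst, icmp_type):
    """Construct a sample frame (ICMPv6 checksum left at zero, not verified)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_HEADER_ICMPV6, 64)
    ip6 += ipaddress.IPv6Address(ip_src).packed + ipaddress.IPv6Address(ip_dst).packed
    macs = bytes.fromhex((eth_dst + eth_src).replace(":", ""))
    return macs + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp

# Constructed sample addresses: locally administered MACs, link-local IPv6
GW_MAC, GW_IP = "02:00:00:00:00:01", "fe80::1"
HOST_MAC, HOST_IP = "02:00:00:00:00:02", "fe80::2"
REQUEST = build(GW_MAC, HOST_MAC, HOST_IP, GW_IP, ECHO_REQUEST)
REPLY = build(HOST_MAC, GW_MAC, GW_IP, HOST_IP, ECHO_REPLY)
```

A reply that claims the gateway's IPv6 address but arrives from a different MAC address comes back as MISMATCH, which is the inconsistency the manual comparison in the packet details is meant to surface.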