Monitoring IPv6 with Wireshark

New Dust with Old Brooms

Logging IPv6 Traffic with Wireshark

If you have some familiarity with Wireshark, you'll recognize the following features of the Wireshark GUI:

  • Packet list: Displays each packet on a single line with a few identifying parameters (for example, destination IP address and protocol).
  • Packet details: The decoded protocol fields of the selected packet.
  • Packet bytes: The raw bytes of the selected packet.

The IPv6 traffic on the local network can be visualized in a few simple steps: First, determine the default gateway address with ipconfig and make a note of it. Start the Wireshark capture, then ping the default gateway address; the reply gives you the IPv6 address of the default gateway. Stop the Wireshark capture and analyze the outgoing and incoming packets.

Outgoing IPv6 Traffic

The outgoing IPv6 traffic on the local network is visualized as follows: The upper part of the Wireshark packet list shows the captured packets. If you are only interested in ICMPv6 traffic, you need to suppress all other IPv6 traffic: to display only ICMPv6 traffic, type icmpv6 (in lower case) in the filter field. Then select the first ICMPv6 packet, or scroll down to find the first packet tagged Echo (Ping) Request. When you select this packet, Wireshark displays its specifics in the packet details. The packet is usually an Ethernet II frame; this Ethernet frame (layer 2) carries an IPv6 datagram, on which the ICMPv6 message is based.

Click on the Ethernet II tab to display the Ethernet details. In this case, the destination address in the Ethernet packet should match the MAC address of the default gateway. The sender address in the Ethernet packet should contain the MAC address of the sender of the ping message. The type field in the Ethernet packet contains the value 0x86dd. This value specifies that the following packet is an IPv6 datagram.

Click on the Internet Protocol Version tab to access the IPv6 details. The sender address in the IPv6 datagram should contain the IPv6 address of the ping message's sender, and the target address in the IPv6 datagram should match the IPv6 address of the default gateway.

Incoming IPv6 Traffic

The following steps are very similar to those for outgoing traffic analysis but differ in important details. You can analyze incoming IPv6 traffic on the LAN by first selecting the next ICMPv6 packet tagged Echo (ping) Reply in the Wireshark packet list. When you select this packet, the packet details provide its specifics. In this case, too, the packet is usually an Ethernet II frame, and again the Ethernet frame of layer 2 carries an IPv6 datagram with the ICMPv6 message based on it.

Now click on the Ethernet II tab to display the Ethernet details. The target address in the Ethernet packet should contain the MAC address of the ping message's recipient. And the sender address in the Ethernet packet should match the MAC address of the default gateway. Also, in this case, the type field in the Ethernet packet returns the value 0x86dd. This value tells us that the subsequent packet is an IPv6 datagram.

A click on the Internet Protocol Version tab reveals the IPv6 details. In this case, the sender address in the IPv6 datagram should match the IPv6 address of the default gateway and the destination address in the IPv6 datagram should contain the IPv6 address of the ping message's recipient.
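The field checks described for the outgoing and incoming packets above can be reproduced outside the GUI by decoding the raw frame bytes yourself. The following is an added example, not code from the article or from Wireshark: it decodes an Ethernet II / IPv6 / ICMPv6 echo frame, verifies the EtherType 0x86dd, the IPv6 next header for ICMPv6 and the ICMPv6 checksum, and then applies the article's direction rules (a request carries the gateway's MAC and IPv6 address as destination, a reply carries them as source). The gateway and host addresses and the two frames are constructed for illustration; on a real capture you would feed it the bytes shown in the packet bytes pane.

```python
"""Decode an Ethernet II / IPv6 / ICMPv6 echo frame and check the same fields
the article inspects in Wireshark's packet details. Added example, not code
from the article or from Wireshark; the frames and the gateway addresses below
are constructed for illustration."""
import struct
from ipaddress import IPv6Address

ETHERTYPE_IPV6 = 0x86DD     # Ethernet II "Type" field value for IPv6
NEXT_HEADER_ICMPV6 = 58     # IPv6 "Next header" value for ICMPv6
ICMPV6_ECHO_REQUEST = 128   # ICMPv6 type shown as "Echo (ping) request"
ICMPV6_ECHO_REPLY = 129     # ICMPv6 type shown as "Echo (ping) reply"

# Assumed (constructed) addresses of the default gateway and of the pinging host.
GW_MAC, GW_IP = "00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"
HOST_MAC, HOST_IP = "66:77:88:99:aa:bb", "fe80::6477:88ff:fe99:aabb"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), NEXT_HEADER_ICMPV6)
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident=1, seq=1, payload=b"abcdefgh"):
    """Assemble a valid Ethernet II + IPv6 + ICMPv6 echo frame (used only to make sample input)."""
    src, dst = IPv6Address(src_ip).packed, IPv6Address(dst_ip).packed
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = icmpv6_checksum(src, dst, icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ip_hdr = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_HEADER_ICMPV6, 64) + src + dst
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV6) + ip_hdr + icmp


def parse_frame(frame: bytes) -> dict:
    """Return the Ethernet, IPv6 and ICMPv6 fields the article reads off the packet details pane."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6:
        raise ValueError(f"not an IPv6 datagram: EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", ip[:8])
    if first_word >> 28 != 6:
        raise ValueError(f"IP version {first_word >> 28}, expected 6")
    if len(ip) < 40 + payload_len:
        raise ValueError("IPv6 payload shorter than the header claims")
    src, dst = ip[8:24], ip[24:40]
    info = {
        "eth_dst": mac_str(dst_mac), "eth_src": mac_str(src_mac), "ethertype": ethertype,
        "ipv6_src": str(IPv6Address(src)), "ipv6_dst": str(IPv6Address(dst)),
        "next_header": next_header, "hop_limit": hop_limit,
        "icmpv6_type": None, "checksum_ok": None,
    }
    if next_header == NEXT_HEADER_ICMPV6 and payload_len >= 4:
        icmp = ip[40:40 + payload_len]
        info["icmpv6_type"] = icmp[0]
        # A correct checksum, summed together with the stored checksum field, yields zero.
        info["checksum_ok"] = icmpv6_checksum(src, dst, icmp) == 0
    return info


def classify_ping(info: dict, gw_mac: str, gw_ip: str) -> str:
    """Apply the article's direction checks: a request goes to the gateway's MAC and IPv6
    address, a reply comes from them; anything else is 'other'."""
    gw_ip = str(IPv6Address(gw_ip))
    if info["icmpv6_type"] == ICMPV6_ECHO_REQUEST and info["eth_dst"] == gw_mac and info["ipv6_dst"] == gw_ip:
        return "outgoing"
    if info["icmpv6_type"] == ICMPV6_ECHO_REPLY and info["eth_src"] == gw_mac and info["ipv6_src"] == gw_ip:
        return "incoming"
    return "other"


def demo() -> list:
    """Classify a constructed request/reply pair, as captured after pinging the gateway."""
    frames = [
        build_echo(HOST_MAC, GW_MAC, HOST_IP, GW_IP, ICMPV6_ECHO_REQUEST),
        build_echo(GW_MAC, HOST_MAC, GW_IP, HOST_IP, ICMPV6_ECHO_REPLY),
    ]
    return [classify_ping(parse_frame(f), GW_MAC, GW_IP) for f in frames]


if __name__ == "__main__":
    for label, direction in zip(("request", "reply"), demo()):
        print(f"{label}: {direction}")
```

The checksum verification is the one detail Wireshark shows that the article does not mention: a frame whose ICMPv6 checksum does not validate is flagged in the packet details, and the parser reports the same condition in checksum_ok.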

You can either quit the analysis and discard the recorded data or save the data in a file.
