IPV6 Wireshark

IPv6 in Wireshark
IPv6 in Wireshark
Jeffrey L Carrell
Network Conversions
Network Consultant
IPv6 SME/Trainer
jeff.carrell@teachmeipv6.com
Twitter: @JeffCarrell_v6
IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 1
IPv6 in Wireshark
• IPv6 – a bit more than basics
• Wireshark basics
• Wireshark color rules, display filters,
columns, configuration profiles, and
packet annotation
• IPv6 in Wireshark: hands-on labs
Copyright © 2016 Jeffrey L. Carrell 1

IPv6 in Wireshark
IPv6 – a bit more than basics

• Quick IPv6 history
• IPv6 Address basics
• IPv6 Address Autoconfiguration
• IPv6 in applications
IPv6 Brief History

• Fall 1992 – IPv4 addresses will run out someday
• Oct 1993 – DHCP – RFC 1531 – easier IPv4 address
management
• Dec 1993 – IPng – RFC 1550 – basic specification
for next version IP
• May 1994 – NAT – RFC 1631 – temporary solution
before IPng available
• Dec 1995 – RFC 1883 – Basic specifications of IPv6
• Feb 1996 – RFC 1918 – Private Iv4 addresses
• Dec 1998 – RFC 2460 – Full IPv6 defined
• May 2005 – RFC 3927 – APIPA (IPv4)

IPv6 in Wireshark
Comparing IPv4 & IPv6 Addresses

• IPv4 addresses 232 = 4,294,967,296
• IPv6 addresses 2128 =
340,282,366,920,938,463,463,374,607,431,768,211,456
• which is 340 undecillion
– 340 trillion trillion trillion
• 79,228,162,514,264,337,593,543,950,336 times
more v6 addresses than v4
• If IP addresses weighed one gram each:
• IPv4 = half the Empire State Building
• IPv6 = 56 billion earths
What is an IPv6 Address?

• IPv6 addresses are very different than IPv4
addresses in the size, numbering system, and
delimiter between the numbers
• 128bit -vs- 32bit
• colon-hexadecimal -vs- dotted-decimal
• colon and double colon -vs- period (or “dot” for the real
geeks)
Valid IPv6 addresses are comprised of hexadecimal
numbers (0-9 & a-f), with colons separating groups
of four numbers, with a total of eight groups
(each group is known as “quibble” or “hextet”)
• 2001:0db8:1010:61ab:f005:ba11:00da:11a5

IPv6 in Wireshark
IPv6 default for subnet

• Based on the default definition an IPv6 address is
logically divided into two parts: a 64-bit network
prefix and a 64-bit interface identifier (IID)
• Therefore, the default subnet size is /64
• 2001:0db8:1010:61ab:f005:ba11:00da:11a5/64
64bits for Network Identifier 64bits for Interface Identifier Prefix Length
• A single /64 network yields 18 billion-billion

possible addresses
IPv6 shorthand notation

Option 1 2001::a52:0:0:0:3d16
Consecutive Zeros Leading Zeros
2001:0000:0000:0a52:0000:0000:0000:3d16
Leading Zeros Consecutive Zeros
Option 2 2001:0:0:a52::3d16

IPv6 in Wireshark
Incorrect shorthand notation

2001:0000:0000:0a52:0000:0000:0000:3d16
Consecutive Zeros Consecutive Zeros

Leading
Zeros
2001::a52::3d16
How many bits are represented by each “::”?
Address types
Address Type IPv4 IPv6

Unicast Yes Yes
- One-to-one communication
Broadcast Yes No
- One-to-many communication local
Multicast Yes Yes

- One-to-many communication local/remote
Anycast Yes Yes

- One-to-many communication nearest

IPv6 in Wireshark
Address scopes
Address Scope IPv4 IPv6

Link-Local Yes Yes
- Not routable (is temp, APIPA)
Global Unicast Aka public Yes

- Routable to Internet
Unique Local Aka private

RFC 4193
- Routable only within domain RFC 1918
IPv4/IPv6 special addresses

Address Type IPv4 IPv6
Default Route 0.0.0.0/0 ::/0
Unspecified 0.0.0.0/32 ::/128
Loopback 127.0.0.1/8 ::1/128
Multicast 224.0.0.0/4 ff00::/8
Link-Local 169.254.0.0/16 fe80::/10
Global Unicast All others 2000::/3
10.0.0.0/8
Unique Local 172.16.0.0/12 fc00::/7
192.168.0.0/16
192.0.2.0/24
Documentation 198.51.100.0/24 2001:db8::/32
203.0.113.0/24

IPv6 in Wireshark
IPv6 well known multicast addresses

Address Description Scope
ff01::1 All nodes address Interface-local
ff02::1 All nodes address Link-local
ff01::2 All routers address Interface-local
ff02::2 All routers address Link-local
ff05::2 All routers address Site-local
ff02::4 DVMRP routers Link-local
ff02::5 OSPF drothers Link-local
ff02::6 OSPF designated routers Link-local
ff02::9 RIPng routers Link-local
ff02::a EIGRPv6 routers Link-local
ff02::d All PIM routers Link-local
ff02::16 ALL MLDv2 routers Link-local
ff02::1:2 DHCPv6 servers/agents Link-local
ff02::1:3 DHCPv6 servers/agents Site-local
ff02::1:ffxx:xxxx Solicited node address Link-local
Interface ID from MAC address

Company ID Manufacturer Data
00 19 71 64 3F 00 IEEE 48-Bit MAC Address
Expand to EUI-64
00 19 71 FF FE 64 3F 00 (IEEE Extended Unique ID)
0xFFFE inserted
00000000
00000010 7th bit inverted – Local/Global bit
02 19 71 FF FE 64 3F 00 Invert the Local/Global Bit
0219:71ff:fe64:3f00 Modified EUI-64

Interface ID

IPv6 in Wireshark
Interface ID from Random Number

• RFC4941 - Privacy Extensions for Stateless Address
Autoconfiguration in IPv6
• Initial IID is derived based on mathematical
computation to create a “random 64bit number”
and appended to prefix to create a GUA
• An additional but different 64bit number is
computed, appended to prefix, and tagged
“temporary” for a 2nd GUA
• Temporary GUA should be re-computed on a
frequent basis
• Temporary GUA is used as primary address for
communications, as it is considered “more secure”
Lifetime states of an IPv6 address

Valid
Tentative Preferred Deprecated Invalid

Time
Preferred Lifetime
Valid Lifetime
• Tentative – address is in process of verification for uniqueness and is

not yet available for regular communications
• Valid – address is valid for use in communication based on Preferred
and Deprecated status
• Preferred – address is usable for all communications
• Deprecated – address can still be used for existing sessions, but not
for new sessions
• Invalid – an address is no longer available for sending or receiving

IPv6 in Wireshark
Comparing IPv4 & IPv6

Neighbor Discovery Protocols
IPv4 IPv6
ARP Request Neighbor Solicitation
ARP Reply Neighbor Advertisement
Router Solicitation Router Solicitation
Router Advertisement Router Advertisement
Duplicate Address
Gratuitous ARP
Detection
ARP Cache Neighbor Cache
IPv6 Neighbor Discovery Protocol

• Neighbor Discovery Protocol (NDP) is
defined in RFC 4861
• NDP provides the following basic IPv6
functions per node
• Discover what link they are one
• Learn link prefix addresses
• Discover the on-link router
• Discover on-link neighbors
• Keep track of active neighbors

IPv6 in Wireshark
NDP ICMPv6 message types

• ICMPv6 type 133 - Router Solicitation (RS)
• ICMPv6 type 134 - Router Advertisement (RA)
• ICMPv6 type 135 - Neighbor Solicitation (NS)
• ICMPv6 type 136 - Neighbor Advertisement (NA)
Duplicate Address Detection (DAD)

• When a node initially assigns an IPv6 address to its
interface, it must check whether the selected
address is unique
• If unique, the address is configured on interface
• To verify uniqueness, the node sends a multicast

Neighbor Solicitation message with the:
• dest MAC of 33:33:<last 32bits of IPv6 mcast addr>
• dest IPv6 addr of ff02::1:ff<last 24bits of proposed
IPv6 addr>
• source IPv6 of “::” (IPv6 unspecified addr)

IPv6 in Wireshark
IPv6 autoconfiguration options

Address ICMPv6 ICMPv6 Prefix Interface ID Other # of
Autoconfiguration RA (Type 134) RA (Type 134) Derived Derived from Configuration IPv6
Method Flags ICMPv6 Option from Options Addr
M Flag O Flag Prefix Info
A Flag L Flag
Link-Local Internal M-EUI-64
N/A N/A N/A N/A Manual 1
(always configured) (fe80::) or Privacy
2
Manual Off Off Off On Manual Manual Manual (LL,
Manual)
3
M-EUI-64 (LL, IPv6,
SLAAC Off Off On On RA Manual
or Privacy IPv6
temp)
Stateful 2
On N/R Off On DHCPv6 DHCPv6 DHCPv6 (LL,
(DHCPv6) DHCPv6)
3
Stateless M-EUI-64 (LL, IPv6,
Off On On On RA DHCPv6
DHCPv6 or Privacy IPv6
temp)
M-EUI-64 4
Combination RA (LL, IPv6,
or Privacy
Stateless & On N/R On On and DHCPv6 IPv6
and temp,
DHCPv6 DHCPv6
DHCPv6 DHCPv6)
IPv6 address autoconfiguration

• Assigning an IPv6 address:
• Link-Local (automatically assigned when IPv6 is enabled)
– Based on prefix fe80::/10, assigned as fe80::/64
– Interface ID (64 bit host portion) derived from either:
– Modified IEEE EUI-64 format (RFC 4291)
– Derived from MAC address
– Privacy format (RFC 4941)
– Derived from random number generator
NOTE: Requires no routers, no DHCPv6 servers,

no additional network systems support

IPv6 in Wireshark
Link-Local address basics

• Each interface must have one (and only one)
link-local address (generally autoconfigured by OS)
• Can/may be same on any/all interfaces

• Zone ID or Scope ID is used to differentiate which
interface is to be used for outbound communications
• Zone ID is appended to link-local address when used
for outbound communications
ping fe80::22c:8a5c:12ab:370f%vlan1 - switch
ping fe80::22c:8a5c:12ab:370f%12 - Windows
ping fe80::22c:8a5c:12ab:370f%eth0 - Linux
^destination host to ping ^intf to go out
Link-Local address status (Win7)

Windows 7 example:
C:\>ipconfig /all |more
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 00-9C-02-8F-61-F4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a120:9e8f:ac0a:69b2%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.1.105(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
C:\>netsh int ipv6 show address interface=12
Address fe80::a120:9e8f:ac0a:69b2%12 Parameters

-----------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.12
Valid Lifetime : infinite
Preferred Lifetime : infinite

IPv6 in Wireshark
Link-Local neighbors (Win7)

• Windows 7 example:
C:\>netsh int ipv6 show neighbors interface=12
Interface 12: Local Area Connection

Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
2001:470:1f0f:ee7::1 00-09-0f-db-04-d3 Stale (Router)
fe80::209:fff:fedb:4d3 00-09-0f-db-04-d3 Stale (Router)
ff02::1 33-33-00-00-00-01 Permanent
ff02::2 33-33-00-00-00-02 Permanent
ff02::c 33-33-00-00-00-0c Permanent
ff02::16 33-33-00-00-00-16 Permanent
ff02::fb 33-33-00-00-00-fb Permanent
ff02::1:2 33-33-00-01-00-02 Permanent
ff02::1:3 33-33-00-01-00-03 Permanent
ff02::1:ff00:1 33-33-ff-00-00-01 Permanent
ff02::1:ff07:101 33-33-ff-07-01-01 Permanent
ff02::1:ff0a:69b2 33-33-ff-0a-69-b2 Permanent
ff02::1:ff15:d7a3 33-33-ff-15-d7-a3 Permanent
ff02::1:ffdb:4d3 33-33-ff-db-04-d3 Permanent
Link-Local usage (Win7)

• Windows 7 example:
C:\>ping fe80::209:fff:fedb:4d3%12
Pinging fe80::209:fff:fedb:4d3%12 with 32 bytes of data:

Reply from fe80::209:fff:fedb:4d3%12: time<1ms
Reply from fe80::209:fff:fedb:4d3%12: time<1ms

IPv6 in Wireshark
Link-Local address status (Mac)

• Mac OS X 10.9.1 example:
mac:~ jcarrell$ ifconfig -L en0
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu
1500
options=27<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
ether 00:23:32:c9:f3:c4
inet6 fe80::223:32ff:fec9:f3c4%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.199 netmask 0xffffff00 broadcast 192.168.1.255
inet6 2001:5c0:1506:ef00::119 prefixlen 64 pltime 138 vltime 251
nd6 options=1<PERFORMNUD>
media: autoselect (100baseTX <full-duplex,flow-control>)
status: active
Link-Local neighbors (Mac)

mac:~ jcarrell$ ndp -an - show IPv6 neighbors
Neighbor Linklayer Address Netif Expire St Flgs Prbs
2001:5c0:1506:ef00::119 0:23:32:c9:f3:c4 en0 permanent R
fe80::1%lo0 (incomplete) lo0 permanent R
fe80::223:32ff:fec9:f3c4%en0 0:23:32:c9:f3:c4 en0 permanent R
fe80::a00:27ff:fe3f:556e%en0 8:0:27:3f:55:6e en0 2s R R

IPv6 in Wireshark
Link-Local usage (Mac)

mac:~ jcarrell$ ping6 fe80::a00:27ff:fe3f:556e%en0
PING6(56=40+8+8 bytes) fe80::223:32ff:fec9:f3c4%en0 -->
fe80::a00:27ff:fe3f:556e%en0
16 bytes from fe80::a00:27ff:fe3f:556e%en0, icmp_seq=0 hlim=64 time=0.366 ms
16 bytes from fe80::a00:27ff:fe3f:556e%en0, icmp_seq=1 hlim=64 time=0.630 ms
^C
--- fe80::a00:27ff:fe3f:556e%en0 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.366/0.498/0.630/0.120 ms
mac:~ jcarrell$ ping6 fe80::a00:27ff:fe3f:556e

PING6(56=40+8+8 bytes) fe80::223:32ff:fec9:f3c4%en0 -->
fe80::a00:27ff:fe3f:556e
ping6: sendmsg: No route to host
ping6: wrote fe80::a00:27ff:fe3f:556e 16 chars, ret=-1
Link-Local address status (HP)

• HP ProVision Layer3 switch example:
HP3500# show ipv6
Internet (IPv6) Service
IPv6 Routing : Enabled

ND DAD : Enabled
DAD Attempts : 3
VLAN Interfaces
Interface Name : vl2-client-vlan
IPv6 Status : Enabled
Layer 3 Status : Enabled
Address | Address
Origin | IPv6 Address/Prefix Length Status
---------- + ------------------------------------------- -----------
manual | 2001:470:c9:1692::f254/64 preferred
manual | fe80::9/64 preferred

IPv6 in Wireshark
Link-Local usage (HP)

• HP ProVision Layer3 switch example:
HP3500# show ipv6 neighbors
IPv6 ND Cache Entries

IPv6 Address MAC Address State Type Port
--------------------------------------- ------------- ----- ------- ----
fe80::2cab:3680:143d:603a%vlan2 000c29-34478a STALE dynamic 8
2001:470:56:1ff9::1 4001c6-a6aa81 REACH dynamic 1
HP3500# ping6 fe80::2cab:3680:143d:603a%vlan2

fe80::2cab:3680:143d:603a is alive, time = 5 ms
HP3500# ping6 fe80::2cab:3680:143d:603a [I did not supply vlan-id,

I simply pressed <ENTER>]
Specified address must include an interface scope. For example, to specify
the link-local address "fe80::1" on VLAN 1, use: fe80::1%vlan1.
Link-Local address status (Cisco)

• Cisco Layer3 switch example:
Cisco3750#show ipv6 interface vlan 2
Vlan2 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::5
Global unicast address(es):
2001:470:56:1652::F254, subnet is 2001:470:56:1652::/64
Joined group address(es):
FF02::1
FF02::2
FF02::5
FF02::6
FF02::1:2
FF02::1:FF00:5
FF02::1:FF00:F254
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1

IPv6 in Wireshark
Link-Local usage (Cisco)

• Cisco Layer3 switch example:
Cisco3750#show ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface

FE80::250E:BB04:9D92:370E 0 000c.2997.60e8 STALE Vl2
2001:470:56:1652::102 1 000c.2997.60e8 STALE Vl2
FE80::F254 0 4001.c6a6.aa81 STALE Vl1
Cisco3750#ping ipv6 fe80::250e:bb04:9d92:370e

Output Interface: vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::250E:BB04:9D92:370E, timeout is 2
seconds:
Packet sent with a source address of FE80::5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Cisco3750#ping ipv6 fe80::250e:bb04:9d92:370e

Output Interface: [I did not supply vlan-id, I simply pressed <ENTER>]
% Interface required

(DNS, domain,
M Flag O Flag Prefix Info time, tftp, etc)
A Flag L Flag Derived via
2
Manual)
3
M-EUI-64 (LL, IPv6,
or Privacy IPv6
temp)
Stateful 2
(DHCPv6) DHCPv6)
3
temp)
M-EUI-64 4
or Privacy
and temp,
DHCPv6 DHCPv6
DHCPv6 DHCPv6)

IPv6 in Wireshark

• SLAAC (Stateless address autoconfiguration), generally a /64
– Uses prefix information from Router Advertisement
– Generally creates 2 global addresses
– Cryptographically generated (RFC 3971 & 3972)
– Secure/unique interface ID
IPv6 SLAAC process

• A node sends a multicast Router Solicitation message to
the “all-routers” address ff02::2
• Router(s) respond with Router Advertisement message
containing A & L flags “on” and prefix(es) for stateless
autoconfiguration
• The node configures its own IPv6 address(es) with the
advertised prefix(es), plus a locally-generated Interface
ID
• Node checks whether the selected address(es) is(are)
unique (Duplicate Address Detection)
• If unique, the address(es) is(are) configured on interface
• Note – no DNS automatically configured

IPv6 in Wireshark
ICMPv6 - Router Advertisement

• Router Advertisement (RA) [key components]
• M flag – managed address configuration flag
(for stateful (DHCPv6) autoconfig)
• O flag – other configuration flag
(for stateless DHCPv6 autoconfig)
• Prf flag – router preference flag (ska priority)
• Router Lifetime – lifetime associated with the default router
• Prefix Length – number of bits in the prefix
• A flag – autonomous address-configuration flag (for SLAAC)
• L flag – on-link flag
• Valid Lifetime – length of time the address is valid for use in
preferred and deprecated states
• Preferred Lifetime – length of time the address is valid for
new communications
• Prefix – IPv6 address prefix
IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell
– For additional info, see RFC 4861 37
Router Advertisement packet (Stateless)

IPv6 in Wireshark

(DNS, domain,
2
Manual)
3
M-EUI-64 (LL, IPv6,
or Privacy IPv6
temp)
Stateful 2
(DHCPv6) DHCPv6)
3
temp)
M-EUI-64 4
or Privacy
and temp,
DHCPv6 DHCPv6
DHCPv6 DHCPv6)

• Stateful (DHCPv6), generally a /64
– DHCPv6 (RFC 3315)
– Uses prefix information defined in scope
– Interface ID (64 bit host portion) derived from scope
pool
– Reply includes “other” information
– DNS, domain, time server, tftp or download server, etc

IPv6 in Wireshark
IPv6 Stateful (DHCPv6) process

• A node sends a multicast Router Solicitation message to the
“all-routers” address ff02::2
containing M flag for stateful autoconfiguration
• The node sends a multicast Solicit message to the
“all-DHCP relay agents and servers” address ff02::1:2
• DHCPv6 server(s) responds with Advertise message(s)
containing IPv6 address and lifetimes
• The node sends a Request message to confirm and seeking
other information
• DHCPv6 server responds with Reply message
• Node checks whether the selected address is unique
(Duplicate Address Detection)
IPv6 Stateful (DHCPv6) process
• DHCPv6Solicit = DHCPDiscover (IPv4)
• DHCPv6Advertise = DHCPOffer (IPv4)
• DHCPv6Request = DHCPRequest (IPv4)
• DHCPv6Reply = DHCPAck (IPv4)

IPv6 in Wireshark

new communications
Router Advertisement packet (Stateful/DHCPv6)

IPv6 in Wireshark
Key difference in DHCP/DHCPv6

• Default gateway
• DHCP – configurable Router option in scope
• DHCPv6 – no configurable Router option in scope
(possible future, but no client OS support yet)
• An IPv6 node derives its default gateway from the

router’s Link-Local address when the L flag is set in
the Prefix information field of an RA
(! not from the network prefix !)
W2K8-R2 DHCPv6 server operation

IPv6 in Wireshark
DHCPv6 Unique Identifier - DUID

• Each DHCPv6 client and server has a DUID
• DHCPv6 servers use DUIDs to identify
clients for the selection of configuration
parameters and in the association of IAs
with clients
• DHCPv6 clients use DUIDs to identify a
server in messages where a server needs to
be identified
(ref RFC 3315)

Cloning clients and DUID

• When a client machine is cloned, all the
clones have the same DUID
• When 2 clients with the same DUID request
an IPv6 address, the DHCPv6 server
provides the same address to both clients
• When the 2nd client performs DAD, it
detects an IPv6 address conflict, and will
not go “on link”

IPv6 in Wireshark
Cloning clients and DUID

• For cloned Microsoft Windows clients, the DUID is
in the Windows Registry and can be removed with
a manual operation (regedit)
• This should be done before creating a clone, so that
when the clones clients are booted, new and
unique DUIDs will be created
• reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /f /v Dhcpv6DUID

(DNS, domain,
2
Manual)
3
M-EUI-64 (LL, IPv6,
or Privacy IPv6
temp)
Stateful 2
(DHCPv6) DHCPv6)
3
temp)
M-EUI-64 4
or Privacy
and temp,
DHCPv6 DHCPv6
DHCPv6 DHCPv6)

IPv6 in Wireshark

• Stateless DHCPv6
– Uses prefix information from Router Advertisement
– Cryptographically generated (RFC 3971 & 3972)
– Secure/unique interface ID
– Uses DHCPv6 for “other” information
– DNS, domain, time server, tftp or download server, etc
IPv6 Stateless DHCPv6 process

• A node sends a multicast Router Solicitation message to the
“all-routers” address ff02::2
containing A & L flags “on” and prefix(es), and O flag “on” for
stateless DHCPv6 autoconfiguration
• The node configures its own IPv6 address(es) with the
advertised prefix(es), plus a locally-generated Interface ID
• The node sends a multicast Information-Request message to
the “all-DHCP relay agents and servers” address ff02::1:2
• DHCPv6 server responds with Reply message
• Node checks whether the selected address is unique (Duplicate
Address Detection)

IPv6 in Wireshark

new communications
Router Advertisement packet (Stateless/DHCPv6)

IPv6 in Wireshark

(DNS, domain,
2
Manual)
3
M-EUI-64 (LL, IPv6,
or Privacy IPv6
temp)
Stateful 2
(DHCPv6) DHCPv6)
3
temp)
M-EUI-64 4
or Privacy
and temp,
DHCPv6 DHCPv6
DHCPv6 DHCPv6)
Combination Stateless and DHCPv6

• This is typically an undesired configuration
• Generally a result of enabling RA flags for one type
of address autoconfiguration requirement, and not
disabling other flags not required
• Result is too many/unwanted IPv6 GUA’s
• SLAAC – up to two possible GUA’s
• Stateful (DHCPv6) – one GUA
• Even a manual configured GUA
Remember, if there is a “Temporary” GUA,

it will be used for outbound communications

IPv6 in Wireshark

(DNS, domain,
2
Manual)
3
M-EUI-64 (LL, IPv6,
or Privacy IPv6
temp)
Stateful 2
(DHCPv6) DHCPv6)
3
temp)
M-EUI-64 4
or Privacy
and temp,
DHCPv6 DHCPv6
DHCPv6 DHCPv6)
Manual configured IPv6 addresses

• In Windows operating systems (server and client), does
not over-ride DHCPv6 functions (like it does in IPv4)
• If don’t want SLAAC or DHCPv6 addresses on network
segment, must disable A, M, and O flags in RA
• Do not need to configure default gateway, but can
• Remember, how does an IPv6 node derive a router ???
• May be able to manually configure Link-local address,

handy for routers so configuration is “portable”
• Generally not possible on client OSs

IPv6 in Wireshark
IPv6 notation in URL
IPv6 Characters URL Characters
https://[2001:0:0:a52::3d16]:5678/webpage.html
Enclose IPv6 Address in Optional Port ID

Square Brackets
For additional info, see RFC 5952
IPv6 GUA in URL

IPv6 in Wireshark
IPv6 Link-local in URL

• http://[fe80::f254%2511]
• fe80::f254 is destination, %11 is the outbound interface –
but specified as %2511 where the %25 is hex converted to
the % symbol
Note, this does not work in all browsers
Telnet/SSH over IPv6

IPv6 in Wireshark
Telnet/SSH over IPv6

group05-NetIron#show telnet
Console connections:
established, privilege super-user
you are connecting to this session
4 seconds in idle
Telnet server status: Enabled
Telnet connections (inbound):
1 established, client ip6 address
2001:470:1f0f:ee7::7:100, privilege super-user
using vrf default-vrf.
TFTP over IPv6

group05-NetIron#copy running-config tftp ipv6
2001:470:ba04:1652::102 group05.cfg

IPv6 in Wireshark
RDP over IPv6
IPv6 and DNS

• Bind forward and reverse resolution
; 4to6labs.com Dumped
<snip>
www.4to6labs.com. 3600 IN AAAA 2607:f2f8:a6d0:0:0:0:0:2
; 0.0.0.0.0.d.6.a.8.f.2.f.7.0.6.2.ip6.arpa Dumped ;
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.6.a.8.f.2.f.7.0.6.2.ip6.arpa.
86400 IN PTR www.4to6labs.com.

IPv6 in Wireshark
Wireshark
• Wireshark basics
• Wireshark
• color rules
• display filters
• columns
• configuration profiles
• packet annotation
• Wireshark labs!!!
Wireshark main view

1. Title bar — trace file name or
capture device name
2. Main menu — standard menu
3. Main toolbar — quick access
4. Display filter area — reduce
the amount of traffic you see
5. Packet List pane — summary
of each frame
6. Packet Details pane —
dissected frames
7. Packet Bytes pane — hex and
ASCII details
8. Status Bar — access to the
Expert, annotations, file
location, packet counts, and
profiles

IPv6 in Wireshark
Jeff’s IPv6 Wireshark
Coloring rules
• Colors help you focus on specific address,

protocols, events, and possibly find errors quickly

IPv6 in Wireshark
Color rule processing order
• Color rules read like a router ACL or firewall rule

• First color rule that matches wins
Color rule creation

2 3

IPv6 in Wireshark
Using Wireshark to view IPv6 pkts

• IPv6 display filter families
• ipv6
• icmpv6
• dhcpv6
• IPv6 related display filters:
• http://www.wireshark.org/docs/dfref/i/ipv6.html
Display filters – option 1
• The Filter bar will change colors as you type to signify correct
syntax for the filter
• Green – syntax is correct
• Red – syntax is incorrect
• Yellow – syntax is suspect
• The Filter dropdown will show last 10 filters used
• You can save Filter definitions for frequent use

IPv6 in Wireshark
Display filters – option 2
• In the Packet Details view, right-click on a specific field to

build a filter
Using Wireshark to view IPv6 pkts

IPv6 in Wireshark
Columns
• Right-click column
headings to rename,
• In the Packet Details view, right- align, etc
click on a specific field to Apply
as Column
Configuration profiles
• What they are
• Why/how you use
them
• What they contain
• How to share

IPv6 in Wireshark
Packet annotation
• Right click packet, select Packet Comment

Packet annotation

IPv6 in Wireshark
Wireshark demo #1 – watch me
Time for a Demo ☺
Wireshark demo #2 – follow me

• Open:
“1_Troopers2016_IPv6-in-Wireshark-
workshop.pcapng”
• Watch and follow me on this one
– Telnet
– SSH
– HTTP
– DNS
• Now it’s your turn…next slide please


IPv6 in Wireshark
Wireshark lab #1
• Create your own named profile
• Add delta time column
• Change time/date to time (only) and
in milliseconds
• Create/save pkt_comment filter
• Turn off Packet Bytes
Wireshark lab #2
• Find 1st pkt with dns.qry.name ==
"www.ipv6sandbox.com"
• make a note as to which pkt this is _____
• Find 1st pkt with AAAA DNS query response

for www.ipv6sandbox.com
• make a note as to which pkt this is _____
• what is the IPv6 address in the answer
section _________________________

IPv6 in Wireshark
Wireshark lab #3
• Find pkt with http.host ==
"www.ipv6sandbox.com"
• make a note as to which pkt this is ______
• Find v6 pkt with http.response.code == 200

• Find pkt with comment of 'this is the secret

pkt with the most important comment!‘
Wireshark lab #4 – IPv6-RA

• Inspect RA packets
• configure a display filter as
icmpv6.type == 134
• select an RA pkt, which flags are set to “1”:
M ___ O ____ L ____ A ____
• which IPv6 address autoconfiguration option
is this RA configured for?
SLAAC __ Stateful(DHCPv6) __ Stateless DHCPv6 __

IPv6 in Wireshark
Wireshark lab #5 – DHCPv6

• Inspect DHCPv6 packets
• configure a display filter as “dhcpv6”
• pick a specific client
• find the first of each of its DHCPv6 process pkts
– what is the dhcpv6 server’s v6 addr?
_______________________________
– what are the pkt numbers for:
Solicit ____ Advertise ____ Request ____ Reply ____
• what v6 addr did the client get assigned?
_______________________________
Wireshark demo #3 –
troubleshooting
• How to find rogue IPv6 routers
• icmpv6.type == 134
– look for more RA sources than you
expect to see
• How to find rogue DHCPv6 servers
• dhcpv6.msgtype == 2
– look for more DHCPv6 Advertisement
sources than you expect to see

IPv6 in Wireshark
Wireshark Labs 6 & 7 file

• Open:
“2_Troopers2016_IPv6-in-Wireshark-
workshop.pcapng”
• Now it’s your turn…next slide please
Wireshark lab #6 – rogue router?

• Inspect RA packets
• configure a display filter as
icmpv6.type == 134
• How many IPv6 routers do you see? _____
• What are the prefixes that they are
advertising?
• Which one do you think is not right (a
rogue)?
• Next slide

IPv6 in Wireshark
Wireshark lab #6 – rogue router

• You will be configuring a specific display
filter to view a portion of an IPv6 prefix
which contains “2bad” in the 4th hextet. It
has previously been determined that this
configuration of a network prefix is not
correct for this network
• ipv6.src[6:2] == 2b:ad
– 2001:db8:74c:2bad
• Next slide
Wireshark lab #6 – bad prefix

• In pkt 1915, the client attempts to ping a
valid IPv6 address for google.com.
• How did it know that was the correct address?
• Did the DNS reply back to the client on IPv6?
• What is happening,why does it look like it is

working – kinda????

IPv6 in Wireshark
Wireshark lab #7 – Did

you see that
• Look for all clients sending AAAA query.
Scroll through the list and view both IPv4
and IPv6 clients making and replying to
these queries. Specifically view if any IPv6
clients are making AAAA queries
– dns.qry.type == 28
–Do you see something interesting, if so,
what was it? _________________
IPv6 Essentials Cheat Sheet

http://teachmeipv6.com/IPv6-Essentials-Cheat-Sheet.pdf
IPv6 Essentials Cheat Sheet v1.7
IPv6 Addressing IPv6 Address Shorthand Notation
Address Ty pe IPv6 Nota tion Binary Prefix 2001:0db8:0006:1ab5:0000:0000:0000:ba11
Unspecified ::/128 0000...0 (12 8 bits) remove leading zeros to achieve
Loop bac k ::1/128 0000...1 (12 8 bits) 2001:db8:6:1ab5:0:0:0:ba11
additional reduction by replacing conse cutive field s of zeros with
Multicast ff00::/8 1111 1111 xx xx x xxx
double-colon “::” optio n (can only be done once) to achieve
Link-Local fe80::/10 1111 1110 1000 0000 2001:db8:6:1ab5::ba11
Globa l Unicas t (GUA) 20 00::/3 001x x xxx xxxx xxxx
Unique Local (ULA) fc00::/7 1111 110x xxxx x xxx IPv6 Header
6to4 (tunnel) 2002::/16 Version (4) Traffic Class (8) Flow Label (20)
Te redo (tunnel) 20 01:0000::/32 Pay load Length (16 ) Next Heade r (8) Hop Limit (8)
IPv4-Mapped IPv6 0:0:0:0:0:ffff:a.b.c.d Source Address (128)
NAT64 64:ff9b::/96 Destination Address (128)
Documenta tion 2001:0db8::/32 Version : IP version number, 6 for IPv6
Tra ffic Class : Similar to IPv4 ToS field. Used by nodes to iden tify and
Well Known Multicast Addresses distinguish betwee n different cla sses or prio rities of IPv6 packets
Address Description Scope Flow label : Use d by a source to label sequences o f packets for which it
requests special ha ndling by the IPv6 ro uters
ff01::1 All Nodes Address Interfa ce-local
Paylo ad Len gth : Le ngth of the IPv6 payload (ma y also include
ff02::1 All Nodes Address Link-loca l extension headers)
ff01::2 All Route rs Address Interfa ce-local Next Header : Identifies the type of head er following the IPv6 head er
Hop Limit : Decremented by 1 by every router th at fo rwards th e packet
ff02::2 All Route rs Address Link-loca l Source Address : IPv6 address of the originator o f the packet, will be a
ff05::2 All Route rs Address Site-local un icast address
Destination Addre ss : IPv6 address of the intend ed recipient or final
ff02::4 DVMRP Route rs Link-loca l de stination of the packe t, can b e unica st or multicast addre ss
ff02::5 OSPF IGP Drothers Link-loca l
ff02::6 OSPF IGP DRs Link-loca l Interface ID from MAC Address
ff02::9 RIPng Routers Link-loca l
00 18 41 23 6a 32 IEEE 48-bit MAC Address
ff02::a EIGRPv6 Routers Link-loca l
ff02::c Microsoft SSDP Link-loca l
00 18 41 23 6a 32 Expan ded to EUI-64
ff02::d All PIM Routers Link-loca l
ff02::12 VRRPv3 Link-loca l 00000000 ff fe 0xfffe inserted
ff02::16 All MLDv2 Routers Link-loca l
ff02 ::1:2 DHCPv6 Servers/Agents Link-loca l 00000010 Invert 7 th bit of 1 st Byte, known as the universa l/local bit
ff05 ::1:3 DHCPv6 Servers/Agents Site-local
02 18 41 ff fe 23 6a 32
ff0x::10 1 Network Time Protocol Varia ble
ff02::1:ffxx:xxxx Solicited-Node Address Link-loca l 0218:41ff:fe23:6a32 Mo dified EUI-64 Interface ID
ICMPv6 Message Types IPv6 Next Header Fields IPv6 Address Types
(Extension Headers)
128 Echo Request Link-Local – Automatica lly assign ed per inte rface, not
0 IPv6 Hop-byHop Option
129 Echo Reply routab le
41 IPv6 en cap sulation Globa l Unicas t Address (GUA) – Assigned by SLAAC,
130 Multicast Listener Query Stateful (DHCPv6), or manual, ro utab le to Internet
43 Routing Header fo r IPv6
131 Multicast L is te ner Report Unique Local Address (ULA) – Assig ned by SLAAC,
44 Fra gment Header for IPv6
Stateful (DHCPv6), or manual, not routable to Internet, is
132 Multic ast Listener Done
50 Encap Security Pay lo ad (ESP) routab le with in enterprise (like private a ddress)
133 Router Solicitation
51 Authentication Header (AH)
134 Router Advertisement Unicas t – one-to-one (link-local, unique local, glo bal)
59 No Next Header fo r IPv6 Anycast – one-to-nearest (allocated fro m Unicast)
135 Neighbor Solicitation Multic ast – one-to-ma ny (also replaces broadcast)
60 Destination Options for IPv6
136 Neighbor Advertisement
137 Redirec t Message Wireshark Display Filters for IPv6 IPv6 Neighbor Discovery Protocol
138 Route r Renumbering ipv6 – all IPv6 traffic Neighbor Solicitation (NS) – Neighbor
139 ICMP Node Information Qu ery address resolution (similar to IPv4 ARP)
icmpv6 – all IPv6 ICMPv6 traffic
Neighbor Adve rtisement (NA) – Response
140 ICMP Node Info rmation Response dhcpv6 – all DHCPv6 traffic to Ne igh bor Solicitation requests
143 Multicast Listener Report (MLDv2) icmpv6.type == 133 – all route r solicitations Route r Solicitation (RS) – Sent by nodes
icmpv6.type == 134 – all route r advertiseme nts “loo king” for IPv6 ro uters on-link
144 Home Ag ent Discovery Request
Route r Advertisements (RA) – Sen t
icmpv6.type == 135 – all neighbor solicitations
145 Home Agent Disco very Reply periodically by route rs and in respo nse to RS
icmpv6.type == 136 – all neighbor advertisements Duplicate Add ress De tection (DAD) – Sent
146 Mobile Prefix Solic itation
icmpv6.type == 137 – all redirect messages to own Solicited-Node Multicast Address
147 Mobile Prefix Advertisement
www.teachmeipv6.com jeff.carrell@teachmeipv6.com IPv6 Essentials Cheat Sheet v1.7 © 2015 Jeffrey L. Carrell

IPv6 in Wireshark
Resources
Resources

IPv6 in Wireshark
Resources
Resources

IPv6 in Wireshark
Resources
Resources

IPv6 in Wireshark
Thank You for Attending!
• jeff.carrell@teachmeipv6.com
• Twitter: @JeffCarrell_v6

IPV6 Wireshark

Uploaded by

Copyright:

Available Formats

IPV6 Wireshark

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IPV6 Wireshark

Uploaded by

Copyright:

Available Formats

IPv6 in Wireshark

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 2

Copyright © 2016 Jeffrey L. Carrell 1

IPv6 – a bit more than basics

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 3

IPv6 Brief History

Copyright © 2016 Jeffrey L. Carrell 2

Comparing IPv4 & IPv6 Addresses

What is an IPv6 Address?

Copyright © 2016 Jeffrey L. Carrell 3

IPv6 default for subnet

• A single /64 network yields 18 billion-billion

IPv6 shorthand notation

Consecutive Zeros Leading Zeros

Leading Zeros Consecutive Zeros

Copyright © 2016 Jeffrey L. Carrell 4

Incorrect shorthand notation

Consecutive Zeros Consecutive Zeros

How many bits are represented by each “::”?

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 9

Address Type IPv4 IPv6

Multicast Yes Yes

Anycast Yes Yes

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 10

Copyright © 2016 Jeffrey L. Carrell 5

Address Scope IPv4 IPv6

Global Unicast Aka public Yes

Unique Local Aka private

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 11

IPv4/IPv6 special addresses

Copyright © 2016 Jeffrey L. Carrell 6

IPv6 well known multicast addresses

Interface ID from MAC address

00 19 71 64 3F 00 IEEE 48-Bit MAC Address

02 19 71 FF FE 64 3F 00 Invert the Local/Global Bit

0219:71ff:fe64:3f00 Modified EUI-64

Copyright © 2016 Jeffrey L. Carrell 7

Interface ID from Random Number

Lifetime states of an IPv6 address

Tentative Preferred Deprecated Invalid

• Tentative – address is in process of verification for uniqueness and is

Copyright © 2016 Jeffrey L. Carrell 8

Comparing IPv4 & IPv6

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 17

IPv6 Neighbor Discovery Protocol

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 18

Copyright © 2016 Jeffrey L. Carrell 9

NDP ICMPv6 message types

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 19

Duplicate Address Detection (DAD)

• To verify uniqueness, the node sends a multicast

Copyright © 2016 Jeffrey L. Carrell 10

IPv6 autoconfiguration options

IPv6 address autoconfiguration

NOTE: Requires no routers, no DHCPv6 servers,

IPv6 in Wireshark v1.5 - Copyright © 2016 Jeffrey L. Carrell 22

Copyright © 2016 Jeffrey L. Carrell 11

Link-Local address basics

• Can/may be same on any/all interfaces

Link-Local address status (Win7)