by Craig Miller
|Seeing packets on the wire|
Last month I wrote of tools which are useful in discovering IPv6 hosts, and prefixes on your network (see Tools of the Trade). In this post, I'd like to cover two more tools in more detail. I think of them as the X-Ray Vision tools for your network,
What is there to see?
Both of these tools will allow you to see the individual packets that are flowing on your network. Each has a protocol decoder which will present the packet in an easily human readable format. Through the decoding, you will see the ethernet header followed by the IP header, followed by the UDP or TCP header (in Scapy format: /Ethernet/IPv6/TCP).
With this information, you will be able to see check the EtherType field is correct (86DD for IPv6) or the actual source IPv6 address of a packet. For example, remember that IPv6 hosts have multiple IPv6 addresses, and it may not be clear from the outset which address the stack has selected as its source address.
tcpdumpis the oldest, and dates back to 1987. Therefore it takes a little learning to get used to it, but the efforts will quickly pay off. Although
tcpdumpwas initially just for troubleshooting TCP packets, it has long since been expanded to be a full fledged protocol decoder.
It is CLI-based, and therefore can be run on the far end of a ssh connection, making long distance troubleshooting possible, by actually seeing the packets flowing in a remote network half a globe away.
wiresharkis a GUI (Graphical User Interface) tool which grew out of the need for an open source alternative to the very expensive Network Associates Sniffer products in the 1990s. It runs on most OSs such as Windows, Linux, and MacOS X. For those who have used wireshark for sometime, you will remember than the original name was
ethereal. It has virtually replaced all the closed source protocol decoder tools, and has a very active development community.
As with any GUI-based tool, it is easier to use, with familiar menus, and easy capture start and stop buttons. Drilling down on individual packets is also quite straight forward as it uses a familiar hierarchical approach to headers (e.g. clicking the '+' displays the detail of the header).
But being GUI-based is a double-edged sword, easier to use, but harder to run when debugging a network on the other side of the globe.
Tying the two together
But one doesn't have to choose between the two. Each will read a previously saved capture file, typically in pcap format. Therefore it is possible to use
tcpdumpto capture on a distant network, and send the pcap file back to a local machine to be displayed with
wireshark. Of course, this can get tedious if repeated more than a few times.
tcpdumpsave the capture to a file use the
-woption. The following will capture 100 packets from interface
eth0to the file
tcpdump -c 100 -i eth0 -w mycap.pcap
mycap.pcapfile back to your local machine, you can view it with
wiresharkby just specifying the filename on the command line (or use the File->Open menu).
And there your remote network traffic will be displayed in all its protocol decoded glory!
Drinking from a firehose
You will quickly discover that unless you are on a small test network, you will quickly be overrun by the shear amount of packets. Like trying to find a needle in a haystack, without some sort of filter, finding the real packets of interest will be a challenge.
Capture filters to the rescue.
wiresharkborrowed the concept, and syntax of capture filters from
tcpdump. This is good, as you only have to learn one syntax for both tools.
Since this is a blog about IPv6,the two must useful capture filters are:
tcpdump -c 100 -i eth0 -w mycap.pcap ip6
Now when you drag the pcap file back to your local machine, only the IPv6 traffic will be displayed.
$ tcpdump -r mycap.pcap 11:21:59.728933 IP6 2607:c000:8100:5600:3003:203f:53b5:37f2 > 2607:f8b0:400a:804::1005: ICMP6, echo request, seq 1, length 64 11:21:59.743360 IP6 2607:f8b0:400a:804::1005 > 2607:c000:8100:5600:3003:203f:53b5:37f2: ICMP6, echo reply, seq 1, length 64
Another capture filter useful in debugging the mechanics of IPv6 on your network is icmp6. You will remember that IPv6 uses ICMPv6 for many things including arp-like MAC address resolution, and Router Advertisements (RAs). To capture only the ICMPv6 packets on your remote network.
tcpdump -c 100 -i eth0 -w mycap.pcap icmp6
As I mentioned
wiresharkuses the same syntax for capture filters. In order to use a capture filter with
wiresharkone has to start a capture with options. This will open a new dialog box with a Capture Filter button. You can type the capture filter in the blank on the right, or click on the button for a selection of common capture filters.
Is anyone out there?
Of course, sniffing a switched network (or even modern wireless networks), you will quickly discover you can only see the packets destined to the host where you are running
wireshark). Ethernet switches conveniently switch other traffic off of your LAN connection. This is good for reducing traffic congestion, but less good if you were interested in using your X-Ray glasses on the network.
Picking a centralized location on your network, such as your router, is often the best place for sniffing the network, since the router will see any packet that is destined to be forwarded off the network.
Because the router is such a good location to debug network issues, you can often find a packet capture application for the device. OpenWRT a popular open source distribution for home routers, and conveniently has
tcpdumpas a installable package.
The Internet is your friend
wiresharkare popular tools, there is a lot of good information on the internet. This post is not intended to be a definitive tutorial on the tools, but to help you get started looking in the right direction for debugging IPv6 networks with your X-Ray glasses. Here is a couple of good starting points.
Using your X-Ray Glasses
With these packet sniffer tools, you will see in great detail what is on your network. Using the capture filters, you can quickly debug or just explore how IPv6 is working on your network. Capture filters help you use your X-Ray Glasses wisely.