Wireshark/ICMPv6 NDP

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze ICMPv6 Neighbor Discovery Protocol (NDP) traffic.

Note: To complete this activity, you must have an administrative user account or know the username and password of an administrator account you can enter when prompted.

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Display Teredo Status

To display Teredo status:

  1. Open an elevated/administrator command prompt.
  2. Type netsh interface teredo show state and press Enter.
  3. Observe the Teredo status.

Activity 2 - Disable Teredo

If Teredo is currently enabled, disable it:

  1. Type netsh interface teredo set state disabled and press Enter.
  2. Use ipconfig to confirm that Teredo was disabled.

Activity 3 - Capture ICMPv6 NDP Traffic

To capture ICMPv6 NDP traffic:

  1. Start a Wireshark capture.
  2. Type netsh interface teredo set state default and press Enter.
  3. Use ipconfig to display Teredo settings. Note your IPv6 addresses.
  4. Use ping 2001:4860:4860::8888 to ping an Internet host by IPv6 address.
  5. Close the command prompt.
  6. Stop the Wireshark capture.

Activity 4 - Analyze Neighbor Solicitation Traffic

To analyze Neighbor Solicitation traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only ICMPv6 traffic, type icmpv6 (lower case) in the Filter box and press Enter.
  2. Select the first ICMPv6 packet labeled Neighbor Solicitation.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast prefix used for IPv6 multicast (the remaining four octets are the low 32 bits of the IPv6 destination address).
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range.
  8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  9. Observe the Type, Target Address, and Source link-layer address.

Activity 5 - Analyze Neighbor Advertisement Traffic

To analyze Neighbor Advertisement traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the next ICMPv6 packet labeled Neighbor Advertisement.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it matches the source link-layer address from the Neighbor Solicitation packet above.
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Source address. Notice that it matches the target address from the Neighbor Solicitation packet above.
  8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  9. Observe the Type, Target Address, and Target link-layer address. Notice that the Neighbor Advertisement is a direct response to the Neighbor Solicitation in the previous packet.
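The relationships Activities 4 and 5 have you observe by eye (solicited-node multicast destination, the 33:33 Ethernet mapping, and the Neighbor Advertisement answering the Neighbor Solicitation) can be checked programmatically. The following is an added example, not part of the original lab; the sample NS and NA field values are constructed, and the helper names are assumptions.

```python
import ipaddress

# Constructed sample of the fields this lab has you read out of the NS and NA
# packets (not from a real capture; the MACs and addresses are made up).
SAMPLE_NS = {"eth_dst": "33:33:ff:3a:1b:2c", "ipv6_src": "fe80::1",
             "ipv6_dst": "ff02::1:ff3a:1b2c", "target": "fe80::20c:29ff:fe3a:1b2c",
             "src_lladdr": "00:0c:29:aa:bb:cc"}
SAMPLE_NA = {"eth_dst": "00:0c:29:aa:bb:cc", "ipv6_src": "fe80::20c:29ff:fe3a:1b2c",
             "ipv6_dst": "fe80::1", "target": "fe80::20c:29ff:fe3a:1b2c",
             "tgt_lladdr": "00:0c:29:3a:1b:2c"}

def _ip(addr):
    return str(ipaddress.IPv6Address(addr))  # canonical text so "fe80:0::1" == "fe80::1"

def solicited_node_multicast(target):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))

def ipv6_multicast_mac(addr):
    """33:33 followed by the low 32 bits of an IPv6 multicast address (RFC 2464)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not in ff00::/8")
    low32 = int(a) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))

def check_ns_na_pair(ns, na):
    """Return the mismatches between an NS and the NA that should answer it.
    An empty list means the pair is consistent with what Activities 4 and 5 describe;
    any entry deserves a second look (e.g. an NA claiming a target it does not own)."""
    problems = []
    if _ip(ns["ipv6_dst"]) != solicited_node_multicast(ns["target"]):
        problems.append("NS not sent to the target's solicited-node group")
    if ns["eth_dst"].lower() != ipv6_multicast_mac(ns["ipv6_dst"]):
        problems.append("NS Ethernet destination does not map from its IPv6 destination")
    if na["eth_dst"].lower() != ns["src_lladdr"].lower():
        problems.append("NA Ethernet destination is not the NS source link-layer address")
    if _ip(na["ipv6_src"]) != _ip(ns["target"]):
        problems.append("NA source is not the NS target address")
    if _ip(na["ipv6_dst"]) != _ip(ns["ipv6_src"]):
        problems.append("NA is not addressed back to the NS sender")
    if _ip(na["target"]) != _ip(ns["target"]):
        problems.append("NA target differs from NS target")
    return problems

if __name__ == "__main__":
    print(solicited_node_multicast(SAMPLE_NS["target"]), ipv6_multicast_mac(SAMPLE_NS["ipv6_dst"]))
    print(check_ns_na_pair(SAMPLE_NS, SAMPLE_NA) or "NS/NA pair consistent")
```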

Activity 6 - Analyze Multicast Listener Report Traffic

To analyze Multicast Listener Report traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the next ICMPv6 packet labeled Multicast Listener Report Message v2.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Ethernet II to view the Ethernet details.
  5. Observe the Destination address. Notice that it starts with 33:33, the Ethernet multicast prefix used for IPv6 multicast.
  6. Expand Internet Protocol Version 6 to view IPv6 details.
  7. Observe the Destination address. Notice that it begins with ff (ff00::/8), the IPv6 multicast range.
  8. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  9. Observe the Type and the Multicast Address Record Changed entry. The address ff02::1:3 is the multicast group used by LLMNR (Link-Local Multicast Name Resolution).

Activity 7 - Analyze Router Solicitation Traffic

To analyze Router Solicitation traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Scroll down to select the next ICMPv6 packet labeled Router Solicitation.
  3. Observe the packet details in the middle Wireshark packet details pane. If this is a Teredo packet, you will see that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Internet Protocol Version 6 to view IPv6 details.
  5. Observe the Source address and Destination address. Notice that the Destination address is ff02::2, the IPv6 link-local all-routers multicast address.

Activity 8 - Analyze Router Advertisement Traffic

To analyze Router Advertisement traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Scroll down to select the next ICMPv6 packet labeled Router Advertisement.
  3. Observe the packet details in the middle Wireshark packet details pane. If this is a Teredo packet, you will see that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Teredo IPv6 Over UDP tunneling / Internet Protocol Version 6 / Internet Control Message Protocol v6 frame.
  4. Expand Internet Protocol Version 6 to view IPv6 details.
  5. Observe the Source address and Destination address. Notice that the Destination address matches the Source address in the Router Solicitation packet above.
  6. Expand Internet Control Message Protocol v6 to view ICMPv6 details.
  7. Observe Router Advertisement details.
  8. Expand ICMPv6 Option to view Prefix information.
  9. Observe Prefix details.
  10. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
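Wireshark decodes the Router Advertisement and its Prefix Information option for you in Activity 8; the parser below shows what that decoding involves, including the RFC 4861 rule that an option with length 0 invalidates the whole message. This is an added example, not part of the original lab: it takes only the ICMPv6 payload (any Ethernet, IPv4/UDP Teredo and IPv6 headers already stripped), the sample packet bytes are constructed, and the function names are assumptions.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type for Router Advertisement (RFC 4861)
# Constructed RA (not a real capture): hop limit 64, M/O flags clear, router
# lifetime 1800 s, then Source Link-layer and Prefix Information options. Checksum
# is left 0 here because it is computed over the IPv6 pseudo-header.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x00, 1800, 0, 0)
    + bytes([1, 1]) + bytes.fromhex("001122334455")
    + bytes([3, 4]) + struct.pack("!BBIII16s", 64, 0xC0, 2592000, 604800, 0,
                                  ipaddress.IPv6Address("2001:db8:1::").packed)
)

def parse_router_advertisement(data):
    """Decode the ICMPv6 payload of an RA into a dict. Raises ValueError on a
    malformed packet; RFC 4861 says an option of length 0 makes the RA invalid."""
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", data[4:16])
    ra = {"cur_hop_limit": hop, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "router_lifetime": lifetime,
          "reachable_time": reachable, "retrans_timer": retrans, "options": []}
    off = 16
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1] * 8  # length is in units of 8 octets
        if olen == 0 or off + olen > len(data):
            raise ValueError("option length 0 or option runs past end of packet")
        body = data[off + 2:off + olen]
        if otype == 1:  # Source Link-layer Address
            ra["options"].append({"type": "source_lladdr", "mac": body[:6].hex(":")})
        elif otype == 3 and len(body) >= 30:  # Prefix Information (Activity 8)
            plen, pflags, valid, pref, _, prefix = struct.unpack("!BBIII16s", body[:30])
            ra["options"].append({"type": "prefix_info",
                                  "prefix": f"{ipaddress.IPv6Address(prefix)}/{plen}",
                                  "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                                  "valid_lifetime": valid, "preferred_lifetime": pref})
        else:  # any other option is kept raw for inspection
            ra["options"].append({"type": otype, "raw": body.hex()})
        off += olen
    return ra

def ra_is_well_formed(data):
    """True when parse_router_advertisement accepts the packet, False on ValueError."""
    try:
        parse_router_advertisement(data)
        return True
    except ValueError:
        return False
```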

Activity 9 - Disable Teredo

If Teredo was initially disabled on your system, you should disable it again:

  1. Open an elevated/administrator command prompt.
  2. Type netsh interface teredo set state disabled and press Enter.
  3. Use ipconfig to confirm that Teredo was disabled.
  4. Close the command prompt to complete this activity.
