Since my last blogposts covered many 6in4 IPv6 tunnel setups (1, 2, 3) I took a packet capture of some tunneled IPv6 sessions to get an idea how these packets look like on the wire. Feel free to download this small pcap and to have a look at it by yourself.
A couple of spontaneous challenges from the pcap round things up. ;)
At first, this is the pcap. Zipped with 7z, 19.5 Kbyte:
Two different tunnel endpoints were involved, both with tunnels from Hurricane Electric and its tunnel broker:
- 184.108.40.206, a Juniper SSG 140, tunneling to 220.127.116.11 for IPv6 prefix 2001:470:6d:a1::/64
- 18.104.22.168, a Cisco router, tunneling to 22.214.171.124 for IPv6 prefixes 2001:470:1F0B:1024::/64 and 2001:470:765B::/48
There are some IPv4 packets left within the trace intentionally, just to have some for reference. Within the trace you’ll find tunneled IPv6 connections with the following protocols:
- Ping aka ICMPv6 echo-request
- DNS via UDP
- DNS via TCP
- HTTPS aka TLS
IP Protocol 41
Basically, every IPv6 packet is encapsulated in IPv4, using the IP protocol number 41. This is *not* UDP or TCP, but its own protocol. Ref: IANA – Assigned Internet Protocol Numbers. Looking at it with Wireshark reveals the outer IPv4 packet with “Protocol: IPv6 (41)”, as well as the inner IPv6 packet with its actual payload:
Note that Wireshark displays the IPv6 source and destination address in the packet list and NOT the IPv4 ones. This can be confusing, especially when using display filters such as “ip”. Normally this should show ONLY IPv4 packets, but since those tunneled IPv6 packets are within IPv4, they are still present:
You can filter for some of those mentioned layer 7 protocols such as DNS, NTP, or ICMPv6:
TCP stream 0 shows an HTTP session, TCP stream 1 an HTTPS one:
While preparing some screenshots for this post, I came across some ideas for a packet challenge. Just for fun, as always. However, they are not related to those 6in4 packets, but quite generic. Please comment below for the answers!
- What’s the serial number of the Juniper SSG 140?
- What reference time source is used on the stratum 1 NTP server?
- Which operating system sent the ping?
- Which server (vhost) was accessed in TCP stream 4?
- How many authoritative DNS answers were sent from my lab?
- What are the authoritative name servers?
- Which DNSSEC algorithm is weberlab.de using?
- Which DNS client sent a cookie? What’s its value?
- What’s the first HTML line from the answer in TCP stream 2?
- How many different server TLS certificates are in the trace?
- What are the subject alternative names of the 1st certificate in TCP stream 5?
Have fun! ;)