Tag Archives: Wireshark

Path MTU Discovery

Internet Access, Network, Routing, , , , , , ,

One of the mysteries for me in IP networks was the Path MTU Discovery (PMTUD) process. I’ve seldom seen any problems with the MTU at all. Fortunately, while troubleshooting some router issues, I captured several ICMP “packet too big” errors along with the original packets. 👍🏻

Let’s have a look at those PMTUD processes for IPv6 and legacy IP with Wireshark. Of course, these captured connections are part of the Ultimate PCAP as well, hence, you can download the most current version of it and analyze it by yourself.

Continue reading Path MTU Discovery

Dual-Stack PPPoE on a FortiGate Firewall

Fortinet, Internet Access, IPv6, , , , , , ,

You can use a FortiGate to connect to the Internet (that is: Dual-Stack!) directly in various ways. In my current setup, I’m using a PPPoE residential xDLS connection. It’s not that easy to configure everything correctly since it requires the use of many different protocols such as PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. But here it is:

Continue reading Dual-Stack PPPoE on a FortiGate Firewall

DHCPv6 Prefix Delegation on a FortiGate Firewall

DHCP/DHCPv6, Fortinet, IPv6, , , , , , ,

I got DHCPv6-PD aka prefix delegation up and running on a FortiGate. Yes! ✅ Configuring it is tricky since it’s not always clear which options to use. You cannot see everything in the GUI (it even changes depending on other options made later on or selects hidden and wrong default values), hence, you must set specific options via the CLI. I navigated around some bugs and finally got it running. Here we go:

Continue reading DHCPv6 Prefix Delegation on a FortiGate Firewall

Dual-Stack PPPoE on a Palo Alto Firewall

Internet Access, IPv6, Palo Alto Networks, , , , , , ,

If you want to establish an Internet connection (that is: IPv6 and IPv4) right away from your firewall through xDSL connections, you need quite some technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. Fortunately, with PAN-OS 11.0 and 11.1, those missing IPv6 links were finally added by PANW to their Strata firewalls. (I have been awaiting them since 2015!)

So, here it is: Connecting a Palo through an xDSL modem to a residential ISP:

Continue reading Dual-Stack PPPoE on a Palo Alto Firewall

It’s Always DNS! @ SharkFest’23 EU

Conference Talks, DNS/DNSSEC, , , , , ,

This time (2023) at the yearly Wireshark Developer and User Conference in Europe, I gave a talk about DNS. How could it have been any different –> The title simply had to be ‘It’s Always DNS‘. 😂

“This session dives deeper into the Domain Name System, covering recursive vs. iterative DNS queries, resource records types, TTL & caching, DNS errors, a little DNSSEC, flags, and of course: Wireshark with its useful display filters, custom columns, colouring rules, and so on. And we will explore some other tools to analyze and troubleshoot DNS even further.”

You can watch the whole session and download the slides. And you can do the six challenges at the end of the session as well. (The answers are not in the PDF, but shown in the video.)

Continue reading It’s Always DNS! @ SharkFest’23 EU

Joining an Active Directory: A Packet Capture

Network, Windows, , , , , , , , , , ,

What happens on the network if you’re joining a Microsoft Active Directory domain? Which protocols are used? As I suspected, it’s a bit more complex than just seeing a single known protocol like HTTPS. ;)

Since a PCAP is worth a thousand words, I captured the process of a Windows PC joining an AD. Let’s have a look at it with Wireshark and NetworkMiner. And, as always, you’re welcome to download the packet capture to analyse it by yourself.

Continue reading Joining an Active Directory: A Packet Capture

DHCPv6 Prefix Delegation on Palo Alto’s NGFW

DHCP/DHCPv6, IPv6, Palo Alto Networks, , , , ,

Finally! With PAN-OS 11.0 a long missing IPv6 feature was introduced: DHCPv6-PD aka prefix delegation. For the first time, we can now operate a PAN-OS firewall directly on the Internet (the IPv6-Internet that is) on many kinds of ISP connections. Remember: To get a routed IPv6 prefix requires DHCPv6-PD (if you’re not a BGP-homed enterprise). Hence, without that feature, we could not connect to the Internet with a Palo directly.

With DHCPv6-PD, the firewall can receive a prefix from the ISP (commonly a /48 or a /56), while handing out /64s to downstream layer 3 interfaces. Here we go:

Continue reading DHCPv6 Prefix Delegation on Palo Alto’s NGFW

DHCPv6 Prefix Delegation

DHCP/DHCPv6, IPv6, , , , , , ,

What is DHCPv6 Prefix Delegation? Coming from IPv4, you’re already familiar with DHCP (for IPv4) which hands out IPv4 addresses to clients. The same applies to (stateful) DHCPv6: it hands out IPv6 addresses to clients.

However, with IPv6 we’re heavily dealing with subnets rather than just single addresses. Again, you’re familiar with IPv4: For an IPv4-based ISP connection, you’re getting either a single public IPv4 address or a small subnet such as a /29, /28, or the like for your WAN interface. For an IPv6-based ISP connection, you’re getting a subnet which includes multiple unique subnets to be used for other layer 3 segments rather than a single address (with NAT on the CPE). This is where DHCPv6 prefix delegation (commonly abbreviated as DHCPv6-PD) kicks in: It hands out IPv6 subnets to routers.

Let’s have a closer look:

Continue reading DHCPv6 Prefix Delegation

More Capture Details III

Network, , , , , , , , , , , ,

Another update of the Ultimate PCAP is available. Again, there are some special new packets in there which I want to point out here. Feel free to download the newest version to examine those new protocols and packets by yourself. Featuring: SNMPv3, WoL, IPMI, HSRP, Zabbix, Pile of Poo, and Packet Comments. ✅

Continue reading More Capture Details III

Contributing to Wireshark (without any coding skills!)

Wireshark, , , ,

For many years I was afraid to open new issues for open-source tools since I am not a coder at all and won’t ever be able to fix some of the problems. Many times I got answers like “The source is open, go ahead and fix it yourself”. This brought me to a point where I simply stopped proposing new ideas and features.

This has changed since I was at SharkFest’22 EUROPE (the Wireshark Developer and User Conference), especially at a session from Uli Heilmeier called “Contribute to Wireshark – the low hanging fruits” [PDF].

TL;DR: You don’t need to be a programmer to contribute to Wireshark! E.g., submit new feature requests, report bugs or write at the wiki.

And that is exactly what I would like to recommend to you. This post is about giving examples, that even minor errors and thoughts are appreciated by the Wireshark team. But, of course, if you actually have coding skills, please go ahead and fix some of the issues. ;)

Continue reading Contributing to Wireshark (without any coding skills!)

Basic NTP Client Test on Windows: w32tm

Monitoring, NTP, Windows, , , ,

When implementing NTP servers, it’s always an interesting part to check whether the server is “up and running” and reachable from the clients. While I’ve done many basic NTP checks out of Linux, I lacked a small docu to do this with Windows. It turned out that there’s no need for third-party software because Windows already includes a tool to test NTP connections: w32tm.

Continue reading Basic NTP Client Test on Windows: w32tm

Minor Palo Bug: ICMPv6 Errors sourced from Unspecified Address

IPv6, Palo Alto Networks, , , , ,

During my IPv6 classes, I discovered a (minor) bug at the NGFW from Palo Alto Networks: ICMPv6 error messages, such as “time exceeded” (type 3) as a reply of traceroute, or “destination unreachable” (type 1) as a reply of a drop policy, are not correctly sourced from the IPv6 address of the data interface itself, but from the unspecified address “::”. Here are some details:

Continue reading Minor Palo Bug: ICMPv6 Errors sourced from Unspecified Address

Verbindungsaufbau Deutsche Glasfaser

DHCP/DHCPv6, Internet Access, IPv6, , , , , , , , ,

Als netzwerktechnisches Spielkind beschäftige ich mich nicht nur mit den Netzwerken großer Firmenumgebungen, sondern auch mit meinem eigenen Anschluss daheim. Vor vielen Jahren habe ich dem echten Dual-Stack Anschluss der Deutschen Telekom mal auf die Finger geguckt – heute ist die Variante der Deutschen Glasfaser an der Reihe, welches zwar ein Dual Stack, aber ohne eigene öffentliche IPv4 Adresse ist. Quasi ein halbes DS-Lite. Kernfrage für mich war: Kann ich die Fritzbox (mit ihren mitgelieferten Presets für verschiedene ISPs) durch eine echte Enterprise-Firewall ersetzen, die ja leider nicht unbedingt alle Sprecharten wie PPPoE im Subinterface oder PPP IPv6CP unterstützen.

TL;DR: DHCP, DHCPv6-PD, RA.

Continue reading Verbindungsaufbau Deutsche Glasfaser

Stateful DHCPv6 Capture (along with Relaying)

DHCP/DHCPv6, IPv6, , , , , , ,

For my IPv6 training classes, I was missing a capture of a stateful DHCPv6 address assignment. That is: M-flag within the RA, followed by DHCPv6 messages handing out an IPv6 address among others. Therefore, I set up a DHCPv6 server on an Infoblox grid and furthermore used a Palo Alto NGFW as a DHCPv6 relay to it. I captured on two points: from the client’s point of view (getting to the relay) and from the server’s point of view (unicast messages from the relay). And since I was already there anyway, I additionally captured the same process for DHCPv4. So, here we go:

Continue reading Stateful DHCPv6 Capture (along with Relaying)