6in4 Traffic Capture

Since my last blogposts covered many 6in4 IPv6 tunnel setups (1, 2, 3) I took a packet capture of some tunneled IPv6 sessions to get an idea how these packets look like on the wire. Feel free to download this small pcap and to have a look at it by yourself.

A couple of spontaneous challenges from the pcap round things up. ;)

Note that this post is one of many related to IPv6. Click here for a structured list.

At first, this is the pcap. Zipped with 7z, 19.5 Kbyte:

Setup

Two different tunnel endpoints were involved, both with tunnels from Hurricane Electric and its tunnel broker:

  • 193.24.227.10, a Juniper SSG 140, tunneling to 216.66.86.114 for IPv6 prefix 2001:470:6d:a1::/64
  • 193.24.227.12, a Cisco router, tunneling to 216.66.80.30 for IPv6 prefixes 2001:470:1F0B:1024::/64 and 2001:470:765B::/48

There are some IPv4 packets left within the trace intentionally, just to have some for reference. Within the trace you’ll find tunneled IPv6 connections with the following protocols:

  • Ping aka ICMPv6 echo-request
  • DNS via UDP
  • DNS via TCP
  • NTP
  • HTTP
  • HTTPS aka TLS
  • Syslog

IP Protocol 41

Basically, every IPv6 packet is encapsulated in IPv4, using the IP protocol number 41. This is *not* UDP or TCP, but its own protocol. Ref: IANA – Assigned Internet Protocol Numbers. Looking at it with Wireshark reveals the outer IPv4 packet with “Protocol: IPv6 (41)”, as well as the inner IPv6 packet with its actual payload:

Note that Wireshark displays the IPv6 source and destination address in the packet list and NOT the IPv4 ones. This can be confusing, especially when using display filters such as “ip”. Normally this should show ONLY IPv4 packets, but since those tunneled IPv6 packets are within IPv4, they are still present:

You can filter for some of those mentioned layer 7 protocols such as DNS, NTP, or ICMPv6:

TCP stream 0 shows an HTTP session, TCP stream 1 an HTTPS one:

Spontaneous Challenges

While preparing some screenshots for this post, I came across some ideas for a packet challenge. Just for fun, as always. However, they are not related to those 6in4 packets, but quite generic. Please comment below for the answers!

  1. What’s the serial number of the Juniper SSG 140?
  2. What reference time source is used on the stratum 1 NTP server?
  3. Which operating system sent the ping?
  4. Which server (vhost) was accessed in TCP stream 4?
  5. How many authoritative DNS answers were sent from my lab?
  6. What are the authoritative name servers?
  7. Which DNSSEC algorithm is weberlab.de using?
  8. Which DNS client sent a cookie? What’s its value?
  9. What’s the first HTML line from the answer in TCP stream 2?
  10. How many different server TLS certificates are in the trace?
  11. What are the subject alternative names of the 1st certificate in TCP stream 5?

Have fun! ;)

Featured image “Charli Blake” by Thomas Hawk is licensed under CC BY-NC 2.0.

4 thoughts on “6in4 Traffic Capture

  1. Hi Johannes, as promised, here are my findings/answers to your questions that I previously sent to you by e-mail. Cheers, Sake

    1) What’s the serial number of the Juniper SSG 140?

    0185082008001541

    2) What reference time source is used on the stratum 1 NTP server?

    Reference ID: Unidentified reference source ‘PZF’

    3) Which operating system sent the ping?

    ICMPv6: Not windows, probably Linux
    – not “a…w” as payload, but binary 0..255
    – wrong IPv6 hop limit (62, so started at 64, not 128)

    ICMP: Not windows, probably Linux
    – not 32 bytes of payload, but 8 bytes
    – wrong IPv6 hop limit (234, so started at 255, not 128)

    4) Which server (vhost) was accessed in TCP stream 4?

    random.weberlab.de (both in SNI and in certificate)

    5) How many authoritative DNS answers were sent from my lab?

    3
    (use the filter : dns.flags.response == 1 && dns.count.auth_rr> 0)

    6) What are the authoritative name servers?

    ns1.weberdns.de
    ns2.weberdns.de

    7) Which DNSSEC algorithm is weberlab.de using?

    Algorithm: RSA/SHA-512 (10)

    8) Which DNS client sent a cookie? What’s its value?

    Source: 2001:470:1f0b:16b0:20c:29ff:fe7c:a4cb
    Client Cookie: b77d399e9b178df9

    9) What’s the first HTML line from the answer in TCP stream 2?

    10) How many different server TLS certificates are in the trace?

    Only one

    11) What are the subject alternative names of the 1st certificate in TCP stream 5?

    dNSName: ip-only.webernetz.net
    dNSName: ip.webernetz.net
    dNSName: ipv4-only.webernetz.net
    dNSName: ipv4.webernetz.net
    dNSName: ipv6-only.webernetz.net
    dNSName: ipv6.webernetz.net
    dNSName: random.weberlab.de

Leave a Reply

Your email address will not be published. Required fields are marked *