How to Filter and Analyze Captured IPv6 Traffic in Wireshark


💡 This tutorial is an AI translation of the English version. To see the original version, you can click here

Introduction

In the realm of cybersecurity, understanding and analyzing network traffic is a crucial skill. This tutorial guides you through the process of capturing, filtering, and analyzing IPv6 traffic using Wireshark, a powerful network protocol analyzer.

IPv6 (Internet Protocol version 6) represents the next generation of internet protocols designed to eventually replace the widely used IPv4. As networks continue to evolve, security professionals must be proficient in monitoring both protocols. By the end of this lab, you will be equipped with practical knowledge to enhance your network security monitoring capabilities.

Installing and Setting Up Wireshark

Before we can capture and analyze IPv6 traffic, we need to install Wireshark on our Ubuntu system and perform some basic configuration.

Installing Wireshark

Let's begin by updating the package lists and installing Wireshark:

sudo apt update
sudo apt install -y wireshark

During the installation, you may be prompted whether non-superusers should be able to capture packets. For this lab, select "Yes" to allow non-root users to capture packets.

After installation completes, we need to add our user to the wireshark group to allow packet capturing without root privileges:

sudo usermod -a -G wireshark labex

For the changes to take effect, log out and back in; alternatively, start a new shell with the wireshark group already active:

newgrp wireshark

Verifying the Installation

To verify that Wireshark has been installed successfully, let's check its version:

wireshark --version

You should see output similar to the following:

Wireshark 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Launching Wireshark

Now let's launch Wireshark from the terminal:

wireshark &

The & symbol runs the application in the background, allowing you to continue using the terminal.

You should see the Wireshark application open with a list of available network interfaces. The interface might look similar to this:

Wireshark Main Interface

Wireshark is now ready for capturing and analyzing network traffic. In the next step, we will generate some IPv6 traffic that we can capture and analyze.

Generating IPv6 Traffic for Capture

Before we can analyze IPv6 traffic, we need to generate some IPv6 packets on our network. In this step, we'll use various tools to generate IPv6 traffic.

Understanding IPv6 Basics

IPv6 addresses are 128-bit addresses typically written in hexadecimal notation with colons separating each group of 16 bits, like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. IPv6 offers several advantages over IPv4:

  • Larger address space (128-bit vs 32-bit)
  • Simplified header format for better routing efficiency
  • Built-in security with IPsec
  • Improved support for Quality of Service (QoS)

Checking IPv6 Connectivity

First, let's check if our system has IPv6 connectivity by examining the network interfaces:

ip -6 addr show

This command displays all IPv6 addresses assigned to network interfaces on your system. You should see output similar to:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::215:5dff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever

The fe80:: addresses are link-local addresses that are automatically configured on IPv6-enabled interfaces.

Generating IPv6 Traffic

Let's generate some IPv6 traffic that we can capture with Wireshark. We'll use the ping6 command to send ICMPv6 echo requests to IPv6 addresses.

First, let's ping the IPv6 loopback address:

ping6 -c 4 ::1

This sends 4 ICMPv6 echo requests to the loopback address (::1). You should see output like:

PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.074 ms
64 bytes from ::1: icmp_seq=3 ttl=64 time=0.073 ms
64 bytes from ::1: icmp_seq=4 ttl=64 time=0.074 ms

--- ::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3072ms
rtt min/avg/max/mdev = 0.035/0.064/0.074/0.017 ms

Next, let's ping a well-known IPv6 address. Google's DNS servers support IPv6 and can be used for testing:

ping6 -c 4 2001:4860:4860::8888

If your system has public IPv6 connectivity, you should see successful ping responses. If not, you might see errors indicating no route to host.

Using netcat for IPv6 Traffic

We can also use netcat to generate IPv6 traffic. Let's open two terminal windows.

In the first terminal, start a netcat server listening on an IPv6 address:

nc -6 -l 8888

This starts a server listening on port 8888 for IPv6 connections.

In the second terminal, connect to this server:

nc -6 ::1 8888

Now you can type messages in either terminal, and they will be sent to the other terminal over IPv6. This creates TCP traffic that we can capture in Wireshark.

Type a few messages in each terminal to generate traffic, then press Ctrl+C in both terminals to close the connections.

Now that we have generated some IPv6 traffic, we're ready to capture and analyze it with Wireshark in the next step.

Capturing IPv6 Traffic with Wireshark

Now that we have generated some IPv6 traffic, we can use Wireshark to capture and examine it. In this step, we'll learn how to set up Wireshark to capture IPv6 packets.

Starting a Capture

First, launch Wireshark if it's not already running:

wireshark &

In the main Wireshark window, you'll see a list of available network interfaces. We want to capture on the interface that's handling our network traffic:

  1. Locate the interface named lo (loopback) in the list
  2. Double-click on this interface to start capturing packets on it

Alternatively, you can select the interface and click the "Start capturing packets" button (the blue shark fin icon) in the toolbar.

Wireshark will now start capturing all packets on the loopback interface, including any IPv6 traffic.

Generating Traffic During Capture

While Wireshark is capturing, let's generate some IPv6 traffic. Open a new terminal and run:

ping6 -c 10 ::1

This sends 10 ICMPv6 echo requests to the loopback address, which will be visible in Wireshark.

You should see packets appearing in the Wireshark window as they are captured. Each line represents a single packet.

Stopping the Capture

After generating some traffic, let's stop the capture:

  1. Click the "Stop capturing packets" button (the red square icon) in the toolbar
  2. Wireshark will now display only the packets that were captured during the session

Understanding the Wireshark Interface

The Wireshark interface consists of three main panels:

  1. Packet List Panel (top): Shows all captured packets in sequential order
  2. Packet Details Panel (middle): Shows the details of the selected packet in a hierarchical view
  3. Packet Bytes Panel (bottom): Shows the raw bytes of the selected packet in hexadecimal and ASCII format

Let's find and select an IPv6 packet in the Packet List Panel. Look for packets with "IPv6" listed in the "Protocol" column.

When you select an IPv6 packet, the Packet Details Panel will show the structure of the IPv6 header, including:

  • Version (should be 6 for IPv6)
  • Traffic Class
  • Flow Label
  • Payload Length
  • Next Header
  • Hop Limit
  • Source Address
  • Destination Address

You can expand each field by clicking the arrow next to it to see more details.

Saving the Capture

Let's save our capture for later analysis:

  1. Click on the "File" menu
  2. Select "Save As"
  3. Navigate to the /home/labex/project directory
  4. Enter a filename like ipv6_capture.pcapng
  5. Click "Save"

The captured packets are now saved in a file that can be opened later for further analysis.

ls -l /home/labex/project/ipv6_capture.pcapng

You should see output confirming the file was created:

-rw-r--r-- 1 labex labex 12345 Sep 10 12:34 /home/labex/project/ipv6_capture.pcapng

In the next step, we'll learn how to filter and analyze the IPv6 traffic we've captured.

Basic IPv6 Filtering in Wireshark

Wireshark can capture a large volume of packets, making it essential to filter the data to focus on specific traffic. In this step, we'll learn how to use display filters to isolate IPv6 traffic.

Understanding Wireshark Display Filters

Wireshark display filters allow you to show only packets that match specific criteria. The filter syntax is rich and powerful, enabling precise control over what packets are displayed.

Display filters are entered in the filter bar at the top of the Wireshark window. As you type, the background color provides feedback:

  • Green: Valid filter syntax
  • Red: Invalid filter syntax
  • Yellow: Valid but potentially problematic filter

Basic IPv6 Filters

Let's start by opening our saved capture file:

  1. Click on the "File" menu
  2. Select "Open"
  3. Navigate to /home/labex/project
  4. Select ipv6_capture.pcapng
  5. Click "Open"

Now, let's apply some basic IPv6 filters:

Filtering for all IPv6 traffic

To display only IPv6 packets, enter the following in the filter bar:

ipv6

Press Enter or click "Apply" to apply the filter. Only packets using the IPv6 protocol will be displayed.

Filtering by IPv6 Address

To filter packets by IPv6 source address:

ipv6.src == ::1

This shows only packets originating from the loopback address.

To filter packets by IPv6 destination address:

ipv6.dst == ::1

This shows only packets destined for the loopback address.

You can combine filters using logical operators:

ipv6.src == ::1 and ipv6.dst == ::1

This shows only packets where both source and destination are the loopback address.

Filtering by IPv6 Protocol

IPv6 uses a "Next Header" field to indicate the protocol encapsulated within the IPv6 packet. Common next header values include:

  • 6: TCP
  • 17: UDP
  • 58: ICMPv6

To filter for ICMPv6 packets:

ipv6.nxt == 58

Or you can simply use:

icmpv6

To filter for IPv6 TCP packets:

ipv6.nxt == 6

Or equivalently:

ipv6 and tcp

Combining Filters

Wireshark filters can be combined using logical operators:

  • and (or &&): Both conditions must be true
  • or (or ||): At least one condition must be true
  • not (or !): Negates a condition

For example, to find all IPv6 packets except ICMPv6:

ipv6 and not icmpv6

To find packets that are either ICMPv6 echo requests or echo replies:

icmpv6.type == 128 or icmpv6.type == 129

Saving Filters

If you frequently use certain filters, you can save them for later use:

  1. Enter your filter in the filter bar
  2. Click the "Save this filter" button (plus sign on the right)
  3. Enter a name for your filter
  4. Click "OK"

To apply a saved filter, click the "Filter" button (funnel icon) and select your saved filter from the dropdown menu.

Let's save a filter for ICMPv6 packets:

  1. Enter icmpv6 in the filter bar
  2. Click the plus sign
  3. Name it "ICMPv6 Traffic"
  4. Click "OK"

Now you can quickly apply this filter whenever needed.

Using Filter Expressions from the Packet Details

Wireshark offers a convenient way to create filters from the packet details:

  1. Select a packet in the packet list
  2. In the packet details panel, right-click on a field
  3. Choose "Apply as Filter" and then select:
    • "Selected" to filter for that exact value
    • "Not Selected" to exclude that value
    • "And Selected" to add the condition to the current filter
    • "Or Selected" to add an alternative condition

This makes it easy to build complex filters without memorizing field names.

Try this by:

  1. Select an IPv6 packet
  2. Expand the "Internet Protocol Version 6" section in the packet details
  3. Right-click on the "Next Header" field
  4. Select "Apply as Filter" > "Selected"

The filter bar will now show a filter for that specific next header value.

In the next step, we'll move beyond basic filtering to more advanced IPv6 analysis techniques.

Advanced IPv6 Analysis in Wireshark

Now that you're familiar with basic IPv6 filtering, let's explore more advanced analysis techniques in Wireshark to gain deeper insights into IPv6 traffic patterns.

IPv6 Protocol Analysis

Analyzing ICMPv6 for Neighbor Discovery

ICMPv6 plays a crucial role in IPv6 networks, especially for Neighbor Discovery Protocol (NDP), which replaces ARP in IPv4. Let's analyze NDP traffic:

  1. Open Wireshark with our capture file
  2. Apply the following filter to see all NDP messages:
    icmpv6.type >= 133 and icmpv6.type <= 137

This filter includes:

  • Type 133: Router Solicitation
  • Type 134: Router Advertisement
  • Type 135: Neighbor Solicitation
  • Type 136: Neighbor Advertisement
  • Type 137: Redirect Message

If you don't see any NDP messages in your capture, let's generate some:

# In a new terminal, start a new Wireshark capture on the appropriate interface
wireshark -i eth0 &

# Then run this command to trigger neighbor solicitation
ping6 -c 2 ff02::1%eth0

This pings the IPv6 all-nodes multicast address on eth0. The %eth0 suffix names the interface, which the kernel requires for link-local scope destinations; the resulting exchange with neighbors should trigger neighbor discovery messages.

Analyzing IPv6 Extension Headers

IPv6 uses extension headers to include optional information. To filter for packets with extension headers:

ipv6.nxt != 6 and ipv6.nxt != 17 and ipv6.nxt != 58

This shows IPv6 packets whose first Next Header value is not TCP, UDP, or ICMPv6, which usually means an extension header follows the fixed header (it also matches other encapsulated protocols, such as 41 for IPv6-in-IPv6). Wireshark also dissects each extension header under its own field, so ipv6.hopopts or ipv6.dstopts or ipv6.routing or ipv6.fraghdr matches them directly.
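To make the Next Header chain concrete, here is an added Python example (not part of the original lab) that decodes the fixed IPv6 header fields listed earlier and then walks any extension headers to the real upper-layer protocol, which is what the ipv6.nxt filter above only approximates. The two packets are constructed inline for the demo, with checksums left at zero.

```python
import struct
import ipaddress

# Extension headers that can sit between the fixed header and the upper layer (RFC 8200).
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_ipv6(pkt):
    """Decode the 40-byte fixed header, then walk the extension-header chain."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    hdr = {
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": plen,
        "next_header": nxt,  # the value the ipv6.nxt display filter tests
        "hop_limit": hlim,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }
    chain, off = [], 40
    while nxt in EXT_HEADERS:
        chain.append(nxt)
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is fixed at 8 bytes; the others carry Hdr Ext Len in 8-byte units
        ext_len = 8 if nxt == 44 else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + ext_len
    hdr["ext_chain"] = chain
    hdr["upper_layer"] = nxt
    hdr["upper_layer_name"] = UPPER_LAYER.get(nxt, "other(%d)" % nxt)
    return hdr


def build_ipv6(src, dst, nxt, payload, hop_limit=64):
    """Assemble a minimal IPv6 packet (constructed test data, checksums not computed)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), nxt, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


# ICMPv6 echo request (type 128) with a short payload, and a Hop-by-Hop header
# (next header 58, Hdr Ext Len 0, PadN option) that precedes it in the second packet.
ICMP_ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1]) + b"labex"
HBH = bytes([58, 0, 1, 4, 0, 0, 0, 0])
PLAIN = build_ipv6("::1", "::1", 58, ICMP_ECHO)
WITH_HBH = build_ipv6("fe80::1", "ff02::1", 0, HBH + ICMP_ECHO)

if __name__ == "__main__":
    for pkt in (PLAIN, WITH_HBH):
        h = parse_ipv6(pkt)
        print("%s -> %s nxt=%d chain=%s upper=%s" % (h["src"], h["dst"], h["next_header"], h["ext_chain"], h["upper_layer_name"]))
```

The second packet has ipv6.nxt == 0 in its fixed header even though it carries ICMPv6, so the filter icmpv6 still matches it while ipv6.nxt == 58 does not.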

Using Wireshark Statistical Tools

Wireshark provides several statistical tools that are valuable for analyzing IPv6 traffic.

IPv6 Conversation Statistics

To view IPv6 conversations:

  1. Click on the "Statistics" menu
  2. Select "Conversations"
  3. Click on the "IPv6" tab

This displays all IPv6 conversations in your capture, showing source and destination addresses, packet counts, and byte counts.

You can sort the conversations by any column by clicking on the column header.

IPv6 Protocol Hierarchy

To see the distribution of protocols in your capture:

  1. Click on the "Statistics" menu
  2. Select "Protocol Hierarchy"

This shows a hierarchical view of protocols, with percentages of packets and bytes for each protocol. You can see what proportion of your traffic is IPv6, and within that, how much is ICMPv6, TCP, UDP, etc.

IPv6 Endpoint Statistics

To analyze IPv6 endpoints:

  1. Click on the "Statistics" menu
  2. Select "Endpoints"
  3. Click on the "IPv6" tab

This shows all IPv6 addresses seen in the capture, along with packet and byte counts. It helps identify the most active IPv6 hosts.

Flow Graph Analysis

For a visual representation of packet exchanges:

  1. Click on the "Statistics" menu
  2. Select "Flow Graph"
  3. In the options, ensure "IPv6 addresses" is selected for the flow type
  4. Click "OK"

This creates a visual representation of packet flows between hosts, making it easier to understand communication patterns.

Exporting Data for Further Analysis

To export IPv6 data for analysis in other tools:

  1. Click on the "File" menu
  2. Select "Export Packet Dissections"
  3. Choose "As CSV" (or another format depending on your needs)
  4. Select which fields to export
  5. Click "Save"

Let's export some basic IPv6 information:

## Create a simple export from the command line
tshark -r /home/labex/project/ipv6_capture.pcapng -T fields -e frame.number -e ipv6.src -e ipv6.dst -e ipv6.nxt -E header=y -E separator=, > /home/labex/project/ipv6_analysis.csv

This creates a CSV file with frame numbers, source and destination IPv6 addresses, and next header values.

To view the exported file:

cat /home/labex/project/ipv6_analysis.csv

You should see output similar to:

frame.number,ipv6.src,ipv6.dst,ipv6.nxt
1,::1,::1,58
2,::1,::1,58
...
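The CSV produced by the tshark command above is easy to post-process outside Wireshark. The following added Python example (not part of the original lab) reads that layout and reproduces the counts shown by the Conversations, Endpoints and Protocol Hierarchy tools from the earlier steps; the sample rows are constructed inline rather than taken from a real capture.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout the tshark command above writes (not from a real capture).
SAMPLE_CSV = """frame.number,ipv6.src,ipv6.dst,ipv6.nxt
1,::1,::1,58
2,::1,::1,58
3,fe80::215:5dff:fe00:1,ff02::1,58
4,fe80::215:5dff:fe00:1,fe80::215:5dff:fe00:2,6
5,fe80::215:5dff:fe00:2,fe80::215:5dff:fe00:1,6
6,fe80::215:5dff:fe00:2,fe80::215:5dff:fe00:1,17
"""

NEXT_HEADER_NAMES = {0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 44: "Fragment", 58: "ICMPv6"}


def load_rows(csv_text):
    """Parse the header-prefixed CSV into dicts; frame number and next header become ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["ipv6.src"]:  # non-IPv6 frames export empty address fields
            continue
        rows.append({
            "frame": int(row["frame.number"]),
            "src": row["ipv6.src"],
            "dst": row["ipv6.dst"],
            "nxt": int(row["ipv6.nxt"]),
        })
    return rows


def summarize(rows):
    """Reproduce the Conversations, Endpoints and Protocol Hierarchy counts."""
    conversations, endpoints, next_headers = Counter(), Counter(), Counter()
    for r in rows:
        # A conversation is direction-agnostic, so key it on the sorted address pair.
        conversations[tuple(sorted((r["src"], r["dst"])))] += 1
        # Count each packet once per endpoint address, even for ::1 -> ::1.
        for addr in {r["src"], r["dst"]}:
            endpoints[addr] += 1
        next_headers[NEXT_HEADER_NAMES.get(r["nxt"], "other(%d)" % r["nxt"])] += 1
    return conversations, endpoints, next_headers


if __name__ == "__main__":
    conv, ends, nxt = summarize(load_rows(SAMPLE_CSV))
    print("Conversations:")
    for (a, b), n in conv.most_common():
        print("  %s <-> %s: %d packets" % (a, b, n))
    print("Endpoints:", dict(ends.most_common()))
    print("Next headers:", dict(nxt.most_common()))
```

To run it against the real export, replace SAMPLE_CSV with the contents of /home/labex/project/ipv6_analysis.csv.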

Creating a Custom IPv6 Profile

For frequent IPv6 analysis, it's helpful to create a custom profile:

  1. Click on the "Edit" menu
  2. Select "Configuration Profiles"
  3. Click the "+" button to add a new profile
  4. Name it "IPv6 Analysis"
  5. Click "OK"

Now you can customize this profile with your preferred IPv6 filters, column layouts, and colors. Whenever you need to analyze IPv6 traffic, you can switch to this profile.

To add a useful column for IPv6 analysis:

  1. Right-click on any column header
  2. Select "Column Preferences"
  3. Click "+" to add a new column
  4. For "Title", enter "Next Header"
  5. For "Type", select "Custom"
  6. For "Fields", enter "ipv6.nxt"
  7. Click "OK"

This adds a column showing the IPv6 Next Header value, making it easier to identify the protocol encapsulated in each IPv6 packet.

With these advanced analysis techniques, you now have a comprehensive toolkit for investigating IPv6 traffic patterns, identifying potential issues, and gaining deeper insights into IPv6 network behavior.

Summary

In this lab, you have learned how to effectively capture, filter, and analyze IPv6 traffic using Wireshark, a powerful network analysis tool.

You started by installing and configuring Wireshark on your Ubuntu system, then generated IPv6 traffic for analysis. You learned how to capture this traffic and save it for detailed examination.

Next, you mastered basic IPv6 filtering techniques, allowing you to focus on specific aspects of IPv6 communications. You also explored advanced analysis methods, including:

  • Analyzing ICMPv6 traffic for Neighbor Discovery Protocol
  • Examining IPv6 extension headers
  • Using Wireshark's statistical tools to gain insights into conversations and endpoints
  • Creating visual flow graphs to understand communication patterns
  • Exporting data for further analysis
  • Customizing Wireshark with profiles optimized for IPv6 analysis

These skills are essential for modern network security professionals as IPv6 adoption continues to grow. The ability to effectively monitor, analyze, and troubleshoot IPv6 traffic helps identify potential security threats, optimize network performance, and ensure proper network functionality.

By applying these techniques in your security practice, you can enhance your organization's network visibility and improve your ability to detect and respond to security incidents involving IPv6 traffic.