Analyze IPv6 Traffic in Tshark


Introduction

In this lab, you will learn to analyze IPv6 network traffic using Wireshark's command-line tool Tshark. You'll practice essential techniques such as capturing packets with IPv6 filters and examining specific packet details including hop limits and traffic classes.

Through practical exercises, you'll gain experience in capturing live IPv6 traffic and applying display filters to analyze saved captures. The lab covers fundamental commands through advanced analysis methods using Tshark's powerful features.


Skills Graph

Lab skills covered (Wireshark group): Packet Capture, Display Filters, Capture Filters, Packet Analysis.

Capture IPv6 with -f "ip6"

In this step, you will learn how to capture IPv6 network traffic using Wireshark's capture filter option -f "ip6". This filter ensures only IPv6 packets are captured during the network sniffing process. IPv6 is the latest version of the Internet Protocol, designed to replace IPv4 with its larger address space. When analyzing network traffic, it's often useful to focus on specific protocols like IPv6 to reduce noise in your capture.

  1. First, open a terminal in your LabEx VM by clicking on the terminal icon in the Xfce desktop or using the shortcut Ctrl+Alt+T. The terminal is where you'll execute all commands for this lab.

  2. Navigate to the default working directory where we'll store our capture files:

cd ~/project

  3. Start Wireshark with the IPv6 capture filter. This command tells Wireshark to only capture packets that use the IPv6 protocol:

sudo wireshark -k -f "ip6" -i any

Let's break down this command:

  • -k starts the capture immediately when Wireshark launches
  • -f "ip6" applies the IPv6 capture filter (only IPv6 packets will be captured)
  • -i any captures from all available network interfaces

  4. You should see Wireshark's GUI open with only IPv6 packets being captured. If no IPv6 traffic is present on your network (which is common in many environments), you can generate some test traffic by pinging an IPv6 address:

ping6 -c 4 ipv6.google.com

The ping6 command sends ICMPv6 echo request packets to test IPv6 connectivity. The -c 4 option sends exactly 4 packets before stopping.

  5. Observe the captured packets in Wireshark. All displayed packets should be IPv6 packets. The packet list will show basic information like:

    • Source IPv6 address (where the packet came from)
    • Destination IPv6 address (where the packet is going)
    • Protocol (what type of IPv6 traffic it is)
    • Packet length and other basic details

  6. To stop the capture when you're done analyzing, click the red square "Stop" button in Wireshark's toolbar. This will freeze the packet display so you can examine the captured traffic without new packets interfering with your analysis.

Filter IPv6 Packets with -Y "ipv6"

In this step, you will learn how to apply display filters to analyze captured IPv6 traffic using Wireshark's display filter option -Y "ipv6". This filter shows only IPv6 packets from an existing capture file, helping you focus on IPv6 traffic while ignoring other protocol packets. Note that the capture filter from the previous step uses BPF syntax (ip6), while display filters use Wireshark's own syntax (ipv6); the two keywords are not interchangeable between -f and -Y.

  1. First, ensure you have a capture file from the previous step. If not, we'll capture some IPv6 traffic first. The following command starts Wireshark capturing only IPv6 packets on all interfaces and writes them to a file:

cd ~/project
sudo wireshark -k -f "ip6" -i any -w ipv6_capture.pcapng

(Let it run for 10-15 seconds to capture enough packets, then stop the capture by clicking the stop button in Wireshark)

  2. Now we'll filter the captured IPv6 packets using Wireshark's display filter feature. The -Y option lets us specify what to show from the capture file:

sudo wireshark -r ipv6_capture.pcapng -Y "ipv6"

This command does two main things:

  • -r tells Wireshark to read from the specified capture file (ipv6_capture.pcapng)
  • -Y applies the display filter "ipv6" which shows only IPv6 packets

  3. When Wireshark opens, you'll see only IPv6 packets displayed in the interface. Notice the display filter bar at the top shows "ipv6" as the active filter. This means all non-IPv6 packets are temporarily hidden from view.

  4. Let's try some more specific IPv6 filters to understand how display filters work. These examples show how to narrow down the traffic:

# Filter only IPv6 ICMP packets (like ping6 traffic)
sudo wireshark -r ipv6_capture.pcapng -Y "icmpv6"

# Filter IPv6 traffic involving a specific address (here using localhost ::1 as example)
sudo wireshark -r ipv6_capture.pcapng -Y "ipv6.addr == ::1"

  5. As you try different filters, observe how the packet list updates immediately. This real-time filtering helps you quickly find specific traffic patterns in large capture files. The display filter syntax is powerful: you can combine conditions to create very specific filters.

Check Hop Limits with -z ipv6_hop,tree

In this step, you will learn how to analyze IPv6 Hop Limit values using Wireshark's statistics feature. The Hop Limit field in IPv6 is similar to the TTL (Time To Live) field in IPv4 - it specifies how many routers (hops) a packet can traverse before being discarded. This is a crucial mechanism to prevent packets from circulating indefinitely in the network.

  1. First, navigate to the project directory where we'll work with capture files. This ensures all our files stay organized in one place:

cd ~/project

  2. If you haven't created a capture file yet, we'll make one now that specifically captures IPv6 traffic. The -f "ip6" filter tells Wireshark to only capture IPv6 packets, while -i any means it will listen on all available interfaces:

sudo wireshark -k -f "ip6" -i any -w ipv6_hoplimit.pcapng

(Let the capture run for 10-15 seconds to collect enough packets, then stop it by clicking the stop button in Wireshark)

  3. Now we'll use Tshark (the command-line version of Wireshark) to analyze the Hop Limit values. The -z ipv6_hop,tree option generates a statistics tree showing the distribution of Hop Limit values in our captured packets:

sudo tshark -r ipv6_hoplimit.pcapng -z ipv6_hop,tree

  4. The output will display three important pieces of information about each Hop Limit value found in the packets:

  • The actual Hop Limit value. Common values are 64 (the Linux default), 128 (the Windows default) and 255, which Neighbor Discovery messages must carry; receivers discard Neighbor Discovery messages with any other Hop Limit, so they cannot have been forwarded from off-link.
  • How many packets had that specific Hop Limit
  • What percentage of total packets that value represents

  5. Here's what typical output looks like. Your actual numbers may vary depending on your network traffic:

===================================================================
IPv6 Hop Limit Tree
===================================================================
Hop Limit    Count     %
      64       12    60%
     128        6    30%
     255        2    10%
===================================================================

  6. By default tshark also prints a summary line for every packet before the statistics. The -q option suppresses that per-packet output so only the statistics are shown, and a second -z tree (ipv6_hosts) adds a breakdown by IPv6 address:

sudo tshark -r ipv6_hoplimit.pcapng -z ipv6_hop,tree -z ipv6_hosts,tree -q

Display Details with -V

In this step, we'll explore how to examine IPv6 packets in depth using Wireshark's verbose mode. The -V flag is particularly useful when you need to see all the technical details that make up a network packet, layer by layer. This helps in understanding how different protocols interact in IPv6 communication.

  1. First, let's position ourselves in the correct working directory. This ensures we can access our capture files easily:

cd ~/project

  2. If you don't already have a capture file, we'll create a new one specifically for IPv6 traffic. The following command starts a live capture:

sudo wireshark -k -f "ip6" -i any -w ipv6_verbose.pcapng

(Let the capture run for about 10-15 seconds to gather sufficient data, then stop it manually)

  3. Now we'll use tshark to examine the captured packets in detail. The verbose mode (-V) is what gives us the complete breakdown:

sudo tshark -r ipv6_verbose.pcapng -V -c 5

Breaking down this command:

  • -r specifies the input file to read
  • -V activates verbose output showing all protocol layers
  • -c 5 limits output to 5 packets for easier initial analysis

  4. The output will display several important sections:

  • Frame information (showing when and how the packet was captured)
  • Link layer (MAC addresses and link-layer details; because the capture was taken on the "any" pseudo-interface, Linux records a "Linux cooked capture" header here instead of a real Ethernet header)
  • IPv6 specifics (including version, traffic class, flow label, payload length, next header and hop limit)
  • Transport layer protocols (whether it's TCP, UDP or ICMPv6)
  • Actual payload data when available

  5. When working with specific protocols, we can combine filters with verbose output. This example focuses only on ICMPv6 packets:

sudo tshark -r ipv6_verbose.pcapng -Y "icmpv6" -V -c 3

  6. For documentation or later analysis, we can save the detailed output to a text file. This creates a permanent record of our examination:

sudo tshark -r ipv6_verbose.pcapng -V > ipv6_packet_details.txt
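As an added example that is not part of the lab, the Python below reimplements on raw bytes what the tshark commands in the last two steps report: parse_ipv6 returns the IPv6 fixed-header fields that -V lists, hop_limit_tree computes the per-value counts and percentages of -z ipv6_hop,tree, and match_addr mimics the ipv6.addr display filter from the earlier step. The packets are constructed, not captured, and the function names are the example's own.

```python
import ipaddress
import struct
from collections import Counter

# Fixed 40-byte IPv6 header: ver/tclass/flow (4), payload length (2),
# next header (1), hop limit (1), source (16), destination (16)
IPV6_HDR = struct.Struct("!IHBB16s16s")

def build_ipv6(src, dst, hlim, next_hdr=58, tclass=0, flow=0, payload=b""):
    """Build a constructed IPv6 packet (sample input only, not captured)."""
    first_word = (6 << 28) | (tclass << 20) | flow
    return IPV6_HDR.pack(first_word, len(payload), next_hdr, hlim,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed) + payload

def parse_ipv6(pkt):
    """Return the fixed-header fields that tshark -V lists for the IPv6 layer."""
    first_word, plen, nh, hlim, src, dst = IPV6_HDR.unpack_from(pkt)
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"version": 6, "traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF, "payload_length": plen,
            "next_header": nh, "hop_limit": hlim,
            "src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst))}

def hop_limit_tree(pkts):
    """Count and percentage per Hop Limit value, like -z ipv6_hop,tree."""
    counts = Counter(parse_ipv6(p)["hop_limit"] for p in pkts)
    total = sum(counts.values())
    return {h: (c, round(100.0 * c / total, 1)) for h, c in sorted(counts.items())}

def match_addr(pkts, addr):
    """Packets matching the display filter ipv6.addr == addr (src or dst)."""
    want = str(ipaddress.IPv6Address(addr))
    return [p for p in pkts if want in (parse_ipv6(p)["src"], parse_ipv6(p)["dst"])]

# Constructed sample capture: a loopback ICMPv6 echo request, a router
# advertisement style packet with the Hop Limit 255 that Neighbor Discovery
# requires, and two TCP packets from Linux (64) and Windows (128) style hosts.
SAMPLE = [
    build_ipv6("::1", "::1", 64, payload=b"\x80\x00" + b"\x00" * 6),
    build_ipv6("fe80::1", "ff02::1", 255),
    build_ipv6("2001:db8::10", "2001:db8::1", 64, next_hdr=6, tclass=0xB8),
    build_ipv6("2001:db8::1", "2001:db8::10", 128, next_hdr=6),
]
```

Run hop_limit_tree(SAMPLE) to get the same value/count/percentage triple the lab's statistics tree prints, and parse_ipv6(SAMPLE[2]) to see the traffic class (0xB8) that -V would show for that packet.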

Summary

In this lab, you have learned key techniques for analyzing IPv6 traffic using Tshark, Wireshark's command-line tool. You practiced capturing IPv6 packets with the -f "ip6" filter and monitoring interfaces using -i any, while verifying results with ping6 test traffic.

Additionally, you explored advanced IPv6 analysis by applying display filters like -Y "ipv6", examining hop limits with -z ipv6_hop,tree, and viewing detailed packet structures using the -V verbose option. These skills enable efficient IPv6 traffic inspection and troubleshooting in network environments.