This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dual Stack V4 and V6 interpretation

0

I'm doing a few packet captures for testing purposes with dual stack enabled (Both v4 and v6 addresses) but I'm unsure how to analyze the packets. Lets say I went to facebook (which has v6 enabled). Is there a way to use wireshark to determine what protocol (v4 or v6) that my browser ends up using for facebook. I see that it sends both A and AAAA queries and gets them back as well but I don't think it's possible for them to be using both. Does this relate to the response time? Thanks.

asked 27 Sep '12, 07:06

Sub's gravatar image

Sub
1111
accept rate: 0%


2 Answers:

2

Usually, clients prefer IPv6 connections if the DNS returns a AAAA answer AND the IPv6 stack has received a valid IPv6 prefix from it's default gateway router - meaning that there should be a valid route into the IPv6 internet.

If the application (webbrowser) is capable of supporting the "Happy Eyeballs" strategy it will open both IPv4 and Ipv6 connections at the same time and use the one with the faster response - so in that case the response time is a factor, because the slower connection will be torn down.

answered 27 Sep '12, 09:08

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

2

If teh DNS queries return both an AAAA record and an A record, then it is up to the application (browser) to decide to use IPv6 or IPv4. Most browsers will give preference to IPv6 over IPv4 by default. You can check by looking a bit further in the trace where there is a TCP SYN packet that connects to the IPvX address in the dns responses. You can then tell by the ethertype, the IP protocol being used or more easily by the IP addresses whether IPv6 or IPv4 was chosen by the application.

answered 27 Sep '12, 09:09

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks for all the help! Would it also be acceptable to filter for http traffic and look for the text/html response and see what IP protocol that comes from?

(28 Sep '12, 08:05) Sub

Yes indeed :-)

(28 Sep '12, 08:12) SYN-bit ♦♦