This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IPv6 Router Solicitation

0

Hello everyone,

Wireshark is a nice product for analyzing LAN traffic.

There seems to be a hole, though, in the ICMPv6 sniffing implementation: I cannot see anywhere the ability to filter IPv6 Router Solicitation messages.

asked 22 Mar '13, 08:08

actionmystique


3 Answers:

1

When analyzing IPv6 traffic in Wireshark, you can simply use the filter icmpv6.type==133 to show only "Router Solicitation" messages.

When capturing, things get a little complicated. The BPF language is not yet updated to look into icmp6 headers. You can simply filter for icmp6 messages with the capture filter icmp6, but looking for a specific type does not work:

$ tcpdump -i en0 -d icmp6[1]=133
tcpdump: IPv6 upper-layer protocol is not supported by proto[x]
$

As long as there are no extension headers in the IPv6 header, you can use the filter ip6[40]=133 to capture only "Router Solicitation" messages.

To add this functionality, it is better to report this at http://www.tcpdump.org/, as the BPF filter engine is implemented in libpcap/WinPcap.

answered 22 Mar '13, 08:29

SYN-bit ♦♦

edited 22 Mar '13, 08:55
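An added example, not part of the original answer: it contrasts the fixed-offset test behind ip6[40]=133 with a walk of the IPv6 next-header chain, showing that the fixed offset misses a Router Solicitation behind an extension header and also matches unrelated traffic whose byte 40 happens to be 133. All function names and the sample packets are constructed for this illustration.

```python
import struct

ICMPV6 = 58
ROUTER_SOLICITATION = 133
# Headers laid out as: next header, length in 8-octet units beyond the first 8
VARIABLE_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options
FRAGMENT = 44                # fixed 8-byte header


def fixed_offset_match(pkt: bytes) -> bool:
    """What the capture filter ip6[40]=133 tests: one byte, no protocol check."""
    return len(pkt) > 40 and pkt[40] == ROUTER_SOLICITATION


def is_router_solicitation(pkt: bytes) -> bool:
    """Walk the next-header chain, then test the ICMPv6 type byte."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False
    nxt, off = pkt[6], 40
    while nxt in VARIABLE_EXT or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            return False
        if nxt == FRAGMENT:
            # Only the first fragment (offset 0) holds the upper-layer header.
            if struct.unpack_from("!H", pkt, off + 2)[0] & 0xFFF8:
                return False
            step = 8
        else:
            step = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + step
    return nxt == ICMPV6 and off < len(pkt) and pkt[off] == ROUTER_SOLICITATION


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet fe80::1 -> ff02::2 (sample data only)."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

RS_BODY = bytes([133, 0, 0, 0]) + bytes(4)         # type, code, checksum (zeroed), reserved
HOP_BY_HOP = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # next=ICMPv6, len=0, PadN option
UDP = struct.pack("!HHHH", 0x8500, 53, 8, 0)       # source port 34048: first byte is 133

PLAIN_RS = ipv6(ICMPV6, RS_BODY)            # both checks match
EXT_RS = ipv6(0, HOP_BY_HOP + RS_BODY)      # fixed offset misses it
UDP_PKT = ipv6(17, UDP)                     # fixed offset matches it wrongly
```

The UDP case is why the byte test is normally combined with the icmp6 primitive mentioned in the answer, so that the next-header field is checked as well.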

Isn't the type for Router Solicitation 133? 135 is for Neighbor solicitation.

(22 Mar '13, 08:34) grahamb ♦

Thanks for your prompt answers.

The issue is that Router Solicitations don't even show up in the list of packets decoded by Wireshark.

I'm currently using Wireshark on a link between 2 routers in GNS3. One has an IPv6 statically configured address and is sending regular RA messages on the link. The other router has an interface configured with SLAAC, meaning it is waiting for an RA from the other router to auto-configure its IPv6 interface.

At bootup, I know the second router sends an RS to the first one since there's a 'debug ipv6 nd' on the latter. [I would like to upload a screenshot but apparently the permission is denied (errno 13)].

However no RS is shown in Wireshark, without any capture or display filter applied ...

(22 Mar '13, 08:44) actionmystique

Oops, my mistake. There was a display filter applied.

However, icmpv6.type == 135 is Neighbor Solicitation, not Router Solicitation

icmpv6.type == 133 is correct.

Sorry!

(22 Mar '13, 08:54) actionmystique

Thanks @Grahamb, I corrected it :-)

(22 Mar '13, 08:56) SYN-bit ♦♦

It seems that 133 and 135 are easily confused today.

(22 Mar '13, 09:11) grahamb ♦

0

I presume you mean a capture filter and that there is no icmpv6 equivalent of icmp[icmptype] == icmp-routersolicit. This appears to be true, but is more an issue for the pcap and WinPcap folks rather than Wireshark.

You can use a display filter though: icmpv6.type == 133

answered 22 Mar '13, 08:31

grahamb ♦

0

99 125.294551000 fe80::ffff:ffff:fffe ff02::2 ICMPv6 103 Router Solicitation

100 125.331293000 fe80::8000:f227:bec8:6189 fe80::ffff:ffff:fffe ICMPv6 151 Router Advertisement

answered 09 Jun '13, 18:22

Chris222444

I'm not sure what this is an "answer" to? Wireshark can dissect ICMPv6, the original query was about capture filters for ICMPv6.

(10 Jun '13, 03:10) grahamb ♦