This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark does not see Teredo and ISATAP Pseudo-Interfaces

0

Hello, I have installed on my PC several versions of Wireshark. All of them show in the "Capture Interfaces" window three interfaces: the wired LAN interface, the wireless LAN interface, and a logical wireless interface. The last two are shown as "Microsoft Interfaces".

Wireshark does not see the logical IPv6 interfaces (Teredo and ISATAP tunnels). The Teredo interface is working and it is correctly shown by Microsoft Network Monitor 3.4!

Is there any way to make Wireshark see the Teredo interface?

Thanks to all, giorgio

asked 25 Feb '11, 08:54

giorgio
1111
accept rate: 0%

edited 27 Feb '11, 23:26

Guy Harris ♦♦
17.4k335196

1

I don't know the answer to your question. It does bring up a question I have though. Is it necessary or beneficial to be able to see the logical Teredo and ISATAP interfaces? Since they aren't encrypted, I'd imagine the protocols stack properly. In that case, it might be possible to simply do a capture filter down to the protocol (for ISATAP) and for the port (Teredo).

(25 Feb '11, 16:22) Paul Stewart

If filtering on the Teredo port number (3544) we will be able to capture only packets during the initial packet exchange between the Teredo client and the Teredo Server. Once two Teredo clients have obtained their IPv6 addresses, they will use in the IPv4 packet exchange the UDP port numbers embedded in their IPv6 addresses. So we cannot filter on the Teredo port number. We can filter seeking for the Teredo prefix (2001:0000/32) inside the UDP packets. But in this way Wireshark will capture and show the packets, but will not decode them as IPv6 packets.

(26 Feb '11, 04:54) giorgio
1

In the last Teredo packet if you filter on "Teredo", you will expand and find "Destination Teredo Port". Then you need to decode everything to and from that port as Teredo. At that point, filtering on Teredo will show the maintenance communication and the transit communication. In the future maybe it will automagically do this like h323 and sip do.

(26 Feb '11, 09:44) Paul Stewart

Thanks Paul. I had never used the "decode" feature. It does work.

(27 Feb '11, 01:40) giorgio

I thought a lot about the original question. I personally think that Teredo and ISATAP tunnels should not show up as separate interfaces. However, it could make it much easier in certain instances. An example of this is that the Cisco VPN adapter shows up as a separate interface. I guess in the case of Teredo and ISATAP, I feel like it is less of an interface and more of a "shim" protocol. I guess I can see it either way (show up as an interface or not). It would be nice if it would automatically decode the subsequent packets based on the setup though.

(27 Feb '11, 07:04) Paul Stewart

I totally agree with your last statement: "It would be nice if it would automatically decode the subsequent packets based on the (interface) setup". Thanks

(28 Feb '11, 09:45) giorgio
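
The comments above note that Teredo peers use the UDP port numbers embedded in their IPv6 addresses rather than port 3544. As an added example (not part of the original thread), this sketch splits a Teredo address into its RFC 4380 fields and builds a capture filter from the recovered ports; the function names are hypothetical and the sample address is constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

TEREDO_PREFIX = ipaddress.ip_network("2001:0000::/32")
TEREDO_SERVER_PORT = 3544  # well-known port mentioned in the thread


class TeredoAddress(NamedTuple):
    server: ipaddress.IPv4Address   # Teredo server IPv4
    flags: int
    port: int                       # client's external (mapped) UDP port
    client: ipaddress.IPv4Address   # client's external (mapped) IPv4


def parse_teredo(text: str) -> Optional[TeredoAddress]:
    """Split a Teredo IPv6 address into its RFC 4380 fields, or None."""
    addr = ipaddress.IPv6Address(text)
    if addr not in TEREDO_PREFIX:
        return None
    raw = addr.packed                       # 16 bytes, network order
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    # Port and client address are stored with every bit inverted.
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return TeredoAddress(server, flags, port, client)


def capture_filter(addresses) -> str:
    """Build a libpcap filter covering port 3544 and each peer's mapped port."""
    ports = {TEREDO_SERVER_PORT}
    for text in addresses:
        parsed = parse_teredo(text)
        if parsed is not None:          # skip non-Teredo addresses
            ports.add(parsed.port)
    return " or ".join(f"udp port {p}" for p in sorted(ports))


if __name__ == "__main__":
    sample = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"  # constructed sample
    print(parse_teredo(sample))
    print(capture_filter([sample, "2001:db8::1"]))
```

The port stored in the address is the one seen outside the client's NAT, so the filter matches that peer's traffic as observed on the far side of its NAT.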

One Answer:

0

This is probably a result of the way WinPcap, which is what Wireshark uses to capture network traffic on Windows, works. I don't know whether the WinPcap developers follow this site, but, if not, try contacting the WinPcap developers.

answered 27 Feb '11, 23:22

Guy Harris ♦♦
17.4k335196
accept rate: 19%