This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

hoping to log teredo activity

0

Teredo has been loaded on my computer by someone in my house. It is not currently set to on, I don't think. But I wanted to know: is it possible to set up Wireshark to record traffic on Teredo if it is turned on at a later date, so I can catch what is going on? Obviously the other user wouldn't turn on Wireshark; can it be left to record while closed? Trying to understand and do this; any help would be hugely appreciated.

Thanks

asked 04 Jun '14, 14:56


crazygirl
accept rate: 0%

edited 04 Jun '14, 15:25


Jasper ♦♦


One Answer:

1

Teredo comes with Windows as an IPv6 network subsystem since Windows Vista, so I doubt someone loaded it onto your computer. You can verify its state by entering the following command at the command prompt:

netsh interface teredo show state

By default, it should show the type as "Client". For me, the command returns this:

Teredo Parameters

Type                    : disabled
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : none

It’s disabled for me since I turn it off on all my Windows PCs (together with ISATAP and 6to4, two other IPv6 transition techniques). You need to have an elevated (“run as administrator”) command line for this:

netsh interface teredo set state disabled

Teredo is already pretty much obsolete by now and rarely ever used to achieve IPv6 connectivity: Google IPv6 Adoption Graph

If you want to track whether you are sending Teredo packets, you can capture with Wireshark. Filter on "udp.port==3544" to see if there is traffic on that port containing "Teredo IPv6 over UDP tunneling" headers.

answered 04 Jun '14, 15:25


Jasper ♦♦
accept rate: 18%

When I run ipconfig at the command prompt I get my regular connection info as expected, but then I also get this:

Tunnel adapter isatap.Speed: dns suffix: speed local link ipv6 address: with numbers

Tunnel adapter Teredo Tunneling PSEUDO-interface IPV6 has numbers Link local IPV6 address : has letters and numbers

None of this was on until yesterday. So my question is: will Wireshark run when closed? Can I set it up while closed to capture and report to me what traffic is used on Teredo tunneling? How do I do that? I think my teenage son is looking at porn. Any help would be hugely appreciated; he is only 12.

(05 Jun '14, 07:49) crazygirl

When I check its status it shows Client Port as unspecified and its State as Dormant. How is it turned to active and sometimes dormant?

(05 Jun '14, 07:52) crazygirl

Sure, ISATAP and Teredo interfaces exist by default unless disabled. Wireshark doesn’t care about those interfaces because they are virtual interfaces that use your normal network card to communicate, so if you capture on your physical network card you can see what they are doing, too. That includes the tunneled traffic, yes.

Teredo becomes active automatically (unless completely disabled as I’ve shown in my answer above) when an IPv6 address is contacted and there is no IPv6 router available. So it is quite normal that in current networks it becomes active sometimes and “goes back to sleep” after a while.

Regarding the porn thing - there may be a browser history that you can check, which is less complicated than trying to understand network packets. That only works if he's not using incognito mode though.

(05 Jun '14, 07:59) Jasper ♦♦
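The answer says to filter on udp.port==3544 and look for "Teredo IPv6 over UDP tunneling" headers, and the last comment says the tunneled traffic is visible when capturing on the physical card. The following script is an added example (not from the original post or from the Wireshark project) showing what is actually inside such a UDP payload and inside the Teredo addresses that ipconfig lists: it strips the optional Teredo origin-indication and authentication headers (RFC 4380), reads the inner IPv6 header, and decodes a Teredo address into the server IPv4, cone flag, client port and client IPv4 it embeds. The sample packet, address and all IPv4/IPv6 values are constructed from documentation ranges, and the function names are my own.

```python
# Added example (not from the Wireshark Q&A post): decode the Teredo encapsulation that
# Wireshark labels "Teredo IPv6 over UDP tunneling" and the Teredo IPv6 addresses that
# show up in ipconfig. The sample packet below is constructed; IPs are documentation ranges.
import ipaddress
import struct

TEREDO_UDP_PORT = 3544                               # the port behind the udp.port==3544 filter
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # 2001:0000::/32 per RFC 4380
TAG_ORIGIN = 0x0000                                  # origin indication header tag
TAG_AUTH = 0x0001                                    # authentication header tag


def decode_teredo_address(addr):
    """Split a Teredo IPv6 address into server IPv4, cone flag, client port and client IPv4.

    RFC 4380 layout: 32-bit prefix | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF.
    Returns None for addresses outside the Teredo prefix.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    obf_client = struct.unpack("!I", raw[12:16])[0]
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone": bool(flags & 0x8000),
        "client_port": obf_port ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(obf_client ^ 0xFFFFFFFF)),
    }


def parse_teredo_payload(payload):
    """Walk the optional Teredo headers in a UDP payload and summarise the inner IPv6 packet.

    Returns a dict (origin if present, next_header, payload_len, src, dst, decoded src
    Teredo fields) or None when the payload does not carry an IPv6 packet.
    """
    pos = 0
    origin = None
    while pos + 2 <= len(payload):
        tag = struct.unpack("!H", payload[pos:pos + 2])[0]
        if tag == TAG_AUTH:
            # tag, id_len, au_len, client id, auth value, 8-byte nonce, 1-byte confirmation
            if pos + 4 > len(payload):
                return None
            id_len, au_len = payload[pos + 2], payload[pos + 3]
            pos += 4 + id_len + au_len + 8 + 1
        elif tag == TAG_ORIGIN:
            # tag, obfuscated origin port, obfuscated origin IPv4 (both XORed with all-ones)
            if pos + 8 > len(payload):
                return None
            obf_port, obf_ip = struct.unpack("!HI", payload[pos + 2:pos + 8])
            origin = (str(ipaddress.IPv4Address(obf_ip ^ 0xFFFFFFFF)), obf_port ^ 0xFFFF)
            pos += 8
        else:
            break
    # What remains must be an IPv6 packet: a full 40-byte header with version nibble 6.
    if pos + 40 > len(payload) or payload[pos] >> 4 != 6:
        return None
    hdr = payload[pos:pos + 40]
    payload_len, next_header = struct.unpack("!HB", hdr[4:7])
    src = str(ipaddress.IPv6Address(hdr[8:24]))
    dst = str(ipaddress.IPv6Address(hdr[24:40]))
    return {
        "origin": origin,
        "next_header": next_header,
        "payload_len": payload_len,
        "src": src,
        "dst": dst,
        "src_teredo": decode_teredo_address(src),
    }


def is_teredo(src_port, dst_port, payload):
    """Detection check: UDP on port 3544 whose payload parses as a Teredo packet."""
    return TEREDO_UDP_PORT in (src_port, dst_port) and parse_teredo_payload(payload) is not None


def build_teredo_address(server, client_port, client, cone=True):
    """Inverse of decode_teredo_address; used only to build the constructed sample below."""
    flags = 0x8000 if cone else 0x0000
    raw = (b"\x20\x01\x00\x00" + ipaddress.IPv4Address(server).packed
           + struct.pack("!HH", flags, client_port ^ 0xFFFF)
           + struct.pack("!I", int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(raw))


# Constructed sample: a Teredo "bubble" (IPv6 header, no payload) behind an origin indication.
SAMPLE_SRC = build_teredo_address("192.0.2.1", 40000, "198.51.100.7")
SAMPLE_PAYLOAD = (
    struct.pack("!HHI", TAG_ORIGIN, 40000 ^ 0xFFFF,
                int(ipaddress.IPv4Address("198.51.100.7")) ^ 0xFFFFFFFF)
    + struct.pack("!IHBB", 0x60000000, 0, 59, 64)   # IPv6: payload len 0, no next header, hop limit 64
    + ipaddress.IPv6Address(SAMPLE_SRC).packed
    + ipaddress.IPv6Address("2001:db8::1").packed
)

if __name__ == "__main__":
    print(parse_teredo_payload(SAMPLE_PAYLOAD))
```

The useful part for a parent or defender is decode_teredo_address: the IPv6 address a Teredo client shows in ipconfig is not opaque, it names the Teredo server it registered with and the public IPv4 and port the client appeared from, so a single address from a capture tells you which outside host the tunnel was set up through. Feeding real payloads in is left to whatever pcap reader you use; the script itself only needs the UDP payload bytes.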