I've configured a 6to4 tunnel in Ubuntu and it works like a charm. But when I look into a ping to ping6.google.com, I see all the packets twice; duplicated. I've left a CAPTURE IMAGE here.

Why does this happen?

asked 05 Dec '15, 07:27

ssoomm

Can you post a capture file?

(09 Dec '15, 08:34) cmaynard ♦♦

Check the protocol layers in the decode - my guess is that you see the IPv6 packet with and without the IPv4 tunneling layer. Wireshark decodes the top addresses for the packet list, so you always see the IPv6 addresses (twice, in this case).

answered 05 Dec '15, 08:33

Jasper ♦♦

To me @Jasper's explanation makes sense only if the gate to the tunnel is a virtual IPv6 interface, and the capture has been taken at both the physical ipv4 interface and the virtual ipv6 interface simultaneously. Is it the case?

(posting the capture instead of the screenshot would have removed all doubts)

(05 Dec '15, 08:51) sindy

@sindy I think this is not the case. The capture corresponds to the main IPv4 interface. By the way, is there any way to show the interface of the captured packet in Wireshark?

(05 Dec '15, 09:19) ssoomm

Weird, it goes against my understanding of principles of Wireshark that a single captured packet could be shown twice in the packet list.

is there any way to show the interface of the captured packet in Wireshark?

Yes, there is: the topmost line of the packet dissection pane (the one in the middle) reads "138 bytes captured on interface 0" for frame No. 1; for frame No. 2, I guess you should see "104 bytes captured on interface 1". If you unfold the "frame" line, you'll see a dissection of the frame label fields (which are not part of the captured frame but a collection of additional information added during capture); there, you should see a more detailed description of what interface 0 and interface 1 are.

(05 Dec '15, 09:35) sindy

6to4 probably tunnels it virtually on the same physical NIC, it's a translation technique. You get both IPv6 and IPv4 address on the same interface and see IPv6 packets twice. Native, and then tunneled.

(06 Dec '15, 06:21) Jasper ♦♦
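
The check Jasper suggests (is the same IPv6 packet present once behind an IPv4 header and once without it?) can be scripted. This is an added example, not part of the original thread: it assumes Ethernet frames exported from the capture, and the sample frames, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6, PROTO_IPV6_IN_IPV4 = 0x0800, 0x86DD, 41

def classify(frame: bytes):
    """Return (label, ipv6_packet) for one Ethernet frame."""
    if len(frame) < 14:
        return "other", None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_IPV6:
        return "native", payload
    if ethertype == ETH_IPV4 and len(payload) >= 20 and payload[9] == PROTO_IPV6_IN_IPV4:
        ihl = (payload[0] & 0x0F) * 4          # IPv4 header length in bytes
        return "6in4", payload[ihl:]
    return "other", None

def find_pairs(frames):
    """Frames carrying a byte-identical IPv6 packet under different encapsulations."""
    seen = {}
    for number, frame in enumerate(frames, 1):
        label, inner = classify(frame)
        if inner is not None:
            seen.setdefault(inner, []).append((number, label))
    return [hits for hits in seen.values() if len({lbl for _, lbl in hits}) > 1]

def ether(ethertype, payload):
    # Constructed, locally administered MAC addresses.
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    return macs + struct.pack("!H", ethertype) + payload

def sample_frames():
    """Constructed sample: one echo request seen tunneled and native, plus plain IPv4/UDP."""
    v6 = lambda a: ipaddress.IPv6Address(a).packed
    v4 = lambda a: ipaddress.IPv4Address(a).packed
    echo = struct.pack("!BBHHH", 128, 0, 0, 1, 1) + b"constructed"   # checksum left at 0
    ipv6 = (struct.pack("!IHBB", 0x60000000, len(echo), 58, 64)
            + v6("2002:c000:204::1") + v6("2001:db8::1") + echo)
    def ipv4(proto, body):                                            # checksum left at 0
        header = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0)
        return header + v4("192.0.2.4") + v4("198.51.100.1") + body
    return [ether(ETH_IPV4, ipv4(PROTO_IPV6_IN_IPV4, ipv6)),
            ether(ETH_IPV6, ipv6),
            ether(ETH_IPV4, ipv4(17, b"\x00" * 8))]

if __name__ == "__main__":
    for pair in find_pairs(sample_frames()):
        print(pair)
```

Each returned group lists the frame numbers that carry the same IPv6 packet and how each one was encapsulated.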