This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Duplicated packets in a 6to4 tunnel ping

0

I've configured a 6to4 tunnel in Ubuntu and it works like a charm. But when I look into a ping to ping6.google.com I see all the packets twice; duplicated. I've left a CAPTURE IMAGE here.

Why does this happen?

asked 05 Dec '15, 07:27

ssoomm

Can you post a capture file?

(09 Dec '15, 08:34) cmaynard ♦♦

One Answer:

1

Check the protocol layers in the decode - my guess is that you see the IPv6 packet with and without the IPv4 tunneling layer. Wireshark decodes the top addresses for the packet list, so you always see the IPv6 addresses (twice, in this case).

answered 05 Dec '15, 08:33

Jasper ♦♦

To me @Jasper's explanation makes sense only if the gate to the tunnel is a virtual IPv6 interface, and the capture has been taken at both the physical IPv4 interface and the virtual IPv6 interface simultaneously. Is that the case?

(posting the capture instead of the screenshot would have removed all doubts)

(05 Dec '15, 08:51) sindy

@sindy I think this is not the case. The capture corresponds to the main IPv4 interface. By the way, is there any way to show the interface of the captured packet in Wireshark?

(05 Dec '15, 09:19) ssoomm

Weird, it goes against my understanding of principles of Wireshark that a single captured packet could be shown twice in the packet list.

is there any way to show the interface of the captured packet in Wireshark?

Yes, there is: the topmost line of the packet dissection pane (the one in the middle) reads "138 bytes captured on interface 0" for frame No. 1; for frame No. 2, I guess you should see "104 bytes captured on interface 1". If you unfold the "frame" line, you'll see a dissection of the frame label fields (which are not part of the captured frame but a collection of additional information added during capture); there, you should see a more detailed description of what interface 0 and interface 1 are.

(05 Dec '15, 09:35) sindy

6to4 probably tunnels it virtually on the same physical NIC, it's a translation technique. You get both IPv6 and IPv4 addresses on the same interface and see IPv6 packets twice. Native, and then tunneled.

(06 Dec '15, 06:21) Jasper ♦♦
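
One way to test the explanation given in the answer on raw Ethernet frames exported from a capture, as an added example that is not part of the original thread: it strips the IPv4 protocol 41 header where present and pairs frames that carry the same IPv6 packet once tunneled and once native. The function names, the addresses and the sample frames are constructed for illustration, and ignoring the hop limit when comparing is an assumption.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_41 = 41  # IPv4 protocol number for encapsulated IPv6 (6to4, 6in4)

def ipv6_view(frame):
    """Return (tunneled, ipv6_packet) for an Ethernet frame, or None if no IPv6."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == ETH_IPV4 and len(l3) >= 20 and l3[9] == PROTO_41:
        tunneled, pkt = True, l3[(l3[0] & 0x0F) * 4:]    # skip IPv4 header (IHL words)
    elif ethertype == ETH_IPV6:
        tunneled, pkt = False, l3
    else:
        return None
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    plen = struct.unpack("!H", pkt[4:6])[0]
    return tunneled, pkt[:40 + plen]                     # drop any link-layer padding

def pair_views(frames):
    """Pair indexes of frames carrying the same IPv6 packet, tunneled and native."""
    pending, pairs = {}, []
    for idx, frame in enumerate(frames):
        view = ipv6_view(frame)
        if view is None:
            continue
        tunneled, pkt = view
        key = pkt[:7] + b"\x00" + pkt[8:]                # ignore hop limit (assumption)
        other = pending.get((not tunneled, key))
        if other:
            pairs.append((other.pop(0), idx))
        else:
            pending.setdefault((tunneled, key), []).append(idx)
    return pairs

def sample_frames():
    """Constructed frames: tunneled echo request, same request native, plain IPv4 ICMP."""
    src = ipaddress.IPv6Address("2002:c000:201::1").packed  # 6to4 address of 192.0.2.1
    dst = ipaddress.IPv6Address("2001:db8::1").packed       # documentation prefix
    icmp = bytes([128, 0, 0, 0]) + b"\x00\x01\x00\x01ping"  # checksum left as zero
    v6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 64) + src + dst + icmp
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, PROTO_41, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 88, 99, 1]))
    mac = b"\x02" * 12
    return [mac + struct.pack("!H", ETH_IPV4) + v4 + v6,
            mac + struct.pack("!H", ETH_IPV6) + v6,
            mac + struct.pack("!H", ETH_IPV4) + v4[:9] + b"\x01" + v4[10:] + b"x" * 8]
```

In the constructed sample the tunneled frame is exactly 20 bytes longer than its native twin, the size of an IPv4 header without options.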