• 08/06/2014
    8:06 AM

Understanding IPv6: A Sniffer Full Of 3s

Denise Fishburne explores Wireshark sniffer traces in order to understand the difference between IPv4 and IPv6 addressing.

"What the heck?" Yup, that pretty much summed up my confusion the first time I saw it. A sniffer trace full of threes.

The first thing it reminded me of was my days with Token Ring and locally administered addresses (LAAs). This was for two reasons:

  1. I could only see these MAC addresses being used as destination MACs, not as source MACs. This matched my experience with LAAs in Token Ring.
  2. The MAC addresses seemed so pretty and clean, like the Token Ring LAA typically used for a 3745 IBM front-end processor -- 4000.3745.0001. Just look at them. Four threes, followed by a bunch of zeros, and then just one little number.

Help from Wireshark

I hope you are familiar with Wireshark; I use it all the time. It shows "reality" on the wire, which is crucial if you are a network detective trying to solve a whodunit.

If you are familiar with Wireshark, then you might know that I can configure how the MAC addresses are displayed in the columns via the Wireshark preferences. As you can see below, I have set the preferences not to resolve the MAC addresses for me, but to leave them unresolved.

The above Wireshark preference settings result in the below display, where all the MAC addresses are left unresolved.

Before we move on, let me ask you a question. Do you notice any pattern where the 33:33 destination MAC addresses are used? Look closely.

What's with that FF02:: stuff?

RFC 4291 section 2.4 lists the various IPv6 address types. As we noticed in one of my previous blogs, FF00::/8 is of type multicast. In fact, FF02::5 and FF02::6 are OSPF, if you recall.

Getting some ideas now about what those 33:33 are?

Let's get Wireshark to help us here. We will modify the preferences to request that Wireshark actually resolves the MAC addresses when it displays its results.

And here are the new results:

Okay, now what do you see? Here's what I see:

  • Wireshark changed the "33:33" to "IPv6mcast"
  • "IPv6mcast" only shows up in the destination MAC if the destination IPv6 address is a multicast address (ff02)
  • Destination IPv6 address FF02::5 became IPv6mcast_00:00:00:00:05
  • Destination IPv6 address FF02::6 became IPv6mcast_00:00:00:00:06
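
The pattern observed above can be checked mechanically. The following is an added example, not code from the original article: it assumes the mapping rule of RFC 2464 section 7 (33:33 followed by the low-order 32 bits of the IPv6 multicast destination), which this page does not state, and runs over constructed (destination MAC, destination IPv6) pairs of the kind you would export from a capture. The function names are hypothetical.

```python
import ipaddress

def ipv6_multicast_mac(addr: str) -> str:
    """Ethernet destination MAC for an IPv6 multicast address (RFC 2464, section 7)."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:  # multicast means ff00::/8
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    # 33:33 followed by the last four octets of the 16-octet IPv6 address
    return "33:33:" + ":".join(f"{b:02x}" for b in ip.packed[-4:])

def check_frame(dst_mac: str, dst_ip: str) -> str:
    """Classify one (destination MAC, destination IPv6) pair from a capture."""
    mac = dst_mac.lower().replace("-", ":")
    ip = ipaddress.IPv6Address(dst_ip)
    if ip.is_multicast:
        # Layer 2 and layer 3 destinations should agree on the low 32 bits
        return "consistent" if mac == ipv6_multicast_mac(dst_ip) else "inconsistent"
    # A 33:33 destination MAC carrying a unicast IPv6 destination does not fit the pattern
    return "inconsistent" if mac.startswith("33:33:") else "unicast"

# Constructed sample rows (not taken from the article's trace)
SAMPLE = [
    ("33:33:00:00:00:05", "ff02::5"),                   # OSPF, as in the article
    ("33:33:00:00:00:06", "ff02::6"),                   # OSPF, as in the article
    ("33:33:ff:12:34:56", "ff02::1:ff12:3456"),         # solicited-node multicast
    ("00:1b:54:aa:bb:cc", "fe80::21b:54ff:feaa:bbcc"),  # ordinary unicast
    ("33:33:00:00:00:05", "ff02::6"),                   # MAC and IPv6 disagree
]

def classify_all(rows):
    """Return one classification per row, in order."""
    return [check_frame(mac, ip) for mac, ip in rows]

if __name__ == "__main__":
    for (mac, ip), verdict in zip(SAMPLE, classify_all(SAMPLE)):
        print(f"{mac}  {ip:28}  {verdict}")
```
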



Wireshark and Tshoot

Hello Denise,

Thanks for your IPv6, I've read all three posts, very educative.

I often use Wireshark to learn more about proto, analyse frames and packets ...

Could you tell me in which real-world cases you used Wireshark for Tshoot? (Some examples if possible.)





Re: Wireshark and Tshoot

Love love love Wireshark. Regardless of what "show" commands give you... regardless of what the end users are saying... regardless of what theories people come up with for what is going on -- a sniffer trace just shows the facts... the truth.

For the past few years I've been working in a Customer Proof of Concept lab.  So the experiences of troubleshooting in a true and complex production network have not been my experience in recent years as they once were in previous jobs.  

For me, for one work year, I probably use Wireshark an average of 4 times per week. The improvements over the past few years have just been phenomenal.


What I suggest - go for the Wireshark Certification. I did and I learned tons and tons. Realized, honestly, that how I have been using Wireshark for years is really just the tip of the iceberg to what it does.

Throughout the book (Laura's 900 page book) it will also go through a great deal of real world scenarios. And no... I have no connection to Wireshark or Riverbed. I just honestly believe very very strongly in Wireshark. It is "reality" on the wire. Which is essential when troubleshooting.

Re: Wireshark and Tshoot

I suspect that most of us use Wireshark in a very primitive fashion. Many years back, thanks to my wife (an SE for Network Associates) I discovered the incredible range of functions that Sniffer Pro offered beyond the most obvious packet capture and display, and my productivity with the tool increased tenfold. I'm sure that the same is true of Wireshark, with so many plugins, so certification does sound like a smart idea.