How to Capture and Analyze IPv6 Packets in Wireshark

Wireshark is the industry-standard network protocol analyzer that provides deep insight into IPv6 network traffic. This comprehensive guide covers everything from starting your first IPv6 packet capture to advanced analysis techniques for troubleshooting complex network issues.

Starting IPv6 Packet Capture

Setting Up Your Capture

1. Launch Wireshark with appropriate permissions (administrator/root access required for live capture)

2. Select your network interface from the interface list. Look for the interface with active IPv6 traffic, typically indicated by traffic graphs in the interface selector.

3. Start capturing by double-clicking the interface or clicking the shark fin icon in the toolbar.

4. Capture both IPv4 and IPv6 simultaneously - Wireshark captures all traffic by default, so no special configuration is needed to capture both protocol versions together.

Capture Filter vs Display Filter

Wireshark uses two types of filters with different purposes:

Capture Filters (applied before capture starts):

• Use Berkeley Packet Filter (BPF) syntax
• Filter: ip6 to capture only IPv6 traffic
• More efficient but cannot be changed during capture

Display Filters (applied after capture):

• Use Wireshark's own syntax
• Filter: ipv6 to display only IPv6 traffic
• Can be changed anytime during or after capture
• More flexible and powerful

For most IPv6 analysis tasks, it's recommended to capture all traffic and use display filters to focus on specific protocols.

Essential IPv6 Display Filters

Basic IPv6 Filtering

View all IPv6 traffic:

ipv6

View all ICMPv6 traffic:

icmpv6

View IPv6 TCP traffic:

ipv6 and tcp

View IPv6 UDP traffic:

ipv6 and udp

Exclude IPv6 from view (show only IPv4):

!ipv6

Advanced IPv6 Filtering

Filter by IPv6 address:

ipv6.addr == 2001:db8::1

Filter by source or destination:

ipv6.src == 2001:db8::1
ipv6.dst == 2001:db8::2

Filter by IPv6 address range:

ipv6.addr == 2001:db8::/32

Filter for packets with extension headers:

ipv6.nxt != 6 and ipv6.nxt != 17 and ipv6.nxt != 58

This filters for packets where the "Next Header" field doesn't indicate TCP (6), UDP (17), or ICMPv6 (58), suggesting extension headers are present.

Analyzing IPv6 Headers

Basic IPv6 Header Structure

When you expand the "Internet Protocol Version 6" section in Wireshark's packet details pane, you'll see:

1. Version: Always 6 for IPv6
2. Traffic Class: Similar to IPv4 ToS/DSCP for QoS
3. Flow Label: Used for flow identification and QoS
4. Payload Length: Length of the payload (not including the header itself)
5. Next Header: Indicates what follows the IPv6 header (protocol or extension header)
6. Hop Limit: Similar to IPv4 TTL
7. Source Address: 128-bit source IPv6 address
8. Destination Address: 128-bit destination IPv6 address

Key Analysis Points

Next Header Field: This field is critical for understanding packet structure. Common values include:

• 6 = TCP
• 17 = UDP
• 58 = ICMPv6
• 0 = Hop-by-Hop Options
• 43 = Routing Header
• 44 = Fragment Header
• 60 = Destination Options

Hop Limit Analysis: Track packet paths by observing hop limit decrements. A hop limit of 1 indicates the packet can traverse only one more router before being dropped.

Neighbor Discovery Protocol (NDP) Analysis

NDP is fundamental to IPv6 operation, replacing ARP and providing additional functionality. Understanding NDP in Wireshark is essential for IPv6 troubleshooting.

NDP Message Types

Router Solicitation (Type 133):

icmpv6.type == 133

Sent by hosts to discover routers on the local link. Look for these when a host first connects to the network.

Router Advertisement (Type 134):

icmpv6.type == 134

Sent by routers to advertise their presence, prefixes, and network configuration. Contains crucial information like prefix length, default gateway, and RDNSS (DNS) options.

Neighbor Solicitation (Type 135):

icmpv6.type == 135

Similar to ARP requests in IPv4. Used for address resolution and duplicate address detection (DAD).

Neighbor Advertisement (Type 136):

icmpv6.type == 136

Response to Neighbor Solicitation messages, providing link-layer addresses.

Redirect (Type 137):

icmpv6.type == 137

Sent by routers to inform hosts of better first-hop routers for specific destinations.

Analyzing NDP Traffic

Key observations when analyzing NDP:

1. Multicast Addresses: NDP uses specific multicast addresses. Neighbor Solicitations typically use solicited-node multicast addresses (ff02::1:ff00:0/104) as destinations. In Wireshark, you'll see Ethernet destination addresses starting with 33:33 (IPv6 multicast MAC prefix).

2. DAD Process: When a host configures an IPv6 address, it sends a Neighbor Solicitation with source address :: (all zeros) to check if the address is already in use. If no Neighbor Advertisement returns, the address is considered unique.

3. Router Discovery: Hosts send Router Solicitations to ff02::2 (all-routers multicast) on startup. Routers respond with Router Advertisements to ff02::1 (all-nodes multicast) containing network configuration.

4. RDNSS Options: Modern IPv6 networks include Recursive DNS Server (RDNSS) information in Router Advertisements. Filter with:

icmpv6.opt.rdnss

Common NDP Issues to Identify

• Missing Router Advertisements: If hosts can't get IPv6 addresses, check if Router Advertisements are being received
• DAD Failures: Multiple devices claiming the same IPv6 address will show duplicate Neighbor Advertisements
• Unreachable Neighbors: Repeated Neighbor Solicitations without corresponding advertisements indicate connectivity problems

IPv6 Extension Headers

Extension headers provide IPv6's extensibility and handle optional processing. Most typical IPv6 packets don't include extension headers, but understanding them is crucial for security analysis and advanced troubleshooting.

Common Extension Headers

1. Hop-by-Hop Options (0): Must be examined by every node along the path
2. Routing Header (43): Specifies intermediate nodes to visit
3. Fragment Header (44): Handles packet fragmentation
4. Destination Options (60): Options processed only by the destination
5. Authentication Header (51): IPsec authentication
6. Encapsulating Security Payload (50): IPsec encryption

Analyzing Extension Headers in Wireshark

When an extension header is present, it appears as an expandable section below the IPv6 header in the packet details pane. To analyze:

1. Expand the IPv6 header section to view the "Next Header" field value
2. Expand the extension header section that appears below to view its contents
3. Follow the chain: Extension headers can be chained; each has its own "Next Header" field pointing to what follows

Display Filter for Routing Headers:

ipv6.routing

Display Filter for Fragment Headers:

ipv6.fragment

Security Considerations

Be aware that some systems drop IPv6 packets with excessive extension headers (typically more than 15 of any type). Unusual extension header usage may indicate:

• Security testing or attacks
• Misconfigured network equipment
• Legitimate but rare IPv6 features in use

Common IPv6 Traffic Patterns

Understanding Normal IPv6 Traffic

Link-Local Communication:

ipv6.addr == fe80::/10

Link-local addresses (fe80::/10) are used for local network communication, especially NDP messages. Heavy link-local traffic is normal and indicates proper IPv6 operation.

Multicast Traffic:

ipv6.dst == ff00::/8

IPv6 relies heavily on multicast instead of broadcast. Common multicast addresses:

• ff02::1 - All nodes on link
• ff02::2 - All routers on link
• ff02::1:ffxx:xxxx - Solicited-node multicast

ICMPv6 Echo (Ping):

icmpv6.type == 128 or icmpv6.type == 129

Type 128 = Echo Request, Type 129 = Echo Reply. Useful for basic connectivity testing.

DHCPv6 Traffic

Filter for DHCPv6:

dhcpv6

DHCPv6 uses UDP ports 546 (client) and 547 (server). Watch for:

• Solicit messages (clients requesting configuration)
• Advertise messages (servers offering configuration)
• Request messages (clients accepting configuration)
• Reply messages (servers confirming configuration)

Troubleshooting with Wireshark

Systematic IPv6 Troubleshooting Approach

1. Verify Basic Connectivity:

   • Check for Router Advertisements: icmpv6.type == 134
   • Verify address configuration: Look for successful DAD (Neighbor Solicitations with :: source)
   • Test ICMP echo: icmpv6.type == 128 or icmpv6.type == 129

2. Analyze Routing Issues:

   • Check ICMPv6 error messages: icmpv6.type < 128
   • Look for Destination Unreachable (Type 1)
   • Check Hop Limit decrements to identify routing loops

3. Investigate Performance Problems:

   • Use Wireshark's Statistics > IPv6 Statistics to get traffic overview
   • Analyze latency patterns in TCP streams
   • Look for fragmentation issues: ipv6.fragment

4. DNS Resolution Checking:

   dns and ipv6
   

   Verify DNS queries use IPv6 transport and return AAAA records for IPv6-enabled services.

Using Statistics and Tools

IPv6 Statistics Menu:

• Navigate to Statistics > IPv6 Statistics in Wireshark
• View packet counts, destination addresses, and traffic patterns
• Useful for identifying the most active IPv6 hosts

Expert Info:

• View > Expert Information shows warnings and errors
• Helps identify malformed packets, retransmissions, and other issues

Flow Graphs:

• Statistics > Flow Graph visualizes packet sequences
• Excellent for understanding ICMPv6 exchanges and TCP handshakes

Best Practices for IPv6 Packet Captures

Capture Strategy

1. Capture at the right location: Place your capture as close as possible to where the problem occurs - on the client, server, or router interface.

2. Limit capture duration: IPv6 traffic can be verbose due to NDP and multicast. Capture for specific time windows when problems occur.

3. Use appropriate filters: If investigating a specific issue, use capture filters to reduce file size:

   ip6 and host 2001:db8::1
   

4. Include link-local traffic: Don't filter out fe80::/10 addresses, as they're essential for NDP analysis.

Analysis Best Practices

1. Start broad, narrow down: Begin with general filters like ipv6, then add specific criteria as you identify issues.

2. Check both directions: Use "Follow > TCP Stream" or "Follow > UDP Stream" to see both directions of communication.

3. Compare with working scenarios: Capture traffic from both working and non-working hosts to identify differences.

4. Document your findings: Use Wireshark's packet commenting feature (right-click > Packet Comment) to annotate interesting packets.

5. Export specific packets: Use File > Export Specified Packets to share relevant captures without exposing entire network traces.

Generating Test Traffic

To practice IPv6 analysis or generate test traffic for troubleshooting, visit test-ipv6.run in your browser. This website performs comprehensive IPv6 connectivity tests and generates various types of IPv6 traffic patterns:

• IPv6-only connections to AAAA-record endpoints
• Dual-stack connections testing protocol preference
• ICMPv6 and TCP connection attempts
• Latency measurements generating consistent traffic patterns

Capture traffic while running test-ipv6.run to see real-world examples of:

• DNS queries for AAAA records
• TCP connection establishment over IPv6
• HTTP/HTTPS traffic over IPv6
• Browser IPv6 stack behavior

Conclusion

Mastering Wireshark for IPv6 analysis requires understanding both the protocol fundamentals and the tool's powerful filtering and analysis capabilities. Start with basic packet captures and simple filters, then gradually explore more advanced features like extension header analysis and NDP troubleshooting.

Remember that IPv6 traffic patterns differ significantly from IPv4 - multicast replaces broadcast, NDP replaces ARP, and extension headers provide new functionality. Regular practice with real-world captures is the best way to develop proficiency.

Keep Wireshark updated to ensure the latest IPv6 protocol dissectors are available, and leverage the extensive Wireshark documentation and community resources when encountering unusual packet structures or behaviors.

With these skills, you'll be well-equipped to diagnose IPv6 connectivity issues, analyze network performance, and ensure your IPv6 deployment operates smoothly and securely.