Theodore Baschak

BOFH. Open Source Guru. Founder/Operator of Hextet Systems, AS395089 and Network Architect for Daemon Defense Systems, AS55101.

Troubleshooting ICMPv6 with Tcpdump

Thu, 23 Oct 2014 20:39:51 -0500 » Security, IPv6, CLI, Networking, Network Monitoring, System Administration, Troubleshooting

I’ve previously written about my OpenBSD PF firewall in front of my VM server at my colo. I had a firewall rule which used the following variable: icmp6_types="{ 2, 128 }" (ICMPv6 type 2 is Packet Too Big, type 128 is Echo Request). This wasn’t working properly on the LAN side, and I had to disable the ICMPv6 restrictions to get things back to working. I wanted to fix this permanently, the right way, by determining what needed to be allowed and what could be denied without breaking things.

Tcpdump To The Rescue

I started running tcpdump on the internal interface to establish exactly which ICMPv6 types were needed for regular operation. I was using tcpdump -i vlanXX ip6, which was WAY too verbose. I eventually found a really helpful blog post (now dead, but archived on web.archive.org) which suggested using the following filter to troubleshoot NDP issues:

tcpdump -i eth0 'ip6 && icmp6 && (ip6[40] == 133 || ip6[40] == 134 || ip6[40] == 135 || ip6[40] == 136)'

ip6[40] is the byte immediately after the 40-byte fixed IPv6 header, which is the ICMPv6 Type field as long as no extension header sits between the two (NDP messages carry none, so this is fine for the purpose here; MLD messages do carry a Hop-by-Hop header, and this filter would miss them). The filter indexes into ip6 rather than icmp6 because many libpcap versions do not support icmp6[0]-style offsets into the ICMPv6 header.

Looking at the table of ICMPv6 message types on Wikipedia, these numbers correspond to the following messages (137, Redirect, is the fifth NDP type and was not in the filter above):

Type   Meaning
133    Router Solicitation (NDP)
134    Router Advertisement (NDP)
135    Neighbour Solicitation (NDP)
136    Neighbour Advertisement (NDP)
137    Redirect Message (NDP)
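The following is an added example, not code from the original post. It models in Python what the tcpdump filter above does: builds the same kind of expression for any set of ICMPv6 types, and parses constructed IPv6 packets two ways, the naive ip6[40] view and a parser that first walks any extension headers. The sample packets (a Neighbour Solicitation, an MLDv2 Report with its mandatory Hop-by-Hop Router Alert header, and a UDP packet) are constructed here rather than captured, and their ICMPv6 checksums are left at zero; all function and constant names are the example's own.

```python
"""Added example (not from the original post): a model of the ip6[40] tcpdump
filter.  ip6[40] is the byte right after the fixed 40-byte IPv6 header, which
is the ICMPv6 Type field only when no extension header sits in between; the
parser below walks extension headers so the two views can be compared.
Sample packets are constructed, not captured; ICMPv6 checksums are zero."""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
IPPROTO_FRAGMENT = 44
# Extension headers with the generic Next Header / Hdr Ext Len layout:
# Hop-by-Hop Options, Routing, Destination Options.
GENERIC_EXT_HEADERS = {0, 43, 60}

# NDP rows of the ICMPv6 type table above (RFC 4861).
NDP_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbour Solicitation",
    136: "Neighbour Advertisement",
    137: "Redirect Message",
}


def tcpdump_filter(types):
    """Build the kind of expression the post quotes, for any set of types."""
    clauses = " || ".join(f"ip6[40] == {t}" for t in sorted(types))
    return f"ip6 && icmp6 && ({clauses})"


def icmp6_type_naive(pkt):
    """What the ip6[40] filter sees: the first byte after the fixed header."""
    return pkt[40]


def icmp6_type(pkt):
    """Return the ICMPv6 Type of an IPv6 packet, walking any extension
    headers first; None if the packet is not ICMPv6, is truncated, or is a
    non-first fragment (which carries no ICMPv6 header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while off + 8 <= len(pkt):
        if nxt == IPPROTO_ICMPV6:
            return pkt[off]
        if nxt in GENERIC_EXT_HEADERS:
            # Hdr Ext Len counts 8-octet units, not including the first 8.
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == IPPROTO_FRAGMENT:
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if frag_off != 0:
                return None
            nxt, off = pkt[off], off + 8
        else:
            return None  # TCP, UDP, or something not modelled here
    return None


def _ip(addr):
    return ipaddress.IPv6Address(addr).packed


def build_ipv6(payload, next_header, src, dst, hop_limit=255):
    """Fixed IPv6 header (RFC 8200) in front of an already-built payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header,
                      hop_limit, _ip(src), _ip(dst))
    return hdr + payload


def _icmp6(type_, body):
    return struct.pack("!BBH", type_, 0, 0) + body  # type, code, checksum=0


# Neighbour Solicitation for fe80::2: no extension headers, so ip6[40] works.
NS_PACKET = build_ipv6(_icmp6(135, b"\x00" * 4 + _ip("fe80::2")),
                       IPPROTO_ICMPV6, "fe80::1", "ff02::1:ff00:2")

# MLDv2 Report: MLD always carries a Hop-by-Hop header with the Router Alert
# option, so ip6[40] is that header's Next Header field (58), not the type.
HBH_ROUTER_ALERT = bytes([IPPROTO_ICMPV6, 0,        # next header, len 0 (8 bytes)
                          0x05, 0x02, 0x00, 0x00,   # Router Alert option: MLD
                          0x01, 0x00])              # PadN to fill 8 bytes
MLD_RECORD = bytes([4, 0, 0, 0]) + _ip("ff02::1:ff00:2")  # CHANGE_TO_EXCLUDE
MLD_PACKET = build_ipv6(HBH_ROUTER_ALERT + _icmp6(143, b"\x00\x00\x00\x01" + MLD_RECORD),
                        0, "fe80::1", "ff02::16")

# A UDP packet, to show that non-ICMPv6 traffic yields None.
UDP_PACKET = build_ipv6(b"\x00" * 8, 17, "fe80::1", "fe80::2")


def compare(pkt):
    """Naive ip6[40] view beside the extension-header-aware view."""
    return {"ip6[40]": icmp6_type_naive(pkt), "icmp6_type": icmp6_type(pkt)}


if __name__ == "__main__":
    print(tcpdump_filter(NDP_TYPES))
    for name, pkt in [("NS", NS_PACKET), ("MLDv2 report", MLD_PACKET), ("UDP", UDP_PACKET)]:
        print(name, compare(pkt))
```

For the NDP traffic the post is chasing, both views agree, which is why the ip6[40] shortcut is good enough to find which types a PF rule must allow. The MLD packet is the case to remember: a filter written against ip6[40] will never match a type-143 report, so if the list of "needed" types is built from such a capture alone, multicast listener traffic will be missed.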
© Theodore Baschak - https://github.com/tbaschak - Powered by Jekyll.
CiscoDude.net is a personal website. Opinions expressed are not necessarily those of his employer.