
IPv6 PRG

This document provides a summary of IPv6 concepts and usage including:
- Avoid using "proto" as a filter in tcpdump and instead use "protochain", as proto will only check the IPv6 header field.
- When using tcpdump, use "ip6" instead of "ip" and "icmp6" instead of "icmp", as ip and icmp are for IPv4 only.
- Extension headers are used to include additional information in IPv6 packets and include types like hop-by-hop, routing, fragmentation, and encapsulating security payload headers.

Uploaded by

battery

IPv6 Pocket Guide
Version January 2019
POCKET REFERENCE GUIDE

Please submit comments and corrections to [email protected]
https://www.sans.org/security-resources/ipv6.pdf

Extension Headers

       0        1        2        3
  0    NH       Length   Options…
  1    Options

NH: Next Header following this Extension header.
Length: Length of this header in 8 byte units. 0 = 8 bytes
Options: depends on header type.

Extension Headers

  Dec.  Hex   Header
  0     0x00  Hop-By-Hop (HH)
  43    0x2b  Routing Header (RH)
  44    0x2c  Fragmentation Header (FH)
  50    0x32  Encap. Security Payload (ESP)
  51    0x33  Authentication Header (AH)
  58    0x3a  ICMPv6 (ICMP6)
  59    0x3b  No Next Header
  60    0x3c  Destination Options (DH)

Note: TCP (6), UDP (17, 0x11) and any other protocols may show up as LAST header only. Each extension header, but the destination header, may show up only once. The Hop-By-Hop header must be first. The order of the other headers is only recommended.

Options (HH, RH, DH)

  0       1
  Type    Length   Value…

Length in bytes without type/length bytes.
Padding may be needed to fill multiple of 8 bytes.
Type 0: Pad 1 (Pad 1 byte)
Type 1: Pad n (pad multiple bytes)

tcpdump usage

Avoid using “proto” as filter. “proto” will only check the IPv6 header’s “Next Header” field and the NH field of a fragment header. Use “protochain” instead.
Avoid the use of tcp[] / icmp6[] / udp[]
use ‘ip6’ instead of ‘ip’ and ‘icmp6’ instead of ‘icmp’ (ip and icmp are IPv4 only)
src/networks for IPv6 addresses.

Acronyms

  AH      Authentication Header (RFC 2402)
  ARP     Address Resolution Protocol (RFC 826)
  BGP     Border Gateway Protocol (RFC 1771)
  CWR     Congestion Window Reduced (RFC 2481)
  DF      Do not fragment flag (RFC 791)
  DHCP    Dynamic Host Configuration Protocol (RFC 2131)
  DNS     Domain Name System (RFC 1035)
  ECN     Explicit Congestion Notification (RFC 3168)
  ESP     Encapsulating Security Payload (RFC 2406)
  FTP     File Transfer Protocol (RFC 959)
  GRE     Generic Route Encapsulation (RFC 2784)
  HTTP    Hypertext Transfer Protocol (RFC 1945)
  ICMP    Internet Control Message Protocol (RFC 792)
  IGMP    Internet Group Management Protocol (RFC 2236)
  IMAP    Internet Message Access Protocol (RFC 2060)
  IP      Internet Protocol (RFC 791)
  ISAKMP  Internet Sec. Assoc. & Key Mgmt Proto. (RFC 7296)
  L2TP    Layer 2 Tunneling Protocol (RFC 2661)
  MLD     Multicast Listener Discovery
  NDP     Neighbor Discovery Protocol
  NH      Next Header
  OSPF    Open Shortest Path First (RFC 1583)
  POP3    Post Office Protocol v3 (RFC 1460)
  RFC     Request for Comments
  SMTP    Simple Mail Transfer Protocol (RFC 821)
  SSH     Secure Shell (RFC 4253)
  SSL     Secure Sockets Layer (RFC 6101)
  TCP     Transmission Control Protocol (RFC 793)
  TFTP    Trivial File Transfer Protocol (RFC 1350)
  TLS     Transport Layer Security (RFC 5246)
  TOS     Type of Service (RFC 2474)
  UDP     User Datagram Protocol (RFC 768)

COURSES & GIAC CERTIFICATIONS

  SEC503   Intrusion Detection In-Depth
  SEC 401  Security Essentials
  SEC 573  Automating with Python
  SEC 560  Network Penetration Testing
  SEC 546  IPv6 Security Essentials
  FOR 572  Network Forensics
  MGT512   Security Leadership Essentials

The SANS Technology Institute develops leaders to strengthen enterprise and global information security. STI educates managers and engineers in information security practices and techniques, attracts top scholar-practitioners as faculty, and engages both students and faculty in real-world applied research. Learn more at https://www.sans.edu

A collaborative network security community. Learn about current issues, correlate your logs with others, free API and other resources to enhance your understanding of current threats. https://isc.sans.edu

ICMPv6

       0        1        2        3
  0    Type     Code     Checksum
  4    Addtl. information depending on type/code

Type/Code: errors < 128; > 127 informational
Checksum: IPv6 pseudo header

  Type  Code  Name
  0           Reserved
  1     0     No route to destination
        1     Admin prohibited
        2     Beyond scope of source address
        3     Address unreachable
        4     Port unreachable
        5     Source address failed ingress/egress policy
        6     Reject route to destination
        7     Error in Source Routing Header
  2     0     Packet Too Big
  3     0     Hop limit exceeded in transit
        1     Fragment reassembly time exceeded
  4     0     Erroneous header field encountered
        1     Unrecognized next header type
        2     Unrecognized IPv6 Option Encountered
        3     1st Fragment has incomplete IPv6 hdr chain
  128   0     Echo Request
  129   0     Echo Reply
  130   0     Multicast Listener Query
  131   0     Multicast Listener Report
  132   0     Multicast Listener Done
  133   0     Router Solicitation
  134   0     Router Advertisement
  135   0     Neighbor Solicitation
  136   0     Neighbor Advertisement
  137   0     Redirect

ICMPv6 includes MLD Protocol (replaces IGMP) and NDP Protocol (replaces ARP)

Type <128: Errors. Must route
128, 129: Echo Request/Reply may route
Type>130: Must not route

IPv6 Header

Offset: Add column + row. e.g. Next Header=6
ip6[6] = “IPv6 header offset 6” or the next header field

       0         1             2          3
  0    Ver (6)   Traffic Cl.   Flow Label
  4    Payload Length          Next.Hdr   HopLimit
  8    Source IP Network Part 1st Half
  12   Source IP Network Part 2nd Half      /64
  16   Source IP Interface Part 1st Half
  20   Source IP Interface Part 2nd Half    /128
  24   Target IP Network Part 1st Half
  28   Target IP Network Part 2nd Half      /64
  32   Target IP Interface Part 1st Half
  36   Target IP Interface Part 2nd Half    /128

IPv6 Addresses

  2001  0db8  1234  5678  abcd  abcd  abcd  abcd
  /16   /32   /48   /64   /80   /96   /112  /128
  |------ Network ------|  |----- Interface -----|

2001:0db8:0000:1234:0000:0000:0000:0001
abbreviated: 2001:db8:0:1234::1

  ::1/128         loopback
  ::/128          unspecified
  ::ffff:0:0/96   IPv4-mapped
  fe80::/10       link-local unicast
  fc00::/7        unique-local unicast
  2001:db8::/32   documentation
  2002::/16       6to4
  2001::/32       Teredo
  ff00::/8        multicast
  2000::/3        global routable

Abbreviating Addresses

2001:0db8:0000:abcd:0000:0000:0000:0001
2001:db8:0:abcd:0:0:0:1
(remove leading 0’s, replace “0000” groups with :: once)

Special Multicast Addresses

  ff02::1     All Local Hosts
  ff02::2     All Routers
  ff02::16    MLDv2 capable Routers
  ff02::1:2   All DHCP Routers/Servers
  ff02::1:3   All LLMNR Hosts
  ff02::fb    Multicast DNS

Multicast Address Format:

  Byte 1   Byte 2          Byte 3-8
  FF       Flags  Scope    Group ID

Scopes:
  1 – Interface local
  2 – Link Local
  4 – Admin Local
  5 – Site Local
  8 – Organization Local
  E – Global

Solicited Multicast Address:
ff02:0:0:0:0:1:ffXX:XXXX. (XX:XXXX is last three bytes of IPv6 address)

Hop-by-Hop Header

Options:
  5 – Router Alerts
  1 – Multicast Listener Discovery
  2 – RSVP
  194 – Jumbogram (> 64kByte Payload)

Routing Header

  0        1        2        3
  NH       Length   Type     …data..

Routing Type 0: (source routing)

       0        1        2        3
  0    NH       Length   0        Seg. Left
  4    Reserved
  8    Address 1 (1st half)
  12   Address 1 (2nd half)
       additional addresses…

Fragment Header

       0        1          2        3
  0    NH       Reserved   Offset   Offset F
  4    Fragment ID

Just like in IPv4, 13 bits are used for the offset (and need to be multiplied by 8). Out of the three flag bits, only one is used (More Fragments)
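
Why the tcpdump note prefers “protochain” over “proto”, as an added Python example (not part of the SANS guide): a check of ip6[6] alone misses TCP that sits behind extension headers, while walking the Next Header chain with the guide's length rules finds it. The function names and sample packets are constructed for illustration; the AH length rule comes from RFC 4302, not from this page.

```python
import struct

# Extension header numbers from the guide's table. ESP (50) is left out:
# everything after it is encrypted, so the chain cannot be followed further.
EXT = {0: "HH", 43: "RH", 44: "FH", 51: "AH", 60: "DH"}

def naive_proto(pkt: bytes) -> int:
    """What a check of only the fixed header's Next Header field (ip6[6]) sees."""
    return pkt[6]

def walk_chain(pkt: bytes):
    """Follow the Next Header chain; return (headers seen, final protocol, payload offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, seen = pkt[6], 40, []
    while nh in EXT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        seen.append(EXT[nh])
        if nh == 44:                      # fragment header is always 8 bytes
            frag = struct.unpack_from("!H", pkt, off + 2)[0]
            if (frag >> 3) * 8:           # 13-bit offset, multiplied by 8
                return seen, None, off + 8   # later fragment: no upper-layer header
            hlen = 8
        elif nh == 51:                    # AH counts 4-byte units minus 2 (RFC 4302)
            hlen = (pkt[off + 1] + 2) * 4
        else:                             # HH/RH/DH: 8-byte units, 0 = 8 bytes
            hlen = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
    return seen, (None if nh == 59 else nh), off   # 59 = No Next Header

# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
def ipv6(nh: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + src + dst + payload

def ext(nh: int, total_len: int = 8) -> bytes:
    # NH, Length, then a single Pad n option (type 1) filling the header
    return bytes([nh, total_len // 8 - 1, 1, total_len - 4]) + bytes(total_len - 4)

TCP_STUB = struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
PLAIN = ipv6(6, TCP_STUB)
BEHIND_EXT = ipv6(0, ext(60) + ext(6, 16) + TCP_STUB)      # HH -> DH -> TCP
LATER_FRAG = ipv6(44, struct.pack("!BBHI", 6, 0, 185 << 3, 0x1234) + bytes(16))

if __name__ == "__main__":
    for name, p in [("plain", PLAIN), ("behind_ext", BEHIND_EXT), ("later_frag", LATER_FRAG)]:
        print(name, "ip6[6] =", naive_proto(p), "chain =", walk_chain(p))
```

For the later fragment the walker reports no upper-layer protocol at all, which is why a sensor has to reassemble fragments before it can judge what they carry.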
