Difference between revisions of "IPv6-ready test/debug program"

From OnnoWiki
Jump to navigation Jump to search
Line 14: Line 14:
  
 
  # ping6 -c 1 ::1  
 
  # ping6 -c 1 ::1  
  PING ::1(::1) from ::1 : 56 data bytes  
+
  PING ::1(::1) 56 data bytes
  64 bytes from ::1: icmp_seq=0 hops=64 time=292 usec
+
  64 bytes from ::1: icmp_seq=1 ttl=64 time=0.033 ms
 +
 +
--- ::1 ping statistics ---
 +
1 packets transmitted, 1 received, 0% packet loss, time 0ms
 +
rtt min/avg/max/mdev = 0.033/0.033/0.033/0.000 ms
  
--- ::1 ping statistics ---
 
1 packets transmitted, 1 packets received, 0% packet loss
 
round-trip min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
 
  
 
Hint: ping6 needs raw access to socket and therefore root permissions. So if non-root users cannot use ping6 then there are two possible problems:
 
Hint: ping6 needs raw access to socket and therefore root permissions. So if non-root users cannot use ping6 then there are two possible problems:
  
    ping6 is not in users path (probably, because ping6 is generally stored in /usr/sbin -> add path (not really recommended)
+
* ping6 is not in users path (probably, because ping6 is generally stored in /usr/sbin -> add path (not really recommended)
 
+
* ping6 doesn't execute properly, generally because of missing root permissions -> chmod u+s /usr/sbin/ping6
    ping6 doesn't execute properly, generally because of missing root permissions -> chmod u+s /usr/sbin/ping6
 
  
 
4.3.1.1. Specifying interface for IPv6 ping
 
4.3.1.1. Specifying interface for IPv6 ping
Line 31: Line 31:
 
Using link-local addresses for an IPv6 ping, the kernel does not know through which (physically or virtual) device it must send the packet - each device has a link-local address. A try will result in following error message:
 
Using link-local addresses for an IPv6 ping, the kernel does not know through which (physically or virtual) device it must send the packet - each device has a link-local address. A try will result in following error message:
  
  # ping6 fe80::212:34ff:fe12:3456
+
ifconfig eth0
 +
 
 +
eth0      Link encap:Ethernet  HWaddr 00:03:0d:e3:db:76 
 +
          inet6 addr: fe80::203:dff:fee3:db76/64 Scope:Link
 +
 
 +
coba lakukan
 +
 
 +
  # ping6 fe80::203:dff:fee3:db76
 +
 
 
  connect: Invalid argument
 
  connect: Invalid argument
  
In this case you have to specify the interface additionally like shown here:
+
Yang benar, kita harus memberitahukan interface yang digunakan seperti dibawah ini:
  
  # ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205
+
  # ping6 -I eth0 -c 1 fe80::203:dff:fee3:db76
  PING fe80::212:23ff:fe12:3456(fe80::212:23ff:fe12:3456) from
+
 
¬ fe80::212:34ff:fe12:3478 eth0: 56 data bytes  
+
  PING fe80::203:dff:fee3:db76(fe80::203:dff:fee3:db76) from fe80::203:dff:fee3:db76 eth0: 56 data bytes
  64 bytes from fe80::212:23ff:fe12:3456: icmp_seq=0 hops=64 time=445 usec
+
  64 bytes from fe80::203:dff:fee3:db76: icmp_seq=1 ttl=64 time=0.050 ms
 
   
 
   
  --- fe80::2e0:18ff:fe90:9205 ping statistics ---  
+
  --- fe80::203:dff:fee3:db76 ping statistics ---
  1 packets transmitted, 1 packets received, 0% packet loss round-trip
+
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  ¬ min/avg/max/mdev = 0.445/0.445/0.445/0.000 ms
+
  rtt min/avg/max/mdev = 0.050/0.050/0.050/0.000 ms
 +
 
 +
 
  
 
4.3.1.2. Ping6 to multicast addresses
 
4.3.1.2. Ping6 to multicast addresses
Line 50: Line 60:
  
 
  # ping6 -I eth0 ff02::1
 
  # ping6 -I eth0 ff02::1
  PING ff02::1(ff02::1) from fe80:::2ab:cdff:feef:0123 eth0: 56 data bytes
+
  PING ff02::1(ff02::1) from fe80::203:dff:fee3:db76 eth0: 56 data bytes
  64 bytes from ::1: icmp_seq=1 ttl=64 time=0.104 ms
+
  64 bytes from fe80::203:dff:fee3:db76: icmp_seq=1 ttl=64 time=0.075 ms
  64 bytes from fe80::212:34ff:fe12:3450: icmp_seq=1 ttl=64 time=0.549 ms (DUP!)  
+
64 bytes from fe80::62a4:4cff:fe75:a6a0: icmp_seq=1 ttl=64 time=0.368 ms (DUP!)
 +
64 bytes from fe80::20d:feff:fe73:6172: icmp_seq=1 ttl=64 time=0.434 ms (DUP!)
 +
64 bytes from fe80::225:9cff:fe49:e965: icmp_seq=1 ttl=64 time=0.470 ms (DUP!)
 +
64 bytes from fe80::21e:8cff:fee2:2a16: icmp_seq=1 ttl=255 time=0.531 ms (DUP!)
 +
  64 bytes from fe80::c2c1:c0ff:fe89:66ad: icmp_seq=1 ttl=64 time=0.546 ms (DUP!)
 +
64 bytes from fe80::290:a9ff:feb2:1a07: icmp_seq=1 ttl=64 time=2.04 ms (DUP!)
 +
64 bytes from fe80::2eb:2dff:fea2:2ca1: icmp_seq=1 ttl=255 time=86.1 ms (DUP!)
 +
64 bytes from fe80::d2df:c7ff:fe0e:bc22: icmp_seq=1 ttl=64 time=192 ms (DUP!)
  
 
Unlike in IPv4, where replies to a ping on the broadcast address can be disabled, in IPv6 currently this behavior cannot be disable except by local IPv6 firewalling.
 
Unlike in IPv4, where replies to a ping on the broadcast address can be disabled, in IPv6 currently this behavior cannot be disable except by local IPv6 firewalling.
Line 60: Line 77:
 
This program is normally included in package iputils. It's a program similar to IPv4 traceroute. Below you will see an example:
 
This program is normally included in package iputils. It's a program similar to IPv4 traceroute. Below you will see an example:
  
  # traceroute6 www.6bone.net
+
  # traceroute6 ipv6.google.com
  traceroute to 6bone.net (3ffe:b00:c18:1::10) from 2001:0db8:0000:f101::2, 30
+
 
¬ hops max, 16 byte packets  
+
 
   1 localipv6gateway (2001:0db8:0000:f101::1) 1.354 ms 1.566 ms 0.407 ms  
+
  traceroute to ipv6.l.google.com (2404:6800:4003:801::1012) from 2001:470:36:ab6:c478:3e1:d571:bb6b, 30 hops max, 24 byte packets
   2 swi6T1-T0.ipv6.switch.ch (3ffe:2000:0:400::1) 90.431 ms 91.956 ms 92.377 ms  
+
   1 2001:470:36:ab6::1 (2001:470:36:ab6::1) 1.16 ms 0.455 ms 0.336 ms
   3 3ffe:2000:0:1::132 (3ffe:2000:0:1::132) 118.945 ms 107.982 ms 114.557 ms  
+
   2 onnowpurbo-1.tunnel.tserv25.sin1.ipv6.he.net (2001:470:35:ab6::1) 44.588 ms 44.66 ms 55.766 ms
   4 3ffe:c00:8023:2b::2 (3ffe:c00:8023:2b::2) 968.468 ms 993.392 ms 973.441 ms  
+
   3 gige-g2-13.core1.sin1.he.net (2001:470:0:17c::1)  50.449 ms  61.66 ms  56.79 ms
   5 3ffe:2e00:e:c::3 (3ffe:2e00:e:c::3) 507.784 ms 505.549 ms 508.928 ms  
+
  4  15169.sgw.equinix.com (2001:de8:4::1:5169:1) 62.927 ms 33.974 ms 50.755 ms
   6 www.6bone.net (3ffe:b00:c18:1::10) 1265.85 ms * 1304.74 ms
+
   5  2001:4860::1:0:337f (2001:4860::1:0:337f) 43.884 ms 44.142 ms 50.293 ms
 +
   6  2001:4860:0:1::18f (2001:4860:0:1::18f) 61.467 ms 50.525 ms 51.161 ms
 +
   7  2404:6800:8000:4:92e6:baff:fe53:b0de (2404:6800:8000:4:92e6:baff:fe53:b0de) 49.276 ms 46.334 ms  55.087 ms
  
 
Note: unlike some modern versions of IPv4 traceroute, which can use ICMPv4 echo-request packets as well as UDP packets (default), current IPv6-traceroute is only able to send UDP packets. As you perhaps already know, ICMP echo-request packets are more accepted by firewalls or ACLs on routers inbetween than UDP packets.
 
Note: unlike some modern versions of IPv4 traceroute, which can use ICMPv4 echo-request packets as well as UDP packets (default), current IPv6-traceroute is only able to send UDP packets. As you perhaps already know, ICMP echo-request packets are more accepted by firewalls or ACLs on routers inbetween than UDP packets.
Line 76: Line 95:
 
This program is normally included in package iputils. It's a program like traceroute6 and traces the path to a given destination discovering the MTU along this path. Below you will see an example:
 
This program is normally included in package iputils. It's a program like traceroute6 and traces the path to a given destination discovering the MTU along this path. Below you will see an example:
  
  # tracepath6 www.6bone.net
+
  # tracepath6 ipv6.google.com
   1?: [LOCALHOST] pmtu 1480  
+
   1?: [LOCALHOST]                       0.070ms pmtu 1480
   1: 3ffe:401::2c0:33ff:fe02:14 150.705ms
+
   1: ???                                                  1.517ms
   2: 3ffe:b00:c18::5 267.864ms
+
   1: ???                                                  1.487ms
   3: 3ffe:b00:c18::5 asymm 2 266.145ms pmtu 1280
+
   2: onnowpurbo-1.tunnel.tserv25.sin1.ipv6.he.net        30.845ms
   3: 3ffe:3900:5::2 asymm 4 346.632ms
+
   3: gige-g2-13.core1.sin1.he.net                        68.818ms
   4: 3ffe:28ff:ffff:4::3 asymm 5 365.965ms
+
   4: no reply
   5: 3ffe:1cff:0:ee::2 asymm 4 534.704ms
+
   5:  no reply
  6: 3ffe:3800::1:1 asymm 4 578.126ms !N
 
  Resume: pmtu 1280
 
  
 
4.3.4. IPv6 tcpdump
 
4.3.4. IPv6 tcpdump

Revision as of 10:44, 22 June 2013

After you have prepared your system for IPv6, you now want to use IPv6 for network communications. First you should learn how to examine IPv6 packets with a sniffer program. This is strongly recommended because for debugging/troubleshooting issues this can aide in providing a diagnosis very quickly.

IPv6 ping

This program is normally included in package iputils. It is designed for simple transport tests sending ICMPv6 echo-request packets and wait for ICMPv6 echo-reply packets.

Usage

# ping6 <hostwithipv6address>
# ping6 <ipv6address>
# ping6 [-I <device>] <link-local-ipv6address>

Example

# ping6 -c 1 ::1 
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.033 ms

--- ::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.033/0.033/0.033/0.000 ms


Hint: ping6 needs raw access to socket and therefore root permissions. So if non-root users cannot use ping6 then there are two possible problems:

  • ping6 is not in users path (probably, because ping6 is generally stored in /usr/sbin -> add path (not really recommended)
  • ping6 doesn't execute properly, generally because of missing root permissions -> chmod u+s /usr/sbin/ping6

4.3.1.1. Specifying interface for IPv6 ping

Using link-local addresses for an IPv6 ping, the kernel does not know through which (physically or virtual) device it must send the packet - each device has a link-local address. A try will result in following error message:

ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:03:0d:e3:db:76  
          inet6 addr: fe80::203:dff:fee3:db76/64 Scope:Link

coba lakukan

# ping6 fe80::203:dff:fee3:db76
connect: Invalid argument

Yang benar, kita harus memberitahukan interface yang digunakan seperti dibawah ini:

# ping6 -I eth0 -c 1 fe80::203:dff:fee3:db76
PING fe80::203:dff:fee3:db76(fe80::203:dff:fee3:db76) from fe80::203:dff:fee3:db76 eth0: 56 data bytes
64 bytes from fe80::203:dff:fee3:db76: icmp_seq=1 ttl=64 time=0.050 ms

--- fe80::203:dff:fee3:db76 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.050/0.050/0.050/0.000 ms


4.3.1.2. Ping6 to multicast addresses

An interesting mechanism to detect IPv6-active hosts on a link is to ping6 to the link-local all-node multicast address:

# ping6 -I eth0 ff02::1
PING ff02::1(ff02::1) from fe80::203:dff:fee3:db76 eth0: 56 data bytes
64 bytes from fe80::203:dff:fee3:db76: icmp_seq=1 ttl=64 time=0.075 ms
64 bytes from fe80::62a4:4cff:fe75:a6a0: icmp_seq=1 ttl=64 time=0.368 ms (DUP!)
64 bytes from fe80::20d:feff:fe73:6172: icmp_seq=1 ttl=64 time=0.434 ms (DUP!)
64 bytes from fe80::225:9cff:fe49:e965: icmp_seq=1 ttl=64 time=0.470 ms (DUP!)
64 bytes from fe80::21e:8cff:fee2:2a16: icmp_seq=1 ttl=255 time=0.531 ms (DUP!)
64 bytes from fe80::c2c1:c0ff:fe89:66ad: icmp_seq=1 ttl=64 time=0.546 ms (DUP!)
64 bytes from fe80::290:a9ff:feb2:1a07: icmp_seq=1 ttl=64 time=2.04 ms (DUP!)
64 bytes from fe80::2eb:2dff:fea2:2ca1: icmp_seq=1 ttl=255 time=86.1 ms (DUP!)
64 bytes from fe80::d2df:c7ff:fe0e:bc22: icmp_seq=1 ttl=64 time=192 ms (DUP!)

Unlike in IPv4, where replies to a ping on the broadcast address can be disabled, in IPv6 currently this behavior cannot be disable except by local IPv6 firewalling.

4.3.2. IPv6 traceroute6

This program is normally included in package iputils. It's a program similar to IPv4 traceroute. Below you will see an example:

# traceroute6 ipv6.google.com


traceroute to ipv6.l.google.com (2404:6800:4003:801::1012) from 2001:470:36:ab6:c478:3e1:d571:bb6b, 30 hops max, 24 byte packets
 1  2001:470:36:ab6::1 (2001:470:36:ab6::1)  1.16 ms  0.455 ms  0.336 ms
 2  onnowpurbo-1.tunnel.tserv25.sin1.ipv6.he.net (2001:470:35:ab6::1)  44.588 ms  44.66 ms  55.766 ms
 3  gige-g2-13.core1.sin1.he.net (2001:470:0:17c::1)  50.449 ms  61.66 ms  56.79 ms
 4  15169.sgw.equinix.com (2001:de8:4::1:5169:1)  62.927 ms  33.974 ms  50.755 ms
 5  2001:4860::1:0:337f (2001:4860::1:0:337f)  43.884 ms  44.142 ms  50.293 ms
 6  2001:4860:0:1::18f (2001:4860:0:1::18f)  61.467 ms  50.525 ms  51.161 ms
 7  2404:6800:8000:4:92e6:baff:fe53:b0de (2404:6800:8000:4:92e6:baff:fe53:b0de)  49.276 ms  46.334 ms  55.087 ms

Note: unlike some modern versions of IPv4 traceroute, which can use ICMPv4 echo-request packets as well as UDP packets (default), current IPv6-traceroute is only able to send UDP packets. As you perhaps already know, ICMP echo-request packets are more accepted by firewalls or ACLs on routers inbetween than UDP packets.

4.3.3. IPv6 tracepath6

This program is normally included in package iputils. It's a program like traceroute6 and traces the path to a given destination discovering the MTU along this path. Below you will see an example:

# tracepath6 ipv6.google.com
 1?: [LOCALHOST]                        0.070ms pmtu 1480
 1:  ???                                                   1.517ms 
 1:  ???                                                   1.487ms 
 2:  onnowpurbo-1.tunnel.tserv25.sin1.ipv6.he.net         30.845ms 
 3:  gige-g2-13.core1.sin1.he.net                         68.818ms 
 4:  no reply
 5:  no reply

4.3.4. IPv6 tcpdump

On Linux, tcpdump is the major tool for packet capturing. Below you find some examples. IPv6 support is normally built-in in current releases of version 3.6.

tcpdump uses expressions for filtering packets to minimize the noise:

   icmp6: filters native ICMPv6 traffic
   ip6: filters native IPv6 traffic (including ICMPv6)
   proto ipv6: filters tunneled IPv6-in-IPv4 traffic
   not port ssh: to suppress displaying SSH packets for running tcpdump in a remote SSH session

Also some command line options are very useful to catch and print more information in a packet, mostly interesting for digging into ICMPv6 packets:

   “-s 512”: increase the snap length during capturing of a packet to 512 bytes
   “-vv”: really verbose output
   “-n”: don't resolve addresses to names, useful if reverse DNS resolving isn't working proper

4.3.4.1. IPv6 ping to 2001:0db8:100:f101::1 native over a local link

# tcpdump -t -n -i eth0 -s 512 -vv ip6 or proto ipv6 
tcpdump: listening on eth0 
2001:0db8:100:f101:2e0:18ff:fe90:9205 > 2001:0db8:100:f101::1: icmp6: echo
¬ request (len 64, hlim 64) 
2001:0db8:100:f101::1 > 2001:0db8:100:f101:2e0:18ff:fe90:9205: icmp6: echo
¬ reply (len 64, hlim 64)

4.3.4.2. IPv6 ping to 2001:0db8:100::1 routed through an IPv6-in-IPv4-tunnel

1.2.3.4 and 5.6.7.8 are tunnel endpoints (all addresses are examples)

# tcpdump -t -n -i ppp0 -s 512 -vv ip6 or proto ipv6 
tcpdump: listening on ppp0 
1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 2001:0db8:100::1: icmp6: echo request
¬ (len 64, hlim 64) (DF) (ttl 64, id 0, len 124) 
5.6.7.8 > 1.2.3.4: 2001:0db8:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len
¬ 64, hlim 61) (ttl 23, id 29887, len 124) 
1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 2001:0db8:100::1: icmp6: echo request
¬ (len 64, hlim 64) (DF) (ttl 64, id 0, len 124) 
5.6.7.8 > 1.2.3.4: 2001:0db8:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len
¬ 64, hlim 61) (ttl 23, id 29919, len 124)