Difference between revisions of "IPv6-ready test/debug program"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
Line 27: | Line 27: | ||
* ping6 doesn't execute properly, generally because of missing root permissions -> chmod u+s /usr/sbin/ping6 | * ping6 doesn't execute properly, generally because of missing root permissions -> chmod u+s /usr/sbin/ping6 | ||
− | + | ||
+ | ==Menggunakan interface untuk IPv6 ping== | ||
Using link-local addresses for an IPv6 ping, the kernel does not know through which (physically or virtual) device it must send the packet - each device has a link-local address. A try will result in following error message: | Using link-local addresses for an IPv6 ping, the kernel does not know through which (physically or virtual) device it must send the packet - each device has a link-local address. A try will result in following error message: |
Revision as of 11:10, 22 June 2013
Setelah kita menyiapkan system yang kita gunakan untuk IPv6, kita ingin menggunakan IPv6 untuk komunikasi di jaringan. Pertama-tama, sebaiknya kita belajar menganalisa paket IPv6 menggunakan program sniffer. Ini sangat di rekomendasikan untuk debugging / troubleshooting karena sangat menolong untuk melakukan diagnosa secara cepat.
IPv6 ping
Program ini biasanya termasuk dalam paket iputils. Ini dirancang untuk melakukan test tranport sederhana dengan mengirimkan paket ICMPv6 echo-request dan menunggu paket ICMPv6 echo-reply.
Penggunaan
# ping6 <hostdenganipv6address> # ping6 <ipv6address> # ping6 [-I <device>] <link-local-ipv6address>
Contoh
# ping6 -c 1 ::1 PING ::1(::1) 56 data bytes 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.033 ms --- ::1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.033/0.033/0.033/0.000 ms
Catatan: ping6 butuh akses raw ke soket dan oleh karenanya ijin sebagai root. Untuk pengguna non-root yang tidak dapat menggunakan ping6 ada dua (2) kemungkinan masalah:
- ping6 is not in users path (probably, because ping6 is generally stored in /usr/sbin -> add path (not really recommended)
- ping6 doesn't execute properly, generally because of missing root permissions -> chmod u+s /usr/sbin/ping6
Menggunakan interface untuk IPv6 ping
Using link-local addresses for an IPv6 ping, the kernel does not know through which (physically or virtual) device it must send the packet - each device has a link-local address. A try will result in following error message:
ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:03:0d:e3:db:76 inet6 addr: fe80::203:dff:fee3:db76/64 Scope:Link
coba lakukan
# ping6 fe80::203:dff:fee3:db76
connect: Invalid argument
Yang benar, kita harus memberitahukan interface yang digunakan seperti dibawah ini:
# ping6 -I eth0 -c 1 fe80::203:dff:fee3:db76
PING fe80::203:dff:fee3:db76(fe80::203:dff:fee3:db76) from fe80::203:dff:fee3:db76 eth0: 56 data bytes 64 bytes from fe80::203:dff:fee3:db76: icmp_seq=1 ttl=64 time=0.050 ms --- fe80::203:dff:fee3:db76 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.050/0.050/0.050/0.000 ms
Ping6 ke multicast address
Cara yang menarik untuk mendeteksi mesin IPv6 yang aktif adalah dengan ping6 ke link-local all-node multicast address:
# ping6 -I eth0 ff02::1
PING ff02::1(ff02::1) from fe80::203:dff:fee3:db76 eth0: 56 data bytes 64 bytes from fe80::203:dff:fee3:db76: icmp_seq=1 ttl=64 time=0.075 ms 64 bytes from fe80::62a4:4cff:fe75:a6a0: icmp_seq=1 ttl=64 time=0.368 ms (DUP!) 64 bytes from fe80::20d:feff:fe73:6172: icmp_seq=1 ttl=64 time=0.434 ms (DUP!) 64 bytes from fe80::225:9cff:fe49:e965: icmp_seq=1 ttl=64 time=0.470 ms (DUP!) 64 bytes from fe80::21e:8cff:fee2:2a16: icmp_seq=1 ttl=255 time=0.531 ms (DUP!) 64 bytes from fe80::c2c1:c0ff:fe89:66ad: icmp_seq=1 ttl=64 time=0.546 ms (DUP!) 64 bytes from fe80::290:a9ff:feb2:1a07: icmp_seq=1 ttl=64 time=2.04 ms (DUP!) 64 bytes from fe80::2eb:2dff:fea2:2ca1: icmp_seq=1 ttl=255 time=86.1 ms (DUP!) 64 bytes from fe80::d2df:c7ff:fe0e:bc22: icmp_seq=1 ttl=64 time=192 ms (DUP!) ... dst ...
Tidak seperti IPv4, dimana ping ke broadcast address dapat di disable, saat ini di IPv6 perilaku ini tidak bisa di disable kecuali menggunakan firewall IPv6 lokal.
IPv6 traceroute6
This program is normally included in package iputils. It's a program similar to IPv4 traceroute. Below you will see an example:
# traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2404:6800:4003:801::1012) from 2001:470:36:ab6:c478:3e1:d571:bb6b, 30 hops max, 24 byte packets 1 2001:470:36:ab6::1 (2001:470:36:ab6::1) 1.16 ms 0.455 ms 0.336 ms 2 onnowpurbo-1.tunnel.tserv25.sin1.ipv6.he.net (2001:470:35:ab6::1) 44.588 ms 44.66 ms 55.766 ms 3 gige-g2-13.core1.sin1.he.net (2001:470:0:17c::1) 50.449 ms 61.66 ms 56.79 ms 4 15169.sgw.equinix.com (2001:de8:4::1:5169:1) 62.927 ms 33.974 ms 50.755 ms 5 2001:4860::1:0:337f (2001:4860::1:0:337f) 43.884 ms 44.142 ms 50.293 ms 6 2001:4860:0:1::18f (2001:4860:0:1::18f) 61.467 ms 50.525 ms 51.161 ms 7 2404:6800:8000:4:92e6:baff:fe53:b0de (2404:6800:8000:4:92e6:baff:fe53:b0de) 49.276 ms 46.334 ms 55.087 ms
Note: unlike some modern versions of IPv4 traceroute, which can use ICMPv4 echo-request packets as well as UDP packets (default), current IPv6-traceroute is only able to send UDP packets. As you perhaps already know, ICMP echo-request packets are more accepted by firewalls or ACLs on routers inbetween than UDP packets.
IPv6 tracepath6
This program is normally included in package iputils. It's a program like traceroute6 and traces the path to a given destination discovering the MTU along this path. Below you will see an example:
# tracepath6 ipv6.google.com 1?: [LOCALHOST] 0.070ms pmtu 1480 1: ??? 1.517ms 1: ??? 1.487ms 2: onnowpurbo-1.tunnel.tserv25.sin1.ipv6.he.net 30.845ms 3: gige-g2-13.core1.sin1.he.net 68.818ms 4: no reply 5: no reply
IPv6 tcpdump
On Linux, tcpdump is the major tool for packet capturing. Below you find some examples. IPv6 support is normally built-in in current releases of version 3.6.
tcpdump uses expressions for filtering packets to minimize the noise:
icmp6: filters native ICMPv6 traffic
ip6: filters native IPv6 traffic (including ICMPv6)
proto ipv6: filters tunneled IPv6-in-IPv4 traffic
not port ssh: to suppress displaying SSH packets for running tcpdump in a remote SSH session
Also some command line options are very useful to catch and print more information in a packet, mostly interesting for digging into ICMPv6 packets:
“-s 512”: increase the snap length during capturing of a packet to 512 bytes
“-vv”: really verbose output
“-n”: don't resolve addresses to names, useful if reverse DNS resolving isn't working proper
4.3.4.1. IPv6 ping to 2001:0db8:100:f101::1 native over a local link
# tcpdump -t -n -i eth0 -s 512 -vv ip6 or proto ipv6 tcpdump: listening on eth0 2001:0db8:100:f101:2e0:18ff:fe90:9205 > 2001:0db8:100:f101::1: icmp6: echo ¬ request (len 64, hlim 64) 2001:0db8:100:f101::1 > 2001:0db8:100:f101:2e0:18ff:fe90:9205: icmp6: echo ¬ reply (len 64, hlim 64)
4.3.4.2. IPv6 ping to 2001:0db8:100::1 routed through an IPv6-in-IPv4-tunnel
1.2.3.4 and 5.6.7.8 are tunnel endpoints (all addresses are examples)
# tcpdump -t -n -i ppp0 -s 512 -vv ip6 or proto ipv6 tcpdump: listening on ppp0 1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 2001:0db8:100::1: icmp6: echo request ¬ (len 64, hlim 64) (DF) (ttl 64, id 0, len 124) 5.6.7.8 > 1.2.3.4: 2001:0db8:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len ¬ 64, hlim 61) (ttl 23, id 29887, len 124) 1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 2001:0db8:100::1: icmp6: echo request ¬ (len 64, hlim 64) (DF) (ttl 64, id 0, len 124) 5.6.7.8 > 1.2.3.4: 2001:0db8:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len ¬ 64, hlim 61) (ttl 23, id 29919, len 124)