Theodore Baschak

Routing Guru. IPv6 Advocate. Operator of Hextet Systems (AS395089).

Troubleshooting ICMPv6 with Tcpdump

Thu, 23 Oct 2014 20:39:51 -0500 » Security, IPv6, CLI, Networking, Network Monitoring, System Administration, Troubleshooting » Estimated read time: 1 min

I’ve previously written about my OpenBSD PF firewall in front of my VM server at my colo. I had a firewall rule which used the following variable: icmp6_types="{ 2, 128 }". This wasn’t working properly on the LAN side, and I had to disable the ICMPv6 restrictions to get things back to working. I wanted to fix this permanently, the right way, by determining what needed to be allowed and what could be denied without breaking things.

Tcpdump To The Rescue

I started running tcpdump on the internal interface, to establish exactly which ICMPv6 types were needed for regular operation. I was using tcpdump -i vlanXX ip6, which was WAY too verbose. I eventually found a really helpful blog post (the link is now dead) which suggested using the following filter to troubleshoot NDP issues.

tcpdump -i eth0 'ip6 && icmp6 && (ip6[40] == 133 || ip6[40] == 134 || ip6[40] == 135 || ip6[40] == 136)'

Looking at the table of Types of ICMPv6 Messages on Wikipedia, these numbers correspond to the following strings:

ICMPv6 Value   Meaning / Error Message
133            Router Solicitation (NDP)
134            Router Advertisement (NDP)
135            Neighbour Solicitation (NDP)
136            Neighbour Advertisement (NDP)
137            Redirect Message (NDP)
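As an added example (not part of the original post): the filter above works because ip6[40] is the first byte after the fixed 40-byte IPv6 header, which is the ICMPv6 type only when no extension header sits between them. The Python below, with constructed addresses and packets, builds a plain Neighbour Solicitation and an MLD report behind a Router Alert hop-by-hop header, and shows that the byte-40 check matches the first but misses the second, while walking the header chain finds the type in both.

```python
import struct

ICMPV6 = 58
# Extension headers that can precede ICMPv6 (assumption: the common set; ESP is
# not walked because its length is not self-describing)
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbour Solicitation", 136: "Neighbour Advertisement",
             137: "Redirect Message"}

# Constructed link-local source and all-nodes multicast destination
SRC = bytes.fromhex("fe80000000000000020000fffe000001")
DST = bytes.fromhex("ff020000000000000000000000000001")

def ipv6(next_header, payload):
    """Fixed 40-byte IPv6 header (version 6, hop limit 255) followed by payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 255, SRC, DST) + payload

def icmpv6(msg_type, body=b""):
    """ICMPv6 header: type, code 0, checksum left as zero (constructed sample)."""
    return struct.pack("!BBH", msg_type, 0, 0) + body

def hop_by_hop(next_header):
    """8-byte Hop-by-Hop header carrying a Router Alert option plus PadN, as MLD uses."""
    return struct.pack("!BB", next_header, 0) + b"\x05\x02\x00\x00\x01\x00"

def naive_match(pkt, types):
    """Mirror of the tcpdump expression: byte 6 is Next Header, byte 40 is
    treated as the ICMPv6 type regardless of what actually follows the header."""
    return pkt[6] == ICMPV6 and pkt[40] in types

def walk_chain(pkt):
    """Follow the extension-header chain; return (upper-layer protocol, its offset)."""
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        next_nh, ext_len = pkt[off], pkt[off + 1]
        # AH length is in 4-octet units minus 2; the others use 8-octet units minus 1
        off += (ext_len + 2) * 4 if nh == AH else (ext_len + 1) * 8
        nh = next_nh
    return nh, off

def icmpv6_type(pkt):
    """ICMPv6 type located by chain walking, or None if the packet is not ICMPv6."""
    proto, off = walk_chain(pkt)
    return pkt[off] if proto == ICMPV6 else None

# Constructed packets: a Neighbour Solicitation, and an MLDv2 report (type 143)
# behind a hop-by-hop Router Alert header
NS = ipv6(ICMPV6, icmpv6(135, b"\x00" * 4 + DST))
MLD_REPORT = ipv6(HOP_BY_HOP, hop_by_hop(ICMPV6) + icmpv6(143, b"\x00" * 4))
```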