cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4652
Views
10
Helpful
3
Replies
Beginner

Track Down IPv6 Client

Hi All,

I think it's about time to buy an Implementing Cisco IPv6 book for me...  How in the world do I track down an IPv6 client in my network.  I didn't even realize that IPv6 was possible in my network without me turning on some IPv6 routing functionality which I havn't done yet unless it's on by default in a SUP720 within a 6509.  My MARS box keeps alerting me however to an IPv6 host that is up to something on the network and I have no idea how to track it down, the usual sh arp, etc don't seem to provide any details, and I thought maybe the sh ipv6 neighbors command might show some link locals (no dice), BGP dosn't show any random connected IPv6 addresses, etc:

evIdsAlert:  eventId="1286219265976162966"  severity="high"  vendor="Cisco" 
    originator: 
        hostId:  ********
        appName:  sensorApp 
        appInstanceId:  644 
    time:  Oct 5 2010 15:51:26 EDT (1286308286391787000)  offset="-240"  timeZone="UTC" 
    signature:  created="20050603"  type="vulnerability"  version="S433"  description="UPnP LOCATION Overflow"  id="4058" 
        subsigId:  2 
        sigDetails:  LOCATION \x3c100+ Chars> 
        marsCategory:  Penetrate/BufferOverflow/Misc 
    interfaceGroup:  vs0 
    vlan:  15 
    participants: 
        attacker: 
            addr:  0.0.0.0  locality="OUT" 
            port:  1900 
            ipv6Address:  fe80::f515:3a70:a0a2:a1fe  locality="OUT" 
        target: 
            addr:  0.0.0.0  locality="OUT" 
            port:  1900 
            ipv6Address:  ff02::c  locality="OUT" 
            os:  idSource="unknown"  relevance="unknown"  type="unknown" 
    riskRatingValue:  90  targetValueRating="medium" 
    threatRatingValue:  90 
    interface:  ge0_7 

I googled and searched these forums for the same question that I'm sure other's have and didn't find any good results.  Is there any functionality I need to turn on to track these hosts down?  I'm not even running a box that has IPv6 support enabled so I couldn't do any traces or pings...  Oy vey!

3 REPLIES 3
Highlighted
Beginner

Re: Track Down IPv6 Client

Well if you don't have IPv6 enabled on your switch you can still probably figure out what host that is because of the type of address it is. That address is a link-local ip6 address so it will only be on the same broadcast domain where that sensor is, unless it's an rspan port or such. Anyways, since it's a link-local address it most likely is using the last 64 bits of the address from it's 48bit mac address.

This link can show you how to find out how to convert a 48bit mac address to a link local address: http://msdn.microsoft.com/en-us/library/ms737595(VS.85).aspx

Once you know what the mac address is, it should be fairly simple process of finding what switchport it came from.

Highlighted
Cisco Employee

Re: Track Down IPv6 Client

Well, the good news is that this device, whatever is it, should be on the same layer 2 network ("link") as the sensor.

Any modern MacOS or Windows Vista PC speak IPV6 out of the box and at the link layer (but doesn't get a Global Address unless you set up an IPV6 router.)

Running "Network Map" on a Windows 7 or Windows Vista machine may be illustrative.

Ping the address from a machine on that segment, and then

netsh interface ipv6 show neighbors

in a command window

Highlighted
Beginner

Re: Track Down IPv6 Client

I like this one...  I did track down the client using the other method, but, this is a nice feature also...  Nice mapping of the IPv6 to the IPv4 addressing.

CreatePlease to create content
Content for Community-Ad