10-06-2010 06:25 AM - edited 03-06-2019 01:21 PM
Hi All,
I think it's about time to buy an Implementing Cisco IPv6 book for me... How in the world do I track down an IPv6 client in my network? I didn't even realize that IPv6 was possible in my network without me turning on some IPv6 routing functionality, which I haven't done yet, unless it's on by default in a SUP720 within a 6509. My MARS box keeps alerting me, however, to an IPv6 host that is up to something on the network and I have no idea how to track it down. The usual sh arp, etc. don't seem to provide any details, and I thought maybe the sh ipv6 neighbors command might show some link locals (no dice), BGP doesn't show any random connected IPv6 addresses, etc.:
evIdsAlert: eventId="1286219265976162966" severity="high" vendor="Cisco"
originator:
hostId: ********
appName: sensorApp
appInstanceId: 644
time: Oct 5 2010 15:51:26 EDT (1286308286391787000) offset="-240" timeZone="UTC"
signature: created="20050603" type="vulnerability" version="S433" description="UPnP LOCATION Overflow" id="4058"
subsigId: 2
sigDetails: LOCATION \x3c100+ Chars>
marsCategory: Penetrate/BufferOverflow/Misc
interfaceGroup: vs0
vlan: 15
participants:
attacker:
addr: 0.0.0.0 locality="OUT"
port: 1900
ipv6Address: fe80::f515:3a70:a0a2:a1fe locality="OUT"
target:
addr: 0.0.0.0 locality="OUT"
port: 1900
ipv6Address: ff02::c locality="OUT"
os: idSource="unknown" relevance="unknown" type="unknown"
riskRatingValue: 90 targetValueRating="medium"
threatRatingValue: 90
interface: ge0_7
I googled and searched these forums for the same question that I'm sure others have and didn't find any good results. Is there any functionality I need to turn on to track these hosts down? I'm not even running a box that has IPv6 support enabled so I couldn't do any traces or pings... Oy vey!
10-06-2010 10:54 AM
Well, if you don't have IPv6 enabled on your switch you can still probably figure out what host that is because of the type of address it is. That address is a link-local IPv6 address, so it will only be on the same broadcast domain where that sensor is, unless it's an RSPAN port or such. Anyways, since it's a link-local address it most likely is using the last 64 bits of the address from its 48-bit MAC address.
This link can show you how to convert a 48-bit MAC address to a link-local address: http://msdn.microsoft.com/en-us/library/ms737595(VS.85).aspx
Once you know what the MAC address is, it should be a fairly simple process of finding what switchport it came from.
11-02-2010 11:36 AM
Well, the good news is that this device, whatever it is, should be on the same layer 2 network ("link") as the sensor.
Any modern MacOS or Windows Vista PC speaks IPv6 out of the box and at the link layer (but doesn't get a Global Address unless you set up an IPv6 router).
Running "Network Map" on a Windows 7 or Windows Vista machine may be illustrative.
Ping the address from a machine on that segment, and then
netsh interface ipv6 show neighbors
in a command window
11-02-2010 11:46 AM
I like this one... I did track down the client using the other method, but, this is a nice feature also... Nice mapping of the IPv6 to the IPv4 addressing.