New Member

Track Down IPv6 Client

Hi All,

I think it's about time to buy an Implementing Cisco IPv6 book for me... How in the world do I track down an IPv6 client in my network? I didn't even realize that IPv6 was possible in my network without me turning on some IPv6 routing functionality, which I haven't done yet, unless it's on by default in a SUP720 within a 6509. My MARS box keeps alerting me, however, to an IPv6 host that is up to something on the network, and I have no idea how to track it down. The usual sh arp, etc. don't seem to provide any details, and I thought maybe the sh ipv6 neighbors command might show some link locals (no dice), BGP doesn't show any random connected IPv6 addresses, etc.:

evIdsAlert:  eventId="1286219265976162966"  severity="high"  vendor="Cisco" 
    originator: 
        hostId:  ********
        appName:  sensorApp 
        appInstanceId:  644 
    time:  Oct 5 2010 15:51:26 EDT (1286308286391787000)  offset="-240"  timeZone="UTC" 
    signature:  created="20050603"  type="vulnerability"  version="S433"  description="UPnP LOCATION Overflow"  id="4058" 
        subsigId:  2 
        sigDetails:  LOCATION \x3c100+ Chars> 
        marsCategory:  Penetrate/BufferOverflow/Misc 
    interfaceGroup:  vs0 
    vlan:  15 
    participants: 
        attacker: 
            addr:  0.0.0.0  locality="OUT" 
            port:  1900 
            ipv6Address:  fe80::f515:3a70:a0a2:a1fe  locality="OUT" 
        target: 
            addr:  0.0.0.0  locality="OUT" 
            port:  1900 
            ipv6Address:  ff02::c  locality="OUT" 
            os:  idSource="unknown"  relevance="unknown"  type="unknown" 
    riskRatingValue:  90  targetValueRating="medium" 
    threatRatingValue:  90 
    interface:  ge0_7 

I googled and searched these forums for the same question that I'm sure others have and didn't find any good results. Is there any functionality I need to turn on to track these hosts down? I'm not even running a box that has IPv6 support enabled, so I couldn't do any traces or pings... Oy vey!

3 REPLIES
New Member

Re: Track Down IPv6 Client

Well, if you don't have IPv6 enabled on your switch you can still probably figure out what host that is because of the type of address it is. That address is a link-local IPv6 address, so it will only be on the same broadcast domain where that sensor is, unless it's an RSPAN port or such. Anyway, since it's a link-local address it most likely is using the last 64 bits of the address from its 48-bit MAC address.

This link can show you how to find out how to convert a 48-bit MAC address to a link-local address: http://msdn.microsoft.com/en-us/library/ms737595(VS.85).aspx

Once you know what the MAC address is, it should be a fairly simple process of finding what switchport it came from.
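
The MAC-to-link-local mapping mentioned in this reply is Modified EUI-64. The Python sketch below is an added example, not part of the original thread: it checks whether a link-local address carries an embedded MAC and recovers it, using the source address from the alert above and a constructed sample MAC. The function names are illustrative.

```python
import ipaddress

ALERT_SOURCE = "fe80::f515:3a70:a0a2:a1fe"   # source address from the alert above
SAMPLE_MAC = "00:1b:54:aa:bb:cc"             # constructed sample, not from the thread

def mac_from_link_local(addr):
    """Return the MAC embedded in a Modified EUI-64 link-local address, else None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])    # drop a zone id such as %12
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not in fe80::/10")
    iid = ip.packed[8:]                               # low 64 bits: interface identifier
    # Modified EUI-64 puts ff:fe between the two halves of the MAC. A random
    # identifier can match by chance (1 in 65536), so treat a hit as a lead.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def link_local_from_mac(mac):
    """Build the Modified EUI-64 link-local address for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"{mac} is not a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))

def dotted(mac):
    """Reformat aa:bb:cc:dd:ee:ff as aabb.ccdd.eeff for a switch MAC table lookup."""
    h = mac.replace(":", "")
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

if __name__ == "__main__":
    for addr in (ALERT_SOURCE, link_local_from_mac(SAMPLE_MAC)):
        mac = mac_from_link_local(addr)
        print(addr, "->", dotted(mac) if mac else "no embedded MAC, use the neighbor table")
```

For the alert's address the function returns None: the interface identifier has no ff:fe marker, so the MAC has to come from a neighbor table on that segment instead.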

Cisco Employee

Re: Track Down IPv6 Client

Well, the good news is that this device, whatever it is, should be on the same layer 2 network ("link") as the sensor.

Any modern MacOS or Windows Vista PC speaks IPv6 out of the box and at the link layer (but doesn't get a global address unless you set up an IPv6 router).

Running "Network Map" on a Windows 7 or Windows Vista machine may be illustrative.

Ping the address from a machine on that segment, and then

netsh interface ipv6 show neighbors

in a command window

New Member

Re: Track Down IPv6 Client

I like this one...  I did track down the client using the other method, but, this is a nice feature also...  Nice mapping of the IPv6 to the IPv4 addressing.
