PAS-10: Take encapsulated IPv6 Traffic into account

Issue Information

Issue Type: New Feature
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Done (2015-11-27 13:15:50)
Affects Version: 0.1,
Target version: 0.1,
Labels: Encapsulation, IPv6,

Created: 2015-11-24 16:45:07
Time Spent Working
60 minutes
30 minutes
30 minutes

Currently if an IPv6 tunnel such as those provided by Helium's tunnelbroker is used we get some misleading results

IP is the Helium endpoint.
The destination port (993) is correct, however the actual destination was 2a00:1450:400c:c02::6d which is a Google operated mailserver
ben@milleniumfalcon:/tmp$ host 2a00:1450:400c:c02::6d domain name pointer

From a single PCAP the current analysis implies that the helium endpoint is running a bunch of services that it isn't 443 80 993

The script needs to identify packets where IPv6 has been tunnelled over IPv4 and act accordingly

Issue Links

Toggle State Changes


Excluding the encapsulated traffic is fairly straight forward
ben@milleniumfalcon:/tmp$ tshark -q -r LAN-64-Sample-7-split.pcap2 -Y 'ssl.handshake and ((ip.version == 4 and ipv6.version != 6) or (ipv6.version == 6) and ip.version !=6)' -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e ssl.handshake.extensions_server_name -e ssl.handshake.ciphersuite > test.txt

Running a second to only include encapsulated traffic (with the ip dest/src fields changed) would be fairly simple too.

I don't particularly like the idea of having to run every single check twice though, might be better to add a seperate set of fields into the CSV to record IPv6 src/dest. It'd also make encapsulated traffic immediately obvious at a glance

Something like
ben@milleniumfalcon:/tmp$ tshark -q -r LAN-64-Sample-7-split.pcap2 -Y 'ssl.handshake' -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ipv6.src -e ipv6.dst -e tcp.srcport -e tcp.dstport -e ssl.handshake.extensions_server_name -e ssl.handshake.ciphersuite > test.txt

Though normally I'd chuck new fields on the end of the CSV, as it's dest/src IP it really does need adding towards the beginning. Will mean updating field numbering elsewhere in the script though.

So, within the webtraffic csv our fields would change from those defined in PAS-8 to
epoch,ipv4 src ip,ipv4 dest ip, ipv6 src ip, ipv6 dest ip,src port, dest port, FQDN, HTTP request method, Request Path, HTTP Referer, HTTP useragent, http cookie, SNI Server name, SSL/TLS ciphersuite(s)

IPv4 encapsulated IPv6 traffic can be indentified by there being source and dest addresses in both the IPv4 and IPv6 columns

Will give it a little more thought before actually making the changes, but it looks like it should work OK
Marking as related to PAS-8 as if the above is implemented, it'll change the behaviour defined there. If that proves to be the case, PAS-8 should have a comment added to note the change
Commit 89719a6 moves the initial fields (epoch,ipv4 src ip,ipv4 dest ip, ipv6 src ip, ipv6 dest ip,src port, dest port) into a variable to make future updates (and introduction of new tshark calls) simpler.

Commit 17a6375 introduces the new fields for IPv6 and updates field numbers wherever used in the script.

Taking the example used when raising the issue, we now get the following result (PAS-5 changed the way ciphersuites are recorded).
1447859665.899986000	2001:470:69d7:4ca:a00:27ff:fe30:d463	2a00:1450:400c:c02::6d	57319	993				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ...snip...

Will need to update the documentation file to reflect this change

Repo: PCAPAnalyseandReport
Commit: 89719a608fe85fc1e0bbac5942464bbff9c95d5c
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 14:18:19 2015 +0000
Commit Message: Moved initial fields to variable ready for PAS-10

Modified (-)(+)

Webhook User-Agent


View Commit

Repo: PCAPAnalyseandReport
Commit: 17a637572c5dcf87cab0812bc8d010b1ab52dae5
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 14:54:10 2015 +0000
Commit Message: Added IPv6 Source and Destination as new standard fields. See PAS-10

Modified (-)(+)

Webhook User-Agent


View Commit

In terms of analysing traffic, the following is now true

Native IPv4
- Fields 2 and 3 will be populated
- Field's 4 and 5 will be empty
cat webtraffic.csv | awk -F'    ' 'length($2) && length($3)&& !length($4) && !length($5)'

Native IPv6
- Fields 4 and 5 will be populated
- Field's 2 and 3 will be empty
cat webtraffic.csv | awk -F'    ' '!length($2) && !length($3)&& length($4) && length($5)'

Tunnelled IPv6
- Field's 2 and 3 will be populated
- Fields 4 and 5 will also be populated
cat webtraffic.csv | awk -F'    ' 'length($2) && length($3)&& length($4) && length($5)'

So even where both native and tunnelled IPv6 are in use (not sure why you would, but someone out there has probably found a reason) it should be possible to easily discern between the two.
btasker changed timespent from '0 minutes' to '30 minutes'

Repo: PCAPAnalyseandReport
Commit: 80baaddb666111687216752af85a0217c3a51d28
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 14:59:15 2015 +0000
Commit Message: Added updated field structure for PAS-10

Modified (-)(+)

Webhook User-Agent


View Commit

All seems to be working correctly, marking as complete.
btasker changed status from 'Open' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'
Re-opening to assign to a component
btasker removed 'Done' from resolution
btasker changed status from 'Closed' to 'Reopened'
btasker changed status from 'Reopened' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'

Work log

Ben Tasker
2015-11-25 15:14:36

Time Spent: 30 minutes
Log Entry: Implementing, testing and documenting