
Why would ipv6 Loopback Adapter traffic be active?

asked 2022-07-23 01:25:46 +0000

Vtechie

updated 2022-07-23 10:04:10 +0000

Guy Harris

Why would ipv6 Loopback Adapter traffic be active in Wireshark when I have the IPv6 disabled on my Windows 10 laptop and in my router? How can I use Wireshark to find the real device connecting to my computer, looking like it is my computer?

Thank you, Vtechie

Frame 7: 676 bytes on wire, 676 bytes captured on interface \Device\NPF_Loopback, id 0
    Interface id: 0 (\Device\NPF_Loopback)
        Interface name: \Device\NPF_Loopback
    Encapsulation type: NULL/Loopback (15)
    Arrival Time: Jul 22, 2022 14:55:29.123198000 Central Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 1.198113000 seconds]
    [Time delta from previous displayed frame: 1.198113000 seconds]
    [Time since reference or first frame: 173.999209000 seconds]
    Frame Number: 7
    Frame Length: 676 bytes (5408 bits)
    Capture Length: 676 bytes (5408 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: null:ipv6:udp:data]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Null/Loopback
    Family: IPv6 (24)
Internet Protocol Version 6, Src: ::1 (::1), Dst: ff02::c (ff02::c)
    0110 .... = Version: 6
    <0110 .... = Version: 6 [This field makes the filter match on "ip.version == 6" possible]>
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... 1101 1111 1010 0001 1111 = Flow Label: 0xdfa1f
    Payload Length: 632
    Next Header: UDP (17)
    Hop Limit: 1
    Source Address: ::1 (::1)
    <Source or Destination Address: ::1 (::1)>
    <[Source Host: ::1]>
    <[Source or Destination Host: ::1]>
    Destination Address: ff02::c (ff02::c)
    <Source or Destination Address: ff02::c (ff02::c)>
    <[Destination Host: ff02::c]>
    <[Source or Destination Host: ff02::c]>
User Datagram Protocol, Src Port: 64625 (64625), Dst Port: ws-discovery (3702)
    Source Port: 64625 (64625)
    Destination Port: ws-discovery (3702)
    <Source or Destination Port: 64625 (64625)>
    <Source or Destination Port: ws-discovery (3702)>
    Length: 632
    Checksum: 0x9cd5 [correct]
        [Calculated Checksum: 0x9cd5]
    [Checksum Status: Good]
    [Stream index: 1]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
    UDP payload (624 bytes)
Data (624 bytes)
    Data: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f …
    Text [truncated]: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/disc
    [Payload MD5 hash: a596eeb26945f308e2d25d79d9e40413]
    [Length: 624]

1 Answer


answered 2022-07-23 10:36:24 +0000

Guy Harris

updated 2022-07-25 11:07:03 +0000

grahamb

> Why would ipv6 Loopback Adapter traffic be active in Wireshark when I have the IPv6 disabled on my Windows 10 laptop

"Disabled" in what sense? Do you mean that IPv6 is completely disabled everywhere, or just on your LAN interfaces? If it's just on your LAN interfaces, that's irrelevant, as this is traffic on the loopback adapter, meaning it's traffic sent from a program on your machine to another program on the same machine, where that traffic is not sent on any real network adapter, it's just being moved around inside the machine, so it's not sent on any of your LAN interfaces.

> and in my router.

Given that this is traffic on the loopback adapter, it's not sent on any network adapter, so it is never seen by any other machine on your network, including any routers on the network, so the router is irrelevant here.

> How can I use Wireshark to find the real device connecting to my computer, looking like it is my computer.

There is no real device connecting to your computer; it's just traffic from one program on your machine to another program on your machine.

Perhaps the program sending the multicast packet is sending it from all addresses, including the IPv6 localhost address.

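To follow up on the answer's point that the sender is a program on the same machine, the PowerShell below (an added example, not part of the original answer) lists which local processes own UDP sockets on the ports seen in the captured frame and shows where IPv6 is still configured. The port numbers come from the capture in the question; the function name `Get-UdpPortOwner` is hypothetical, and an elevated PowerShell session is assumed.

```powershell
# Added example. Ports are taken from the frame in the question.
$wsdPort = 3702    # destination port (ws-discovery) in the capture
$srcPort = 64625   # ephemeral source port in the capture; may already be closed

function Get-UdpPortOwner {
    param([int[]]$Port)
    # Every UDP socket bound to one of the given local ports, with its owner.
    Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ep   = $_
            $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
            # If the owner is a service host, list the services inside that process.
            $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($ep.OwningProcess)" |
                    Select-Object -ExpandProperty Name
            [pscustomobject]@{
                LocalAddress = $ep.LocalAddress
                LocalPort    = $ep.LocalPort
                PID          = $ep.OwningProcess
                Process      = $proc.ProcessName
                Services     = $svc -join ', '
            }
        }
}

# 1. Which local programs hold UDP sockets on the ports seen in the frame?
Get-UdpPortOwner -Port $wsdPort, $srcPort |
    Sort-Object LocalPort, PID |
    Format-Table -AutoSize

# 2. Per-adapter state of the IPv6 protocol binding (the adapter-properties checkbox).
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Format-Table Name, Enabled -AutoSize

# 3. IPv6 addresses still configured on the machine; ::1 appears here
#    if the loopback interface still has it.
Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Format-Table InterfaceAlias, IPAddress, PrefixLength -AutoSize
```

A socket listed with a `LocalAddress` of `::` or `::1` in step 1 belongs to a local process that can send or receive the kind of datagram shown in the capture.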

Comments

Thank you so very much. IPv6 is disabled in my router settings and on my computer settings. I cannot find a way to disable it on my iPhone settings. I saw a YouTube video on networking that you have to enable IPv6 to have link local traffic from it. In the video they configured it with MTPutty, which I cannot run on my computer because I am overpowered by whatever is accessing my LAN or WAN, same with Lansweeper and some sysinternals, well most of them.

Vtechie (2022-07-24 19:46:34 +0000)

> IPv6 is disabled in my router settings

That's irrelevant here, as this is loopback traffic that goes from your machine back to your machine internally, without ever being sent on a physical network and thus without ever touching your router.

> and on my computer settings.

What setting is the one that disables IPv6?

> I saw a Youtube video on networking that you have to enable IPv6 to have link local traffic from it.

This is LOOPBACK traffic that doesn't go out on any physical network link, not link-local traffic.

Guy Harris (2022-07-25 09:45:07 +0000)
