How to get the IPv6 headers on Windows using a raw socket?

Maurice Lambert 0 Reputation points
2023-02-13T20:45:56.25+00:00

I would like to implement a sniffer for incident response and forensic investigations, to sniff the traffic and identify malicious packets and C2 (C&C, Command and Control) IPs.

In incident response I can't install npcap/winpcap or other libraries detected by antivirus software, and I should use the fastest way to sniff the local traffic. So I would like to develop a simple CLI sniffer (it must be launched on Windows core servers) as a single executable file to copy/paste onto the server and launch with admin privileges.

Context example: a ransomware is running on a server and exfiltrates data, and there is some NAT (Network Address Translation) between the firewalls and the server (so it's difficult to identify the malicious traffic).

I wrote a POC in Python on my GitHub.

How I use my raw socket:

from socket import socket, AF_INET6, SOCK_RAW, IPPROTO_IP, IPPROTO_IPV6, IPV6_PKTINFO, SIO_RCVALL, RCVALL_ON, RCVALL_OFF

sock = socket(AF_INET6, SOCK_RAW, IPPROTO_IP)
sock.bind(("<IPv6 address>", 0))  # local address of the interface to capture on
sock.setsockopt(IPPROTO_IPV6, IPV6_PKTINFO, 0)
sock.ioctl(SIO_RCVALL, RCVALL_ON)  # receive all IPv6 traffic seen on this interface
try:
    while True:
        data, source_address = sock.recvfrom(65535)
except KeyboardInterrupt:
    pass
finally:
    sock.ioctl(SIO_RCVALL, RCVALL_OFF)  # switch capture mode back off before closing
    sock.close()

What I get when I sniff an ICMPv6 packet:

0000  80 00 68 62 00 01 42 dc 61 62 63 64 65 66 67 68  ..hb..B.abcdefgh
0010  69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61  ijklmnopqrstuvwa
0020  62 63 64 65 66 67 68 69                          bcdefghi

It's just the data section without any IPv6 header, so I can't see the IPv6 addresses and protocol type (so I can't parse the data).

What I want:

0000   00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00   ..............`.
0010   00 00 00 28 3a 80 fe 80 00 00 00 00 00 00 12 23   ...(:.*........Z
0020   34 45 56 65 67 78 fe 80 00 00 00 00 00 00 00 00   :(B.@.*..P@.....
0030   00 00 00 00 12 23 80 00 68 6a 00 01 42 d4 61 62   .... ...hj..B.ab
0040   63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72   cdefghijklmnopqr
0050   73 74 75 76 77 61 62 63 64 65 66 67 68 69         stuvwabcdefghi

Here I have the Ethernet frame; I would like it, but if you can help me to get only the IPv6 headers, it's okay. If you know how I can get the full Ethernet frame, packet and segment, it's better for me.

I see IPV6_HDRINCL, but it's only for sending IPv6 headers, not for receiving them, and I see this RFC, but I don't find what I'm searching for.


3 answers

  1. Tong Xu - MSFT 2,546 Reputation points Microsoft External Staff
    2023-02-14T10:25:02.2633333+00:00

    Hi, @Maurice Lambert

    This sample illustrates how to use SIO_RCVALL, SIO_RCVALL_MCAST, and SIO_RCVALL_IGMPMCAST.
    It contains parsing routines for displaying packets, setting up the socket and receiving data.
    It can get the IPv6 header, but the example has not been updated for a long time and only shows how to get the IPv4 header:

    [screenshot: ipv4 header]

    The protocol header and protocol address family information has not been updated to IPv6.
    You need to add it by yourself.

    [screenshot: ipv6 header]

    [screenshot: family]

    The documentation has been updated to show that they support IPv6.

    Thank you.


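    Whichever capture path delivers the header bytes, the IPv6 parsing routine that the answer above says you must add yourself is the same. The following is an added example, not code from the question's GitHub POC or from Microsoft's sample: a Python decoder for the fixed IPv6 header, any extension headers in front of the transport protocol, and the ICMPv6 echo fields, run against the "What I want" dump from the question. It also rejects the headerless bytes the AF_INET6 raw socket currently returns, whose first nibble (8, from the ICMPv6 type 0x80) is not a valid IPv6 version.

```python
import struct
from ipaddress import IPv6Address

ETH_HLEN, IPV6_HLEN, ICMPV6 = 14, 40, 58
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}  # may precede transport

# Constructed from the "What I want" dump in the question: 14 bytes of zeroed Ethernet
# header, a 40-byte IPv6 header and a 40-byte ICMPv6 echo request (94 bytes in total).
SAMPLE_FRAME = bytes.fromhex(
    "00000000000000000000000000006000000000283a80fe800000000000001223"
    "344556656778fe8000000000000000000000000012238000686a000142d46162"
    "636465666768696a6b6c6d6e6f7071727374757677616263646566676869"
)

def parse_ipv6(packet: bytes) -> dict:
    """Parse the fixed IPv6 header (RFC 8200) and walk extension headers
    to reach the upper-layer protocol. Raises ValueError on malformed input."""
    if len(packet) < IPV6_HLEN:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word0 >> 28 != 6:
        raise ValueError(f"not IPv6 (version {word0 >> 28})")  # e.g. a headerless capture
    payload = packet[IPV6_HLEN:IPV6_HLEN + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than Payload Length field")
    exts = []
    while next_hdr in EXT_HEADERS:  # each begins with Next Header, Hdr Ext Len
        if len(payload) < 8:
            raise ValueError("truncated extension header")
        exts.append(EXT_HEADERS[next_hdr])
        ext_len = 8 if next_hdr == 44 else (payload[1] + 1) * 8  # fragment header is fixed-size
        next_hdr, payload = payload[0], payload[ext_len:]
    return {"traffic_class": (word0 >> 20) & 0xFF, "flow_label": word0 & 0xFFFFF,
            "payload_length": payload_len, "hop_limit": hop_limit,
            "src": IPv6Address(packet[8:24]), "dst": IPv6Address(packet[24:40]),
            "extension_headers": exts, "next_header": next_hdr, "payload": payload}

def parse_icmpv6(payload: bytes) -> dict:
    # Type/code/checksum, plus identifier/sequence/data for echo request (128) and reply (129)
    icmp_type, code, checksum = struct.unpack("!BBH", payload[:4])
    info = {"type": icmp_type, "code": code, "checksum": checksum}
    if icmp_type in (128, 129):
        info["id"], info["seq"] = struct.unpack("!HH", payload[4:8])
        info["data"] = payload[8:]
    return info

def decode_frame(frame: bytes) -> dict:
    # Skip the 14-byte Ethernet header present in the dump, then decode the IPv6 packet
    hdr = parse_ipv6(frame[ETH_HLEN:])
    if hdr["next_header"] == ICMPV6:
        hdr["icmpv6"] = parse_icmpv6(hdr["payload"])
    return hdr
```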


  2. Limitless Technology 44,766 Reputation points
    2023-02-14T16:04:39.62+00:00

    Hi. Thank you for your question and reaching out. I'd be more than happy to help you with your query.

    To access the IPv6 headers on Windows using a raw socket, you need to set the IP_HDRINCL option on the socket to true. This will tell the socket to include the IPv6 header when receiving packets. You can then use the recvmsg function to read the data and extract the IPv6 header information from it.



  3. Gary Nebbett 6,216 Reputation points
    2023-02-14T19:14:18.4833333+00:00

    Hello Maurice,

    The link Network Sniffing on Microsoft Windows contains information on alternative (and better) network tracing mechanisms built into Windows and tips on how to interpret IPv6 raw socket captures.

    Gary

