How To Read IPv6 Addresses

A common complaint about IPv6 is that addresses are “hard to read”. If you’ve been in the networking world any length of time IPv4’s dotted quad is most likely seared into your brain and clumps of hexadecimal digits of varying lengths can can be hard to wrap your head around. However, those clumps can provide useful information.

Below I’ll go over some of the address types I’ve seen and show you what information they provide. Continue reading

Wireshark Has a New Home

By now you may have seen the press release and announcement about the purchase of CACE Technologies (my as-of-three-and-a-half-seconds-ago former employer) by Riverbed Technology (my new employer). In the announcement to the wireshark-users and wireshark-dev mailing lists I mentioned Riverbed’s commitment to the Wireshark community. I’d like to expand on that a bit.

Wireshark is more than a protocol analyzer. It is the foundation for relationships between several groups of people: the user community, the developer community, Wireshark University (driven by Laura Chappell), and CACE Technologies. Each one is an important part of Wireshark as a whole. We often referred to it as “the ecosystem” at CACE. It is an honor to be a part of it.

The important, wonderful, and rare thing about the ecosystem is that it benefits everyone involved. You can see this in action on Wireshark’s mailing lists, Laura’s seminars, and at SHARKFEST. It’s something that we worked hard to foster at CACE. What’s even better is that with Riverbed this commitment doesn’t change. Everyone I’ve talked to at Riverbed, from the CEO and CTO on down is committed to Wireshark and to its community. They realize we have a good thing going and they want to keep it that way.

On a personal level this has been an incredible journey so far. Every day I get to work with the amazing people on the Wireshark development team and at CACE. I also get to interact with the amazing people who make up the Wireshark community. For that I am grateful and I look forward to helping the ecosystem grow and evolve in the coming years.


There have been requests over the years for an online forum for Wireshark. I’m not too crazy about traditional forums, particularly for support. You often end up digging through a lot of not-so-useful content to get to the information you’re looking for.

(If you can see where this is going and are impatient, you can go straight to the new support Q&A site now. Otherwise read on.)

Last year Jeff Atwood and Joel Spolsky started Stack Exchange, a collection of question & answer sites including Stack Overflow, Server Fault, and Super User. SE fixes everything that’s wrong with traditional form software. Useful answers can be voted up by the community, and “hot” questions are listed first.

Stack Exchange is wonderful but they require you to host your content on their servers. This is goes against my control freak sensibilities, so I had to look elsewhere for a solution. I found OSQA. The software is still beta, but it’s quite functional and becoming quite popular.

Here are some of the things you can do with OSQA:

Vote questions and answers up and down

This means that the good stuff floats to the top. Additionally the person who posted the question can select one answer as the best.

Comment on questions and answers

This lets you have a traditional forum-style linear discussion when you need it.

Tag questions

Tags let you categorize questions. For instance the python tag on Stack Overflow will give you all of the Python programming questions.

Earn karma

As you ask questions and provide helpful answers you gain karma points. This lets you do things like…

Edit content

Power users can correct, clarify, or otherwise make helpful changes to things others have posted.

Q&A sites aren’t for everyone. They tend to work best when you have a bunch of helpful, active, and knowledgeable people willing to exchange ideas in a particular field. As luck would have it this describes the Wireshark community to a tee.

Go try it for yourself at

Antivirus Outbreak

Wednesday, August 4, 8:00 AM

We receive a phone call from someone complaining about “Wireshark Antivirus”. I take the call. The person on the other end isn’t able to provide many details other than that a program named “Wireshark Antivirus” is displaying some a shield and directing him to the web site.

This is new. We’ve been on the receiving end of a few false positives in the past but this is new. Some jackass is using our name do do harm.

This will not end well. Continue reading

Sharkfest ’10 Recap

Sharkfest ’10 ended a week ago today and I’m still reeling. The conference started with a keynote from Van Jacobson and ended with one from Harry Saal, two monumental figures in our industry and very nice people to boot. Attendees traveled from all over the globe, from large companies to single-person operations. The presentations were packed with information and it was great to see how experts tackle packet-level network monitoring and troubleshooting. If you missed out we’re getting the presentations online as fast as we can.

Continue reading

T-Mobile: Clever or Insane?

I recently got an Android phone. After downloading the Android SDK I noticed that my cellular provider (T-Mobile) was doing something odd. According to the netcfg command they’re using on their GPRS/EDGE network:

$ netcfg
lo       UP       0x00000049
dummy0   DOWN         0x00000082
rmnet0   UP 0x00001043
rmnet1   DOWN         0x00001002
rmnet2   DOWN         0x00001002
sit0     DOWN         0x00000080
ip6tnl0  DOWN         0x00000080

T-Mobile doesn’t own that netblock. The UK Ministry of Defence does. Why would they do such a thing? After all, RFC 1918 gives you three whole blocks (,, and to do with as you please. Straying from those on your private will damn you to an eternity of network flakiness and give your twisted pair cabling scurvy, right?

Why this is clever

According to several BGP looking glasses and figure 5 of Geoff Huston’s IPv4 Address Report the Ministry of Defence doesn’t advertise any routes for That means that none of the 25.x.x.x addresses are being used on the public Internet. If you’re on a private network they’re effectively free for the taking. But still, why aren’t they using the officially-sanctioned RFC 1918 address?

My phone also has an 802.11 interface. Let’s take a look at netcfg’s output when I’m connected to T-Mobile’s network and my home network:

$ netcfg     
lo       UP       0x00000049
dummy0   DOWN         0x00000082
rmnet0   DOWN 0x00001002
rmnet1   DOWN         0x00001002
rmnet2   DOWN         0x00001002
sit0     DOWN         0x00000080
ip6tnl0  DOWN         0x00000080
eth0     UP   0x00001043

See the That could just as easily be,, or any other RFC 1918 address. On many networks (particularly universities) it could even be a public address. T-Mobile has no way of predicting or controlling what happens on that interface. The netblock has the following advantages:

  • It doesn’t overlap with any other network, public or private. Therefore you won’t get any routing confusion when the phone is connected on GPRS/EDGE and WiFi at the same time.
  • It’s not in public use. The next Facebook or Lolcats isn’t going to show up with a 25.x.x.x address, thereby causing routing confusion for your users.
  • Even if the UK MoD is handing out 25.x.x.x address over 802.11 they’re way over in the UK. It’s unlikely that my phone will be connected to the MoD and T-Mobile networks at the same time.

Why this is insane

IPv4 addresses are getting scarce. Who says the MoD won’t turn the netblock over to RIPE or IANA next week? Even then my phone has to go through a proxy server on T-Mobile’s network so it’s probably not a huge deal.


Just before publishing this I ran netcfg and my phone was using The netblock used to be reserved for public data networks but was allocated to APNIC earlier this month. I wonder what other questionable netblocks they’re using.

Sharkfest ’10 Is Going To Be Awesome

We just finalized the schedule for Sharkfest ’10. This year’s agenda includes:

  • Van Jacobson and Harry Saal, who formed protocol analysis with their bare hands
  • Two three wireless security experts including Mike Kershaw and Thomas D’Otreppe, the creators of Kismet and Aircrack-ng
  • Network security experts including nmap creator Gordon “Fyodor” Lyon
  • Five six many amazing protocol analysis instructors, including Laura Chappell, Betty DuBois, Sean Walberg, and Joe Bardwell
  • Several members of Wireshark’s development team
  • Protocol, network, and application performance experts from Citi, Google, and Intel
  • Lots of other great presenters. See for yourself.

The attendees are amazing and knowledgeable as well.

Tell your boss I said you should go.

The History of Wireshark in 3 minutes

Few days ago, I learned about a cool visualization program called Codeswarm which, surprisingly, is made by a guy that lives in Davis California like me. Codeswarm can be fed with the logs from a source code repository and produces an animated history of that source code. Soon enough, my weekend project became the creation a video that would condense the 11+ years of the Wiresahrk source code in 3 minutes. The result can be seen here:

This entry was posted in Video.

Running Wireshark as You

Running Wireshark on Linux involves an interesting challenge1: Capturing packets requires root access, but Wireshark is big program and we strongly recommend against running it with elevated privileges. On Linux it’s common to see Wireshark running as root, but this is nearly unheard for similarly-sized applications like Firefox and GIMP. How can we avoid running Wireshark as root? Continue reading