Tracking down the source of IPv6 Router Advertisements in Linux

Recently I was tracking down an issue involving some rogue IPv6 router advertisements in an environment intended to use DHCPv6 only.

I was hoping for an easy way to determine where these RAs were coming from, and what their contents looked like. Enter the radvdump command.

apt install radvdump

Next I was able to run the following query to listen for RA responses. The -d flat is utilized for the maximum verbosity debug level. Note: I had to run this query in a screen session, as the only quick way I could solicit for RA responses is by downing my interface temporarily:

radvdump -d 4

Upon restart of my interfaces, I had the response I was looking for, a full output of the RA response, and most importantly, the link-local address which was providing the response:

[Dec 06 22:04:51] radvdump (3284): receiver if_index: 2
#
# radvd configuration generated by radvdump 2.17
# based on Router Advertisement from fe80::968e:d3ff:fe8a:d49
# received by interface ens4
#

interface ens4
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag on;
        AdvOtherConfigFlag off;
        AdvReachableTime 0;
        AdvRetransTimer 1000;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;
        AdvLinkMTU 1500;

        prefix 2607:fdc0:5:9::/64
        {
                AdvValidLifetime 2592000;
                AdvPreferredLifetime 604800;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition

}; # End of interface definition

Utilizing this information I was able to track down the problematic device and fix the issue (P.S. – With Arista routers setting ipv6 nd ra disabled isn’t sufficient to stop all RAs to Linux clients, instead, ipv6 nd ra disabled all was needed).