Hello,
I have an idea for a new feature in Wireshark and would like to hear
your take on it:
In Wireshark, under the 'Ethernet II'-section (when the 'name
resolution' preference is set appropriately) the MAC addresses are
'resolved' to manufacturer names. This can be a handy feature.
What about extending this capability to (applicable) IPv6 SLAAC
(RFC4862) addresses as well?
Unless some form of privacy enhancement was used (like RFC4941), quite a
few SLAAC IPv6 addresses contain an RFC4291 interface identifier that
can easily be reversed into a MAC address, which in turn can be used to
discover manufacturer names. As such, these IPv6 addresses contain
useful debugging information and it would be great if Wireshark could
easily display a manufacturer for the IPv6 address in question,
especially in the 'statistics endpoints' overview.
I realize that for privacy reasons a majority of IPv6 addresses are
generated differently nowadays and can't be used this way, but some
preliminary testing showed that there are still quite a few addresses
that can.
Examples:
2001:db8::86c7:eaff:fe1e:fe46 would resolve to 'Sony Corporation'
2001:db8::de91:bfff:fec5:4f66 to 'Amazon Technologies Inc.'
2001:db8::215:5dff:fe01:b446 to 'Microsoft Corporation'
2001:db8::201:c0ff:fe06:3552 to 'CompuLab, Ltd.'
2001:db8::be05:43ff:fefb:281f to 'AVM GmbH'
etc.
Looking a bit closer at the last example:
Address: 2001:db8::be05:43ff:fefb:281f
translates into: bc:05:43:fb:28:1f
is: 'AVM GmbH'
That's a well-known vendor of Fritz!Box and related products.
So, if I were debugging traffic from 2001:db8::be05:43ff:fefb:281f,
reaching me from a few hops away on the internet, in this particular
case I could assume it was some sort of AVM product I'm dealing with.
Let me know what you think and if you deem this feasible.
Cheers,
--
Marco
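
The reversal described in the message above, as an added example that is not part of the original post and not Wireshark code: it checks for the `ff:fe` marker of a modified EUI-64 interface identifier (RFC4291), flips the universal/local bit back and looks up the OUI. The function names are hypothetical, and the vendor table is constructed from the examples in the post rather than loaded from the IEEE registry.

```python
import ipaddress
from typing import Optional

# Constructed table: OUIs and vendor names taken from the post's examples.
# A real tool would load the full IEEE OUI registry instead.
SAMPLE_OUIS = {
    "84:c7:ea": "Sony Corporation",
    "dc:91:bf": "Amazon Technologies Inc.",
    "00:15:5d": "Microsoft Corporation",
    "00:01:c0": "CompuLab, Ltd.",
    "bc:05:43": "AVM GmbH",
}


def slaac_to_mac(address: str) -> Optional[str]:
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    if ip.version != 6:
        return None
    iid = bytearray(ip.packed[8:])   # low 64 bits are the interface identifier
    # Modified EUI-64 inserts ff:fe between the OUI and the NIC-specific part.
    # A random (RFC4941) identifier can match by chance, so treat this as a hint.
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                   # undo the inverted universal/local bit
    mac = iid[:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def slaac_vendor(address: str, ouis=SAMPLE_OUIS) -> Optional[str]:
    """Return the vendor for an EUI-64 derived address, or None if unknown."""
    mac = slaac_to_mac(address)
    if mac is None:
        return None
    # A locally administered MAC (bit 0x02 set) has no registered OUI.
    if int(mac[:2], 16) & 0x02:
        return None
    return ouis.get(mac[:8])


if __name__ == "__main__":
    for addr in ("2001:db8::be05:43ff:fefb:281f", "2001:db8::1"):
        print(addr, slaac_to_mac(addr), slaac_vendor(addr))
```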