On 30/07/21 12:28, Marco Davids (SIDN) via Wireshark-dev wrote:
> Hello,
> I have an idea for a new feature in Wireshark and would like to hear
> your take on it:
> In Wireshark, under the 'Ethernet II'-section (when the 'name
> resolution' preference is set appropriately) the MAC addresses are
> 'resolved' to manufacturer names. This can be a handy feature.
> What about extending this capability to (applicable) IPv6 SLAAC
> (RFC4862) addresses as well?
> Unless some form of privacy enhancement was used (like RFC4941), quite a
> few SLAAC IPv6 addresses contain an RFC4291 interface identifier, which
> can easily be reversed into a MAC address, which in turn can be used to
> discover manufacturer names. As such, these IPv6 addresses contain
> useful debugging information and it would be great if Wireshark could
> easily display a manufacturer for the IPv6 address in question,
> especially in the 'statistics endpoints' overview.
> I realize that for privacy reasons a majority of IPv6 addresses are
> generated differently nowadays and can't be used this way, but some
> preliminary testing showed that there are still quite a few addresses
> that can.
> Examples:
> 2001:db8::86c7:eaff:fe1e:fe46 would resolve to 'Sony Corporation'
> 2001:db8::de91:bfff:fec5:4f66 to 'Amazon Technologies Inc.'
> 2001:db8::215:5dff:fe01:b446 to 'Microsoft Corporation'
> 2001:db8::201:c0ff:fe06:3552 to 'CompuLab, Ltd.'
> 2001:db8::be05:43ff:fefb:281f to 'AVM GmbH'
> etc.
> Looking a bit closer at the last example:
> Address: 2001:db8::be05:43ff:fefb:281f
> translates into: bc:05:43:fb:28:1f
> is: 'AVM GmbH'
> That's a well-known vendor of Fritz!Box and related products.
> So, if I were debugging traffic from 2001:db8::be05:43ff:fefb:281f,
> reaching me from a few hops away on the internet, in this particular
> case I could assume it was some sort of AVM product I'm dealing with.
> Let me know what you think and if you deem this feasible.
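The reversal Marco describes (modified EUI-64 interface identifier back to the 48-bit MAC, then an OUI lookup) as an added Python example that is not part of the thread or of Wireshark's code; the `OUI_TABLE` below is a constructed three-entry stand-in for the real manuf database, and the function returns `None` for identifiers without the `ff:fe` marker, which is what RFC 4941 temporary or RFC 7217 stable-privacy addresses look like.

```python
import ipaddress
from typing import Optional

# Constructed vendor table holding only the OUIs needed for the examples in
# the post; the real Wireshark 'manuf' database has tens of thousands of rows.
OUI_TABLE = {
    "bc:05:43": "AVM GmbH",
    "84:c7:ea": "Sony Corporation",
    "00:15:5d": "Microsoft Corporation",
}


def slaac_to_mac(addr: str) -> Optional[str]:
    """Reverse a modified EUI-64 interface identifier (RFC 4291, App. A)
    into the MAC address it was derived from.

    Returns None when the identifier does not carry the 0xfffe marker in
    bytes 3..4, i.e. for privacy (RFC 4941), stable-privacy (RFC 7217) or
    manually assigned addresses, which cannot be mapped to a vendor.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]  # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    # Drop the inserted ff:fe and undo the U/L bit flip (0x02) that
    # RFC 4291 applies to the first octet when building the identifier.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def vendor_for_ipv6(addr: str) -> Optional[str]:
    """Resolve an IPv6 address to a vendor name via its embedded OUI."""
    mac = slaac_to_mac(addr)
    if mac is None:
        return None
    return OUI_TABLE.get(mac[:8])  # first three octets = 24-bit OUI


if __name__ == "__main__":
    for a in ("2001:db8::be05:43ff:fefb:281f",      # EUI-64 derived
              "2001:db8::1234:5678:9abc:def0"):     # constructed, no ff:fe
        print(a, "->", slaac_to_mac(a), vendor_for_ipv6(a))
```

The same check is a cheap way to audit a capture for hosts still exposing hardware identity in their global addresses, which is the debugging signal Marco is after and, from the other side, the leak that RFC 4941 exists to close.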
There is already an IPv6 "SA MAC" field in Wireshark that does what you
want.
The aggregate statistics for that could probably find a place under
"IPv6 Statistics". Not so much "Endpoints" IMO.
Cheers,