Hello, I have an idea for a new feature in Wireshark and would like to hear your take on it:
In Wireshark, under the 'Ethernet II'-section (when the 'name resolution' preference is set appropriately) the MAC addresses are 'resolved' to manufacturer names. This can be a handy feature.
What about extending this capability to (applicable) IPv6 SLAAC (RFC4862) addresses as well?
Unless some form of privacy enhancement was used (like RFC4941), quite a few SLAAC IPv6 addresses contain an RFC4291 interface identifier that can easily be reversed into a MAC address, which in turn can be used to discover manufacturer names. As such, these IPv6 addresses contain useful debugging information and it would be great if Wireshark could easily display a manufacturer for the IPv6 address in question, especially in the 'statistics endpoints' overview.
I realize that for privacy reasons a majority of IPv6 addresses is generated differently nowadays and can't be used this way, but some preliminary testing showed that there are still quite a few addresses that can.
Examples:
2001:db8::86c7:eaff:fe1e:fe46 would resolve to 'Sony Corporation'
2001:db8::de91:bfff:fec5:4f66 to 'Amazon Technologies Inc.'
2001:db8::215:5dff:fe01:b446 to 'Microsoft Corporation'
2001:db8::201:c0ff:fe06:3552 to 'CompuLab, Ltd.'
2001:db8::be05:43ff:fefb:281f to 'AVM GmbH'
etc.

Looking a bit closer at the last example:
Address: 2001:db8::be05:43ff:fefb:281f
translates into: bc:05:43:fb:28:1f
is: 'AVM GmbH'

That's a well-known vendor of Fritz!Box and related products. So, if I were debugging traffic from 2001:db8::be05:43ff:fefb:281f, reaching me from a few hops away on the internet, in this particular case I could assume it was some sort of AVM product I'm dealing with.

Let me know what you think and if you deem this feasible.

Cheers,
-- Marco
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
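The reversal described in the message above, as an added Python example that is not part of the original post and not Wireshark code. The function names are hypothetical, and the small OUI table is built only from the vendor names the post gives; a real lookup would use the full IEEE registry.

```python
import ipaddress

# OUI -> vendor pairs taken from the examples in the post (assumption: a
# real implementation would consult the full registry, e.g. Wireshark's
# manuf data, instead of this five-entry table).
SAMPLE_OUIS = {
    "84:c7:ea": "Sony Corporation",
    "dc:91:bf": "Amazon Technologies Inc.",
    "00:15:5d": "Microsoft Corporation",
    "00:01:c0": "CompuLab, Ltd.",
    "bc:05:43": "AVM GmbH",
}


def eui64_to_mac(address):
    """Return the universally administered MAC embedded in a modified
    EUI-64 interface identifier (RFC 4291, Appendix A), or None."""
    try:
        ip = ipaddress.IPv6Address(address)
    except ipaddress.AddressValueError:
        return None
    iid = ip.packed[8:]              # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":      # filler bytes inserted between OUI and NIC part
        return None                  # e.g. RFC 4941 temporary addresses
    if not iid[0] & 0x02:            # u bit clear: source MAC was locally
        return None                  # administered, so no registered OUI
    # Undo the u-bit inversion and drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def resolve_vendor(address, ouis=SAMPLE_OUIS):
    """Map an IPv6 address to a vendor name via its embedded MAC, or None."""
    mac = eui64_to_mac(address)
    if mac is None:
        return None
    return ouis.get(mac[:8])         # first three octets = OUI


if __name__ == "__main__":
    for addr in ("2001:db8::be05:43ff:fefb:281f",
                 "2001:db8::215:5dff:fe01:b446",
                 "2001:db8::1234:5678:9abc:def0"):   # constructed non-EUI-64 IID
        print(addr, eui64_to_mac(addr), resolve_vendor(addr))
```

The `ff:fe` test is a heuristic: a randomly generated interface identifier can contain those two bytes by chance, so a match suggests rather than proves a MAC-derived address.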