IPv6 Address Statistics based on DAD Messages

After my Tcpdump script for storing MAC-IPv6 address bindings via the Duplicate Address Detection messages (link) and an analysis of the realibility of them (here), I had the idea of a Linux script that analyzes the Tcpdump output for obtaining some IPv6 address statistics. It should not show concrete bindings between MAC- and IPv6-addresses, but the number of different kind of IPv6 addresses, such as link-local or global-unicast addresses, built with or without EUI-64, etc.

In the following, I will present my script and will show the results after running it through the DAD logs of a whole month (March 2014) in a BYOD-WLAN with more than 100 clients.

Global Unicast vs. Link-Local

The script reads out a DAD logfile which must be generated like presented in my frist blogpost for DAD messages (link). It then “analyzes” them with several simple shell commands such as sed, sort, uniq, and grep, all piped behind each other. In the end, a “wc -l” counts the number of addresses for each request. The main idead was to analyze the distribution of global unicast and link-local IPv6 addresses, separated to “EUI-64 based address” or “random (e.g. privacy extended) address”.

As an example, this is the command that counts the global unicast IPv6 addresses:

 

My script is the following. Make it executable (chmod u+x ipv6addrstats) and call it with the dad-logfile specified:

 

Here is a sample output from my DAD sniffing over a month (published here) with the ipv6addrstats script. It shows the number of MAC- and IPv6-addresses, separated into Global Unicast and Link-Local. Furthermore, both categories are split into “ff:fe” types of addresses and “random looking” ones. (Note that Windows uses static but random IIDs for its link-local addresses in addition to the privacy extensions for global unicast addresses):

That’s it. ;)

Though my script does not visualize these values, I drew a simple graph with Excel to better interpret these values. Here it is. The most interesting part is the wide usage of the Privacy Extensions:

IPv6 DAD Address Statistics

 

However, I was interested in a few more analysis of the DAD file that go beyond a simple count of addresses. Here they are:

How many IPv6 addresses per MAC?

I was interested in the following: How many IPv6 addresses has a single MAC address created? Of course, I can produce a detailed list with all concrete IPv6 addresses per MAC address, but I was almost interested in the mere count of addresses. Here is my selection:

This produces the following output. (I only list the first and last few entries here). Really interesting that some clients generated a few hundred IPv6 addresses over the measured 30 days:

 

A similar selection is the count of DAD messages per MAC address. The request looks like that:

And here is the sample output, of course with mostly the same MAC addresses in the first rows compared to the sample output above:

Leave a Reply

Your email address will not be published. Required fields are marked *