A common complaint about IPv6 is that addresses are “hard to read”. If you’ve been in the networking world any length of time IPv4’s dotted quad is most likely seared into your brain and clumps of hexadecimal digits of varying lengths can can be hard to wrap your head around. However, those clumps can provide useful information.

Below I’ll go over some of the address types I’ve seen and show you what information they provide.

NOTE: I’m not going to explain the basics of IPv6 address formats. Plenty of others have done that elsewhere. Wikipedia and RFC 4291 are good places to start.

Many of Wireshark’s web sites have been available over IPv6 for a while and as I’ve looked through various capture files and server logs patterns have emerged. Most of the addresses in this post are from IPv6 traffic captured in late January 2011. In Wireshark you can view IPv6 addresses via Statistics→Endpoint List→IPv6 or Statistics→Conversation List→IPv6 or by using the display filter “ipv6”.

First let’s look at the network prefixes that were captured. In my sample capture I see the following /16s (which we’ll call chunks for now):

2001::
2002::
2607::
2620::
2a01::
fe80::
ff02::

Most of the traffic in the capture starts with “2”. The prefix 2000::/3 has been assigned for global unicast traffic — that is, traffic you should see on the public internet. Right now you should only see prefixes between 2001::/16 and 2c00::/16 since IANA has only assigned prefixes in that range.

This alone is incredibly useful. A simple regular expression “[23]…:” (a “2” or “3” followed by three characters followed by a “:”) can be used to match public IPv6 traffic. I use this to find IPv6 addresses in Apache access logs.

Wireshark’s display filter engine doesn’t support prefix lengths for IPv6 addresses (not yet, at least) but you can use arithmetic comparisons to find public addresses, e.g. “ipv6.src >= 2000:: && ipv6.src < 4000::”.

Many prefixes in the assigned range are recognizable:

• 2002:: — 6to4 traffic. MTUs from these addresses will probably be lower than normal.
• 2001:470:: — Hurricane Electric. HE provides a popular tunnel broker service, so MTUs from these address will often be lower than normal.
• 2001:0:: — Teredo tunneling.
• Organizations with large v6 deployments such as 2001:420 (Cisco) 2001:4860 (Google)

The prefixes outside the global unicast range (fe80:: and ff02::) are link-local and multicast addresses respectively. Both of these are limited to the local network and typically used for ICMPv6 neighbor discovery.

Now let’s skip over to the last half of the addresses and look at some of the recognizable bits in the host portion:

• ::5efe:xxyy:zzqq — ISATAP. Yet another tunneling technology. xx, yy, zz, and qq represent a tunnelled IPv4 address.
• ::xxyy:zzff:feqq:rrss — SLAAC. This is the machine’s MAC address (xx:yy:zz:qq:rr:ss) with “ff:fe” shoved in the middle.
• ::random digits — A SLAAC privacy extension address.

There are two things of note about these last two. Windows has SLAAC privacy extensions enabled by default, while other operating systems (particularly Linux and OS X) don’t. You can often tell machine’s OS by looking at the host portion its IPv6 address. Furthermore, one of the big complaints about IPv6 (big hairy addresses) is actually a feature.

Now take a look at the following addresses. Notice anything unusual?

2620:12::5
2001:4860:8004::68
2001:420:80:1::5

Compared to the formats above they’re short. The host portion is mostly zeroes. These are manually assigned. In this case they’re all web server addresses. I added them to demonstrate that the length of IPv6 addresses is often up to you.

Are there any patterns or address types I missed? Feel free to share them below.