u/haElwKfeiow6

▲ 9 r/ipv6

Measuring IPv4 vs IPv6 usage with Wireshark Fairly / Less Biased

I am posting this for two reasons:
- I want feedback on the methodology.
- I want to help other people do fair and less biased Wireshark captures when comparing IPv4 and IPv6.

My organization has a “/40” block (since 2012); that being said, we don’t really use it unless someone requests it, which is unfortunate. I’ve been trying to demonstrate to my organization that when given the choice (dual stack), devices and applications, for the most part, prefer IPv6, especially since we have a "cloud first" mentality.

I wanted facts and data to strengthen my argument, so I turned to Wireshark (what an amazing resource, and it’s free). I treated it like a research question: Which protocol gets used for real internet traffic when both are available?

I quickly realized that capturing everything is misleading. If you just capture raw traffic, the results get skewed...

This capture filter is designed to isolate only off-network / internet-bound traffic for a fair IPv4 vs IPv6 comparison. It excludes internal traffic by dropping packets only when both the source and destination are inside organization-owned address space, while preserving bidirectional traffic between hosts and external internet destinations. It also removes ARP, link-local, multicast, and broadcast traffic, which are local-network mechanisms and would otherwise bias the results.

In other words: internal to internal gets dropped, internal to internet stays, internet to internal stays.

I’ll put an easy-to-read version of the capture filters at the top, and then a copy and paste version at the bottom.

Once the capture is done, go to: Statistics > Protocol Hierarchy. This will give you the protocol distribution.

I redacted the public IPv4 and IPv6 ranges using x placeholders for privacy. I intentionally left the subnet sizes visible because the mask lengths (/16, /25, /24, /40, /56) are important to understanding how the filter works.

Capture filter for at home:

    (ip or ip6)
    and not arp
    and not (ip and src net 10.0.0.0/23 and dst net 10.0.0.0/23)
    and not (ip and net 169.254.0.0/16)
    and not (ip6 and src net xxxx:xxxx:xxxx:xx00::/56 and dst net xxxx:xxxx:xxxx:xx00::/56)
    and not (ip6 and net fe80::/10)
    and not (ip and dst net 224.0.0.0/4)
    and not (ip6 and dst net ff00::/8)
    and not broadcast

Capture filter for organization:

For this filter I had to account for the following: one private IPv4 space (example: 10.0.0.0/8), three public IPv4 ranges (specifically /16, /25, /24), and one IPv6 prefix at /40.

    (ip or ip6)
    and not arp
    and not (
      ip and (
        (src net 10.0.0.0/8 and dst net 10.0.0.0/8)
        or (src net xxx.xxx.0.0/16 and dst net xxx.xxx.0.0/16)
        or (src net xxx.xxx.xxx.128/25 and dst net xxx.xxx.xxx.128/25)
        or (src net xxx.xxx.xxx.0/24 and dst net xxx.xxx.xxx.0/24)
      )
    )
    and not (
      ip6 and (
        src net xxxx:xxxx:xxxx::/40 and dst net xxxx:xxxx:xxxx::/40
      )
    )
    and not (ip and net 169.254.0.0/16)
    and not (ip6 and net fe80::/10)
    and not (ip and dst net 224.0.0.0/4)
    and not (ip6 and dst net ff00::/8)
    and not broadcast

Copy & paste versions for Wireshark

(ip or ip6) and not arp and not (ip and src net 10.0.0.0/23 and dst net 10.0.0.0/23) and not (ip and net 169.254.0.0/16) and not (ip6 and src net xxxx:xxxx:xxxx:xx00::/56 and dst net xxxx:xxxx:xxxx:xx00::/56) and not (ip6 and net fe80::/10) and not (ip and dst net 224.0.0.0/4) and not (ip6 and dst net ff00::/8) and not broadcast

(ip or ip6) and not arp and not (ip and ((src net 10.0.0.0/8 and dst net 10.0.0.0/8) or (src net xxx.xxx.0.0/16 and dst net xxx.xxx.0.0/16) or (src net xxx.xxx.xxx.128/25 and dst net xxx.xxx.xxx.128/25) or (src net xxx.xxx.xxx.0/24 and dst net xxx.xxx.xxx.0/24))) and not (ip6 and (src net xxxx:xxxx:xxxx::/40 and dst net xxxx:xxxx:xxxx::/40)) and not (ip and net 169.254.0.0/16) and not (ip6 and net fe80::/10) and not (ip and dst net 224.0.0.0/4) and not (ip6 and dst net ff00::/8) and not broadcast

Using these methods I have observed:

- IPv6 often dominates; I have seen over 90% in some runs.

- Results will vary, depending on what apps you’re using, which sites/services you hit, and CDN behavior.

My questions:

Does this filtering approach look sound?

Am I missing any sources of bias?

Has anyone done large scale measurements like this?

Thanks for reading this far.

Useful Links:

https://wiki.wireshark.org/CaptureFilters

https://www.wireshark.org/docs/wsug_html_chunked/ChStatHierarchy.html

https://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html

https://www.wireshark.org/docs/man-pages/pcap-filter.html

u/haElwKfeiow6 — 3 days ago
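
Added example, not part of the original post: a Python model of the organization filter's keep/drop decision, run over constructed (source, destination, length) records to produce the per-version byte share that Protocol Hierarchy would report. The ranges are documentation prefixes standing in for the redacted ones, and the function names `kept` and `share` are hypothetical.

```python
import ipaddress as ipa

# Constructed stand-ins for the post's redacted ranges (documentation prefixes).
INTERNAL = [ipa.ip_network(n) for n in
            ("10.0.0.0/8", "198.51.100.0/24", "2001:db8:ab00::/40")]
LINK_LOCAL = [ipa.ip_network("169.254.0.0/16"), ipa.ip_network("fe80::/10")]
MULTICAST = [ipa.ip_network("224.0.0.0/4"), ipa.ip_network("ff00::/8")]
# Assumption: "not broadcast" is a link-layer test in pcap; with only IP
# addresses available it is approximated by the IPv4 limited broadcast.
V4_BROADCAST = ipa.ip_address("255.255.255.255")

def kept(src, dst):
    """Return True if the capture filter would keep a packet src -> dst."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    # Each filter clause pairs one range with itself (src net X and dst net X).
    if any(s in net and d in net for net in INTERNAL):
        return False
    # "net" without a direction matches either end of the packet.
    if any(s in net or d in net for net in LINK_LOCAL):
        return False
    if any(d in net for net in MULTICAST) or d == V4_BROADCAST:
        return False
    return True

def share(packets):
    """Tally kept bytes per IP version; packets are (src, dst, length)."""
    totals = {4: 0, 6: 0}
    for src, dst, length in packets:
        if kept(src, dst):
            totals[ipa.ip_address(src).version] += length
    total = sum(totals.values())
    return {f"ipv{v}": (b, round(100 * b / total, 1) if total else 0.0)
            for v, b in totals.items()}

# Constructed sample traffic, not real capture data.
SAMPLE = [
    ("10.1.2.3", "10.9.9.9", 1500),                  # internal to internal
    ("10.1.2.3", "203.0.113.7", 400),                # internal to internet
    ("203.0.113.7", "10.1.2.3", 600),                # internet to internal
    ("10.1.2.3", "198.51.100.20", 500),              # private to own public range
    ("2001:db8:ab01::5", "2001:db8:abff::9", 1500),  # both inside the /40
    ("2001:db8:ab01::5", "2001:db8:ffff::1", 3000),  # internal to internet
    ("2001:db8:ffff::1", "2001:db8:ab01::5", 6000),  # internet to internal
    ("fe80::1", "ff02::1", 100),                     # link-local and multicast
    ("10.1.2.3", "224.0.0.251", 100),                # IPv4 multicast
    ("10.1.2.3", "255.255.255.255", 100),            # IPv4 broadcast
]

if __name__ == "__main__":
    print(share(SAMPLE))
```

On the sample, the flow from 10.1.2.3 to 198.51.100.20 is kept and counted as IPv4, because the filter matches internal traffic one range at a time rather than across the organization's ranges.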