Latest version: 2.1.0

NDPMon generates various reports and alerts. These cover Neighbor Discovery Protocol activity, misconfigurations or non-malicious unexpected RAs (rogue RAs), and actual attacks (as described in RFC 3756).

Currently, the following alerts and reports are generated.

Router Advertisement related alerts

  • wrong couple MAC/IP: the MAC address is valid, so is the IP address, but not both of them together
  • wrong router MAC: invalid MAC address
  • wrong router IP address: invalid IP address
  • wrong prefix: invalid IPv6 prefix
  • wrong RA flags: invalid flags in the RA
  • wrong RA params: wrong parameter in the RA (lifetimes, timers...)
  • wrong RA RDNSS option: wrong nameserver advertised in RA
  • wrong RA DNSSL option: wrong domain advertised in RA
  • wrong RA Route Info option: wrong prefix advertised in Route Information option
  • wrong RA Route Info preference: wrong preference announced in Route Information option
  • wrong RA Route Info lifetime: wrong lifetime announced in Route Information option

Router Redirect related alerts

  • wrong router redirect: the router which emitted the redirect is not valid

Neighbor Advertisement related alerts

  • NA router flag in Neighbor Advertisement: a node not declared as a router announced itself as one
  • NA Override flag in Neighbor Advertisement: a node sends an NA with the Override flag set when it should not
  • NA multicast target: NA with a multicast address as target
  • Duplicate Address Detection DOS: duplicate address detection denial of service

Generic alerts

  • new station: new node on the link
  • new IPv6 Global Address: new IPv6 Global address for a node
  • new IPv6 Link Local Address: new IPv6 Link Local address for a node
  • changed ethernet address: a Global IPv6 address has a new MAC address
  • flip flop: a node uses two MAC addresses one after the other
  • reused old Ethernet address: reuse of an old MAC address
  • Unknown MAC Manufacturer: MAC vendor unknown, might be a forged one
  • wrong couple MAC/LLA: wrong couple source Ethernet and source LLA addresses, i.e. Ethernet and Link Local Addresses are found but in different neighbors
  • IP Multicast
  • Ethernet Broadcast
  • Ethernet mismatch: link layer Ethernet address and address in ICMPv6 option do not match
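
To make three of the checks above concrete (NA router flag, NA multicast target and Ethernet mismatch), the following added example parses a raw Ethernet frame carrying a Neighbor Advertisement and returns the matching alert names. It is not NDPMon's own code: the function names, the use of a set of MAC addresses for the declared routers, and the sample frames are assumptions of this example, and it assumes no IPv6 extension headers.

```python
import struct

ICMPV6_NA, OPT_TARGET_LLA = 136, 2           # RFC 4861 type codes
FLAG_ROUTER = 0x80                           # R bit in the NA flags byte
# Constructed sample addresses (locally administered MACs, link-local host).
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
HOST = bytes.fromhex("fe80" + "00" * 6 + "020000fffe000001")
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")

def check_na_frame(frame, declared_router_macs):
    """Return the alert names from this page that one Ethernet frame raises."""
    alerts = []
    if len(frame) < 14 + 40 + 24:            # Ethernet + IPv6 + fixed NA part
        return alerts
    eth_src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    icmp = frame[54:]
    # Assumption: ICMPv6 follows the IPv6 header directly (next header 58).
    if ethertype != 0x86DD or frame[20] != 58 or icmp[0] != ICMPV6_NA:
        return alerts
    flags, target = icmp[4], icmp[8:24]
    if flags & FLAG_ROUTER and eth_src not in declared_router_macs:
        alerts.append("NA router flag in Neighbor Advertisement")
    if target[0] == 0xFF:                    # ff00::/8 is multicast
        alerts.append("NA multicast target")
    off = 24                                 # options: type, length in 8-byte units
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            break                            # malformed option: stop walking
        if opt_type == OPT_TARGET_LLA and icmp[off + 2:off + 8] != eth_src:
            alerts.append("Ethernet mismatch")
        off += opt_len
    return alerts

def build_na(eth_src, target, flags, opt_mac):
    """Constructed test frame; the ICMPv6 checksum is left at zero."""
    icmp = struct.pack("!BBHB3x", ICMPV6_NA, 0, 0, flags) + target
    icmp += bytes([OPT_TARGET_LLA, 1]) + opt_mac
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + HOST + ALL_NODES
    return bytes.fromhex("333300000001") + eth_src + b"\x86\xdd" + ip6 + icmp

if __name__ == "__main__":
    # Well-formed NA, then one with the R flag and a foreign MAC in the option,
    # then one whose target is the all-nodes multicast address.
    print(check_na_frame(build_na(MAC_A, HOST, 0x60, MAC_A), set()))
    print(check_na_frame(build_na(MAC_A, HOST, 0xE0, MAC_B), {MAC_B}))
    print(check_na_frame(build_na(MAC_A, ALL_NODES, 0x20, MAC_A), set()))
```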