
I have a suspicion that my home network may be compromised and used by malicious actors.

I'm a networking noob, so I would like to know whether having Neighbour Solicitations sent >2000 is normal?

I got these stats from running the command netstat -s:

IPv4 Statistics

  Packets Received                   = 44873
  Received Header Errors             = 0
  Received Address Errors            = 0
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 1
  Received Packets Discarded         = 3479
  Received Packets Delivered         = 62550
  Output Requests                    = 48541
  Routing Discards                   = 0
  Discarded Output Packets           = 389
  Output Packet No Route             = 0
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

IPv6 Statistics

  Packets Received                   = 1991
  Received Header Errors             = 0
  Received Address Errors            = 0
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 1229
  Received Packets Delivered         = 34570
  Output Requests                    = 36382
  Routing Discards                   = 0
  Discarded Output Packets           = 1979
  Output Packet No Route             = 0
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

ICMPv4 Statistics

                            Received    Sent
  Messages                  509         444
  Errors                    0           0
  Destination Unreachable   462         416
  Time Exceeded             19          0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echo Replies              16          12
  Echos                     12          16
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0
  Router Solicitations      0           0
  Router Advertisements     0           0

ICMPv6 Statistics

                            Received    Sent
  Messages                  947         3080
  Errors                    0           0
  Destination Unreachable   943         943
  Packet Too Big            0           0
  Time Exceeded             0           0
  Parameter Problems        0           0
  Echos                     0           0
  Echo Replies              0           0
  MLD Queries               0           0
  MLD Reports               0           0
  MLD Dones                 0           0
  Router Solicitations      0           6
  Router Advertisements     0           0
  Neighbor Solicitations    2           2127
  Neighbor Advertisements   2           4
  Redirects                 0           0
  Router Renumberings       0           0

TCP Statistics for IPv4

  Active Opens                        = 1454
  Passive Opens                       = 543
  Failed Connection Attempts          = 132
  Reset Connections                   = 219
  Current Connections                 = 36
  Segments Received                   = 38050
  Segments Sent                       = 34308
  Segments Retransmitted              = 743

TCP Statistics for IPv6

  Active Opens                        = 85
  Passive Opens                       = 5
  Failed Connection Attempts          = 79
  Reset Connections                   = 2
  Current Connections                 = 0
  Segments Received                   = 914
  Segments Sent                       = 667
  Segments Retransmitted              = 251

UDP Statistics for IPv4

  Datagrams Received    = 26358
  No Ports              = 772
  Receive Errors        = 2818
  Datagrams Sent        = 11585

UDP Statistics for IPv6

  Datagrams Received    = 34871
  No Ports              = 234
  Receive Errors        = 1104
  Datagrams Sent        = 32306

As you can see, the Neighbour Solicitation count is the only thing that sticks out to me as abnormal. Or is there anything else showing above or below that could be abnormal?

ICMPv6 Statistics

                            Received    Sent
  Messages                  947         3080
  Errors                    0           0
  Destination Unreachable   943         943
  Packet Too Big            0           0
  Time Exceeded             0           0
  Parameter Problems        0           0
  Echos                     0           0
  Echo Replies              0           0
  MLD Queries               0           0
  MLD Reports               0           0
  MLD Dones                 0           0
  Router Solicitations      0           6
  Router Advertisements     0           0
  Neighbor Solicitations    2           2127
  Neighbor Advertisements   2           4
  Redirects                 0           0
  Router Renumberings       0           0

Thanks!

1 Answer


Yes and no – the number looks about normal in isolation, although it's a bit high compared to the number of received Neighbor Solicitations (as well as compared to the number of received Neighbor Advertisement responses), as the four counters should normally be approximately in the same range.

ICMPv6 Neighbor Solicitations have the same primary purpose as ARP queries in IPv4 – they translate IP addresses to MAC addresses. So your computer sends an ICMPv6 NS whenever it wants to contact an IPv6 address in its own subnet and therefore needs to know the MAC address. (This includes using that address as a gateway, not only talking to it directly – so if you have IPv6 then there will be Neighbor Solicitations sent to your router's address.)

If there's no device with that address, there might be up to 3 (or 5?) NS attempts until your computer gives up. After a few minutes, if a program still keeps trying to contact that address, there will be a few more NS queries, etc. (For example, I have Syncthing installed on my desktop and it frequently tries to reach my laptop, which might be asleep at that time.)

They also have a secondary purpose for Neighbor Unreachability Detection (ARP queries in IPv4 are sometimes also used this way, though it's not part of a standard) – inactive neighbor cache entries are more proactively marked as "stale" in IPv6 and new Neighbor Solicitations are sent directly to that device to verify its aliveness even though its MAC address is still known. (I forgot the exact details though.)

(Note: Even if your ISP doesn't provide IPv6, and if you don't have a global IPv6 address, there's still a high chance that your router will have a local 'fdXX:' IPv6 network set up – and it will be automatically used for things like Windows file sharing, etc.)

In general, there's a very easy way to see what's happening behind those statistics: use a packet capture tool such as Wireshark or Microsoft Network Monitor (or the command-line tshark, tcpdump, pktmon). They will literally show you the actual Neighbor Solicitation packets going out.
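Added example (not part of the original answer): a Python sketch of the check a capture makes possible, tallying Neighbor Solicitations per target address and listing the targets that never produced a Neighbor Advertisement. It assumes the ICMPv6 message bodies have already been extracted from a capture; the function names are hypothetical and the sample messages are constructed.

```python
import ipaddress
import struct
from collections import Counter

NS, NA = 135, 136  # ICMPv6 message types defined in RFC 4861

def parse_nd(icmp6: bytes):
    """Return (type, target address) for an NS/NA message, else None."""
    if len(icmp6) < 24:  # 8-byte header + 16-byte target address
        return None
    msg_type, code, _cksum, _flags = struct.unpack("!BBHI", icmp6[:8])
    if msg_type not in (NS, NA) or code != 0:
        return None
    return msg_type, ipaddress.IPv6Address(icmp6[8:24])

def unanswered_targets(messages):
    """Count solicitations per target; keep targets with no advertisement."""
    solicited, answered = Counter(), set()
    for raw in messages:
        parsed = parse_nd(raw)
        if parsed is None:
            continue  # not Neighbor Discovery, or truncated
        msg_type, target = parsed
        if msg_type == NS:
            solicited[target] += 1
        else:
            answered.add(target)
    return {str(t): n for t, n in solicited.items() if t not in answered}

def build(msg_type, target):
    """Construct a minimal NS/NA body (checksum zero, no options)."""
    flags = 0x60000000 if msg_type == NA else 0  # Solicited + Override bits
    header = struct.pack("!BBHI", msg_type, 0, 0, flags)
    return header + ipaddress.IPv6Address(target).packed

# Constructed sample: the router answers, an absent host does not.
SAMPLE = (
    [build(NS, "fe80::1"), build(NA, "fe80::1")]
    + [build(NS, "fd00::50")] * 3
    + [struct.pack("!BBHI", 1, 0, 0, 0) + bytes(16)]  # Destination Unreachable
)

if __name__ == "__main__":
    for target, count in unanswered_targets(SAMPLE).items():
        print(f"{target}: {count} solicitations, no advertisement seen")
```

A target that accumulates many solicitations with no advertisement matches the case described above of a program repeatedly trying to reach an address with no device behind it.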

  • This is very well explained, and yes, my ISP does not provide IPv6 but my desktop PC shows a local IPv6 network set up! Also I will research further into Wireshark or MS Network Monitor. Thanks!!
    – RedRum
    Commented Sep 26, 2022 at 16:06
