Hello Jim,
I've made a trace on a simple network (no fancy VLAN stuff). Take a peek
at the attached file which I've produced with 0.10.8 on a Win2k machine.
(warning: long lines). The column headings tell what format it's in,
these are the details (from preferences):
######## User Interface: Columns ########
# Packet list column format.
# Each pair of strings consists of a column title and its format.
column.format: "No.", "%m", "Time", "%t", "Source", "%s", "Src L2", "%hs",
"Src L2 (resolved)", "%rhs", "Src L2 (unresolved)", "%uhs",
"Dst L2", "%rhd", "Destination", "%d", "Protocol", "%p",
"Size", "%L", "Info", "%i"
Now how come there are IP addresses in the HW address resolved columns?
Is this by design or not, and if so it's broken, hence my original
question.
Thanx for the input,
Jaap
On Thu, 20 Jan 2005, James V. Fields wrote:
> This column only resolves the hardware address to a display that
> includes the manufacturer's name. It does not attempt to match a MAC
> address to an IP address. Even if you line this up next to a "network
> address" column, what you're seeing is a result of how layer 2 packet
> forwarding works - any packets coming from the other side of a router
> (from the sniffer's perspective) will show a source MAC of the local
> router interface, which will also be the destination MAC for packets
> destined for machines outside the local net. This is a fairly basic
> layer 2 / layer 3 networking concept worth reviewing. You may want to
> check out the excellent Sniffing FAQ by Robert Graham. His site seems
> to be down, but here is a link to another site hosting the file:
> http://linuxsecurity.net/resource_files/intrusion_detection/sniffing-faq.html
>
>
> Jaap Keuter wrote:
> > Hello list,
> >
> > I've run into trouble with the Hardware to IP address resolution mechanism
> > in Ethereal (check the column Hardware address resolved). It gets confused
> > if multiple LANs (VLANs) are present on the same wire. An interface
> > seems to get related to the first IP address seen on a packet from that
> > interface. Can anyone point me to where this resolution mechanism is, and
> > where it gets its knowledge from?
> >
> > Thanx,
> > Jaap
> >
> >
> >
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> >
No.  Time      Source             Src L2             Src L2 (resolved)  Src L2 (unresolved)  Dst L2             Destination        Protocol  Size  Info
1    0.000000  192.168.23.103     192.168.23.103     192.168.23.103     00:08:02:ca:6c:6c    Broadcast          Broadcast          ARP       42    Who has 192.168.23.22? Tell 192.168.23.103
2    0.731700  Cisco_71:0e:a8     Cisco_71:0e:a8     Cisco_71:0e:a8     00:02:4b:71:0e:a8    01:00:0c:cc:cc:cd  01:00:0c:cc:cc:cd  STP       64    Conf. Root = 32768/00:01:42:48:05:2a Cost = 8 Port = 0x80e9
3    1.214656  HewlettP_d8:b5:b6  HewlettP_d8:b5:b6  HewlettP_d8:b5:b6  00:30:6e:d8:b5:b6    CDP/VTP            CDP/VTP            CDP       157   Cisco Discovery Protocol
4    1.922094  192.168.23.103     192.168.23.103     192.168.23.103     00:08:02:ca:6c:6c    192.168.23.254     130.139.41.80      SMB       107   Echo Request
5    1.922532  130.139.41.80      192.168.23.254     192.168.23.254     00:d0:bc:f2:03:78    192.168.23.103     192.168.23.103     SMB       107   Echo Response
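
The layer 2 / layer 3 point made in the quoted reply, as an added example (not part of the original messages and not Ethereal's resolver code): a MAC-to-IP binding taken from IP headers mislabels a router, while a binding taken from ARP sender fields stays on-link. The 192.168.23.0/24 subnet, the frame tuples and the function names are assumptions; addresses are taken from the trace above except where marked constructed.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.23.0/24")  # assumed on-link subnet

# Constructed sample frames: (kind, source MAC, source/sender IP).
# Addresses come from the trace above; the ARP frame from .254 and the
# second remote host are constructed for illustration.
FRAMES = [
    ("arp", "00:08:02:ca:6c:6c", "192.168.23.103"),
    ("arp", "00:d0:bc:f2:03:78", "192.168.23.254"),  # constructed
    ("ip",  "00:08:02:ca:6c:6c", "192.168.23.103"),
    ("ip",  "00:d0:bc:f2:03:78", "130.139.41.80"),
    ("ip",  "00:d0:bc:f2:03:78", "130.139.41.81"),   # constructed
]


def first_seen_binding(frames):
    """Naive table: bind each MAC to the first source IP seen with it."""
    table = {}
    for _kind, mac, ip in frames:
        table.setdefault(mac, ip)
    return table


def arp_binding(frames):
    """Bind a MAC only to IPs it claimed as ARP sender (an on-link fact)."""
    table = {}
    for kind, mac, ip in frames:
        if kind == "arp":
            table.setdefault(mac, set()).add(ip)
    return table


def forwarding_macs(frames, local_net=LOCAL_NET):
    """MACs that source IP packets for off-link addresses, i.e. routers."""
    routed = {}
    for kind, mac, ip in frames:
        if kind == "ip" and ipaddress.ip_address(ip) not in local_net:
            routed.setdefault(mac, set()).add(ip)
    return routed


if __name__ == "__main__":
    names = arp_binding(FRAMES)
    for mac, ips in forwarding_macs(FRAMES).items():
        print(mac, "forwards for", sorted(ips), "ARP binding:", names.get(mac))
```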