Ethereal-users: Re: [Ethereal-users] ARP decoding problems
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Wed, 11 Oct 2000 00:57:03 -0700
On Tue, Oct 10, 2000 at 08:13:32AM -0400, Shawn Starr wrote: > Line: 0020: on the decoding of arps shows incorrect information > Target hardware address: 00:00:00:00:00 > > is always 12 0's? > > Isn't this supposed to be the destination of the MAC address of machine > its trying to reach? No, because an ARP request is trying to *FIND* the MAC address of a machine with a given IP (or other protocol) address, so the MAC address of the machine it's trying to reach can't be put into the packet (unless it puts the address it got when it last tried ARPing for that IP address, said address presumably having timed out). To quote RFC 826, " An Ethernet Address Resolution Protocol" (with some paragraph breaks inserted; perhaps Dave Plummer's <Return> or <Enter> key wasn't working...) - note the stuff I've emphasized by underlining it with "^^^": To communicate mappings from <protocol, address> pairs to 48.bit Ethernet addresses, a packet format that embodies the Address Resolution protocol is needed. The format of the packet follows. Ethernet transmission layer (not necessarily accessible to the user): 48.bit: Ethernet address of destination 48.bit: Ethernet address of sender 16.bit: Protocol type = ether_type$ADDRESS_RESOLUTION Ethernet packet data: 16.bit: (ar$hrd) Hardware address space (e.g., Ethernet, Packet Radio Net.) 16.bit: (ar$pro) Protocol address space. For Ethernet hardware, this is from the set of type fields ether_typ$<protocol>. 8.bit: (ar$hln) byte length of each hardware address 8.bit: (ar$pln) byte length of each protocol address 16.bit: (ar$op) opcode (ares_op$REQUEST | ares_op$REPLY) nbytes: (ar$sha) Hardware address of sender of this packet, n from the ar$hln field. mbytes: (ar$spa) Protocol address of sender of this packet, m from the ar$pln field. nbytes: (ar$tha) Hardware address of target of this packet (if known). ^^^^^^^^ mbytes: (ar$tpa) Protocol address of target. ... As a packet is sent down through the network layers, routing determines the protocol address of the next hop for the packet and on which piece of hardware it expects to find the station with the immediate target protocol address. In the case of the 10Mbit Ethernet, address resolution is needed and some lower layer (probably the hardware driver) must consult the Address Resolution module (perhaps implemented in the Ethernet support module) to convert the <protocol type, target protocol address> pair to a 48.bit Ethernet address. The Address Resolution module tries to find this pair in a table. If it finds the pair, it gives the corresponding 48.bit Ethernet address back to the caller (hardware driver) which then transmits the packet. If it does not, it probably informs the caller that it is throwing the packet away (on the assumption the packet will be retransmitted by a higher network layer), and generates an Ethernet packet with a type field of ether_type$ADDRESS_RESOLUTION. The Address Resolution module then sets the ar$hrd field to ares_hrd$Ethernet, ar$pro to the protocol type that is being resolved, ar$hln to 6 (the number of bytes in a 48.bit Ethernet address), ar$pln to the length of an address in that protocol, ar$op to ares_op$REQUEST, ar$sha with the 48.bit ethernet address of itself, ar$spa with the protocol address of itself, and ar$tpa with the protocol address of the machine that is trying to be accessed. It does not set ar$tha to anything in ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ particular, because it is this value that it is trying to ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ determine. ^^^^^^^^^ > I have attach 2 PNG images comparing this with another scanner and they > look very different on the decoding. That's because they're different packets. The "Windows scanner" (NetXRay or Sniffer, right?) is dissecting a packet from 08:00:3e:1a:a4:bc, with the IP address 24.19.144.1, asking for the Ethernet address of 24.19.144.229. Ethereal is dissecting a packet from 08:00:3e:17:1c:d6, with the IP address 24.68.101.1, asking for the Ethernet address of 24.68.101.161. It appears that whatever software the machine at 24.19.144.1/08:00:3e:1a:a4:bc is running put 18:13:90:01:00:00 into the target hardware address field - that's what NetXRay/Sniffer/whatever shows in its hex dump windows, which means that's what was in the packet as seen by the machine running NetXRay/Sniffer/whatever. (It also appears either that NetXRay/Sniffer/whatever is confused, or the bytes highlighted in gray aren't the bytes of the field selected in the protocol tree window, as it's highlighting 10 bytes, but a MAC address has only 6 bytes.) It appears that whatever software the machine at 24.68.101.1/08:00:3e:17:1c:d6 is running put zeroes into the target hardware address field - that's what Ethereal shows in its hex dump window, which means that's what was in the packet as seen by the machine running Ethereal.
- References:
- [Ethereal-users] ARP decoding problems
- From: Shawn Starr
- [Ethereal-users] ARP decoding problems
- Prev by Date: Re: [Ethereal-users] Windows 2000 packet filtering article
- Next by Date: [Ethereal-users] Problems loading files captured with windump
- Previous by thread: [Ethereal-users] ARP decoding problems
- Next by thread: [Ethereal-users] ethereal Problems with HP-UX
- Index(es):