After the replies I received and after doing some tests, I was able to
understand what is going on (at least I hope so).
> -----Original Message-----
> From: Nakandakare, Akira
> Sent: Wednesday, April 03, 2002 3:14 PM
> To: 'ethereal-users@xxxxxxxxxxxx'
> Subject: RE: [Ethereal-users] ARP reply before the request
>
[...]
> > > But when I was verifying some ARP requests, Ethereal has shown me
> > > that there were ARP replies before the ARP requests. Does anyone
> > > know how I got this?
I've tried to send some other messages and requests and almost all of
them had the same problem. I've also made other tests and it seems that
the messages that my machine (where I'm running Ethereal) sends require
more time to be captured than the other machines' messages.
[...]
> And capturing all the packets, I've realized that in this LAN
> there are a lot of ARP requests without reply. In fact, the
> only ARP replies I've found in the network are the replies
> directed to my computer. (And I do capture the packets in
> promiscuous mode)
This seems to be due to a switch in the LAN. This switch sends to my
network interface only the messages that concern it. So, I can see
the ARP requests because they are broadcast, but I can't see the
replies because the switch filters them.
As Richard Urwin reminded me, this is described in
http://www.ethereal.com/faq.html#q4.1. I'm sorry for this lack of
attention, I read this FAQ a long time ago and I'd forgotten it.
> Besides that, the ARP requests that my computer produces have
> only 46 bytes and the other ARP requests have only 60 bytes,
> which is below the Ethernet packet minimum length. And no
> packet has the Ethernet CRC.
>
> This is very different from what I've studied. I'm really
> puzzled. Does someone know what's happening? Could this be a
> problem of the data capture?
I've studied that an Ethernet message has to be at least 72 bytes long
in a 10Mb LAN and this is still true. But my network card cuts the
messages' preamble and CRC before "sending them" to Ethereal. So,
with neither the preamble nor the CRC, the minimum size of the
messages becomes 60 bytes.
For the smaller messages, I've realized that only my machine has
messages smaller than 60 bytes. So, it really seems that Ethereal
captures the messages of the machine where it is running in a different
way, so that it doesn't capture the padding bytes of that machine's
Ethernet messages.
As I don't have Ethereal running in another machine, I can't be
absolutely sure but I hope all this is correct.
I've also done a quick test with Windump and I've got the same behaviour.
Oh, I almost forgot! I'm running Ethereal 0.9.1 with WinPcap 2.2 on a
Windows 98 (this was not my choice!) station.
Thanks to Richard Urwin, McNuttJ, Rick Farina and Guy for their support.
--
Cleber Akira NAKANDAKARE
Application Lab.
Atmel Nantes SA - France
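
Added example, not part of the original message or of Ethereal: a small Python parser that accounts for the captured length of an ARP frame and flags any frame under 60 bytes (which includes the 46-byte ones mentioned above) as captured before padding was added. The function names and all addresses are constructed for the example, and it assumes Ethernet/IPv4 ARP and a capture not truncated by a snap length.

```python
import struct

ETH_HDR_LEN = 14        # destination MAC + source MAC + EtherType
ARP_LEN = 28            # ARP body for Ethernet/IPv4
MIN_NO_FCS = 60         # 64-byte minimum minus 4-byte CRC; shorter = not yet padded
ETHERTYPE_ARP = 0x0806


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def describe_arp_frame(frame: bytes) -> dict:
    """Parse one captured Ethernet/ARP frame and explain its captured length."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        raise ValueError("too short for an Ethernet header plus an ARP body")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {
        "src": mac(src),
        "dst": mac(dst),
        "op": {1: "request", 2: "reply"}.get(oper, f"opcode {oper}"),
        "captured_len": len(frame),
        "padding_len": len(frame) - ETH_HDR_LEN - ARP_LEN,
        "captured_before_padding": len(frame) < MIN_NO_FCS,
    }


def build_arp(src, dst, oper, sip, tip, pad=0) -> bytes:
    """Build a constructed sample frame; every address here is made up."""
    tha = b"\x00" * 6 if oper == 1 else dst
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, src, sip, tha, tip)
    return dst + src + struct.pack("!H", ETHERTYPE_ARP) + body + b"\x00" * pad


HOST = bytes.fromhex("020000000001")    # constructed: the capturing machine
PEER = bytes.fromhex("020000000002")    # constructed: another machine
IP_A, IP_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
# Sent by the capturing machine: bare 42 bytes, not yet padded.
LOCAL_REQUEST = build_arp(HOST, b"\xff" * 6, 1, IP_A, IP_B)
# Received from the wire: padded to 60 bytes, CRC already removed.
REMOTE_REPLY = build_arp(PEER, HOST, 2, IP_B, IP_A, pad=18)

for f in (LOCAL_REQUEST, REMOTE_REPLY):
    print(describe_arp_frame(f))
```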