Ethereal-users: Re: [Ethereal-users] (no subject)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "John E. Mayorga" <jmayorga5@xxxxxxxxx>
Date: Sun, 21 Apr 2002 16:43:03 -0700 (PDT)
Rick, Guy,

Sorry. I have no router. My box is directly connected
to the cablemodem. Before, I was only trying to imply
that I was the only user connected to a hub, which was
connected to a router to which another hub was
connected to which other users were connected,
something like this:

MyBox->Cablemodem->tvCable->Hub->Router
...and from that same Router:
Router->Hub->tvCable->OtherCableModemsInMySubnet
...so, if it is true that I am the only one in my area
(on the local cablemodem "hub", wherever it is), and
that hub was connected to a Router, which was
connected to other hubs, each of which was connected
to zero or more Cablemodems, would that explain the
results I sent in my original email?

John



--- Rick Farina <farinard@xxxxxxxxxx> wrote:
> Okay, here is how it breaks down...all of those
> addresses on your subnet
> look different to me.  What that tells me is that
> there is no router between
> you and the rest of the people on your subnet.
> However what you said in your first email implies
> that you have a router.
> I'm with Guy, do you have a router in your house? 
> What is the EXACT
> internal network configuration?
> 
> Cablemodem -> Cisco XXX router -> RH7.2 box?
> 
> Second of all, type this right now.
> 
> "rpm -ev `rpm -qa | grep ethereal`"
> 
> Then go to www.ethereal.com
> and download the newest version (rpm if you
> like...I'd acctually suggest it)
> 
> Then try this all again....could be a bug in the
> ANCIENT ethereal you are
> running.
> 
> -Rick Farina
> 
> 
> 
> ----- Original Message -----
> From: "John E. Mayorga" <jmayorga5@xxxxxxxxx>
> To: "Rick Farina" <farinard@xxxxxxxxxx>
> Cc: <ethereal-users@xxxxxxxxxxxx>
> Sent: Sunday, April 21, 2002 18:58
> Subject: Re: [Ethereal-users] (no subject)
> 
> 
> Rick,
> 
> I installed arping and created a little script to
> run
> through the subnet. Here is the output:
> 
> ARPING 24.127.52.1 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.1 [00:B0:8E:F7:3C:54]
> 8.803ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.2 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.2 [00:D0:09:61:D7:2F]
> 9.601ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.3 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.3 [00:04:5A:41:2C:F3]
> 51.540ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.4 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.4 [00:02:E3:03:C4:E0]
> 9.096ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.5 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.5 [00:10:4C:12:30:1E]
> 9.515ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.6 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.6 [00:03:47:DB:D7:13]
> 31.087ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.7 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.7 [00:00:C5:3C:9A:32]
> 12.555ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> ARPING 24.127.52.8 from 24.127.52.10 eth0
> Sent 1 probes (1 broadcast(s))
> Received 0 response(s)
> 
> ...
> 
> These MACs are different than the ones reported
> before
> by hunt and ethereal. Is it that all my traffic is
> coming through the router, even that of the other
> members of my subnet, so other programs are
> reporting
> the router's MAC?
> 
> John
> 
> 
> --- Rick Farina <farinard@xxxxxxxxxx> wrote:
> > A good way to properly search for MAC's is
> "arping"
> > http://freshmeat.net/projects/arping/?topic_id=150
> > I suggest you use that to find MAC's.....however,
> an
> > important fact is that
> > anything outside of your router will have the MAC
> > address of your router
> > (ARP is not routed).  Are all of those addresses
> on
> > your side of the router?
> > or are they on the other side.  That is the most
> > obvious conclusion that I
> > have (besides foul play).  Let me know if that's
> > it....otherwise, we can try
> > to diagnose possible foul play.  ;-)
> >
> > -Rick Farina
> > ----- Original Message -----
> > From: "John E. Mayorga" <jmayorga5@xxxxxxxxx>
> > To: <ethereal-users@xxxxxxxxxxxx>
> > Sent: Sunday, April 21, 2002 16:35
> > Subject: [Ethereal-users] (no subject)
> >
> >
> > I'm on at&t @home service, and I've noticed some
> > strangeness in my subnet that I can't explain. I'm
> > sure someone here will know an obvious reason, so
> > here
> > it goes.
> >
> > I'm running on Red Hat 7.2 with an updated kernal
> > from
> > Red Hat. Here is the output from "uname -a":
> >
> > Linux ldap.athlon.com 2.4.9-31 #1 Tue Feb 26
> > 06:23:51
> > EST 2002 i686 unknown
> >
> > The results were gathered from three tools:
> > hunt 1.5 - for gathering MAC addresses
> > nmap V. 2.54BETA22 - for getting a response from
> > members of my subnet
> > ethereal 0.8.18 - general sniffing
> >
> > OK, so here's the "thing" - everybody on my subnet
> > has
> > the same MAC address, including my router. Yow!
> > Something I'm doing wrong, right? Well, let's see:
> >
> > First, I fire up hunt and tell it to collect MAC
> > addresses. While hunt is doing its job, I run "
> > nmap -sP 24.127.52.*". Hunt reports the following
> > while running:
> >
> > ARP: MAC src != ARP src for host 24.127.52.3
> > ARP: MAC src != ARP src for host 24.127.52.4
> > ARP: MAC src != ARP src for host 24.127.52.5
> > ARP: MAC src != ARP src for host 24.127.52.6
> > ARP: MAC src != ARP src for host 24.127.52.7
> > ARP: MAC src != ARP src for host 24.127.52.8
> > ARP: MAC src != ARP src for host 24.127.52.9
> > ARP: MAC src != ARP src for host 24.127.52.11
> > ARP: MAC src != ARP src for host 24.127.52.12
> > ARP: MAC src != ARP src for host 24.127.52.16
> > ARP: MAC src != ARP src for host 24.127.52.17
> > ARP: MAC src != ARP src for host 24.127.52.20
> > ARP: MAC src != ARP src for host 24.127.52.21
> > ARP: MAC src != ARP src for host 24.127.52.22
> > ARP: MAC src != ARP src for host 24.127.52.23
> > ARP: MAC src != ARP src for host 24.127.52.24
> > ARP: MAC src != ARP src for host 24.127.52.26
> > ARP: MAC src != ARP src for host 24.127.52.29
> > ARP: MAC src != ARP src for host 24.127.52.47
> > ARP: MAC src != ARP src for host 24.127.52.48
> > ARP: MAC src != ARP src for host 24.127.52.49
> > ARP: MAC src != ARP src for host 24.127.52.51
> > ARP: MAC src != ARP src for host 24.127.52.52
> > ARP: MAC src != ARP src for host 24.127.52.53
> > ARP: MAC src != ARP src for host 24.127.52.55
> > ARP: MAC src != ARP src for host 24.127.52.57
> > ARP: MAC src != ARP src for host 24.127.52.58
> > ARP: MAC src != ARP src for host 24.127.52.60
> > ARP: MAC src != ARP src for host 24.127.52.61
> > ARP: MAC src != ARP src for host 24.127.52.62
> > ARP: MAC src != ARP src for host 24.127.52.64
> > ARP: MAC src != ARP src for host 24.127.52.65
> > ARP: MAC src != ARP src for host 24.127.52.31
> > ARP: MAC src != ARP src for host 24.127.52.33
> > ARP: MAC src != ARP src for host 24.127.52.37
> > ARP: MAC src != ARP src for host 24.127.52.38
> > ARP: MAC src != ARP src for host 24.127.52.39
> > ARP: MAC src != ARP src for host 24.127.52.67
> > ARP: MAC src != ARP src for host 24.127.52.68
> > ARP: MAC src != ARP src for host 24.127.52.69
> > ARP: MAC src != ARP src for host 24.127.52.70
> > ARP: MAC src != ARP src for host 24.127.52.72
> > ARP: MAC src != ARP src for host 24.127.52.74
> > ARP: MAC src != ARP src for host 24.127.52.75
> > ARP: MAC src != ARP src for host 24.127.52.78
> > ARP: MAC src != ARP src for host 24.127.52.41
> > ARP: MAC src != ARP src for host 24.127.52.42
> > ARP: MAC src != ARP src for host 24.127.52.44
> > ARP: MAC src != ARP src for host 24.127.52.80
> > ARP: MAC src != ARP src for host 24.127.52.82
> > ARP: MAC src != ARP src for host 24.127.52.85
> > ARP: MAC src != ARP src for host 24.127.52.86
> > ARP: MAC src != ARP src for host 24.127.52.87
> > ARP: MAC src != ARP src for host 24.127.52.88
> > ARP: MAC src != ARP src for host 24.127.52.89
> > ARP: MAC src != ARP src for host 24.127.52.90
> > ARP: MAC src != ARP src for host 24.127.52.91
> > ARP: MAC src != ARP src for host 24.127.52.92
> > ARP: MAC src != ARP src for host 24.127.52.93
> > ARP: MAC src != ARP src for host 24.127.52.95
> > ARP: MAC src != ARP src for host 24.127.52.97
> > ARP: MAC src != ARP src for host 24.127.52.98
> > ARP: MAC src != ARP src for host 24.127.52.99
> > ARP: MAC src != ARP src for host 24.127.52.100
> > ARP: MAC src != ARP src for host 24.127.52.101
> > ARP: MAC src != ARP src for host 24.127.52.103
> > ARP: MAC src != ARP src for host 24.127.52.105
> > ARP: MAC src != ARP src for host 24.127.52.107
> > ARP: MAC src != ARP src for host 24.127.52.108
> > ARP: MAC src != ARP src for host 24.127.52.109
> > ARP: MAC src != ARP src for host 24.127.52.110
> > ARP: MAC src != ARP src for host 24.127.52.111
> > ARP: MAC src != ARP src for host 24.127.52.114
> > ARP: MAC src != ARP src for host 24.127.52.115
> > ARP: MAC src != ARP src for host 24.127.52.116
> > ARP: MAC src != ARP src for host 24.127.52.117
> > ARP: MAC src != ARP src for host 24.127.52.118
> > ARP: MAC src != ARP src for host 24.127.52.119
> > ARP: MAC src != ARP src for host 24.127.52.120
> > ARP: MAC src != ARP src for host 24.127.52.121
> > ARP: MAC src != ARP src for host 24.127.52.122
> > ARP: MAC src != ARP src for host 24.127.52.123
> > ARP: MAC src != ARP src for host 24.127.52.124
> > ARP: MAC src != ARP src for host 24.127.52.125
> > ARP: MAC src != ARP src for host 24.127.52.126
> > ARP: MAC src != ARP src for host 24.127.52.130
> > ARP: MAC src != ARP src for host 24.127.52.131
> > ARP: MAC src != ARP src for host 24.127.52.133
> > ARP: MAC src != ARP src for host 24.127.52.134
> > ARP: MAC src != ARP src for host 24.127.52.136
> > ARP: MAC src != ARP src for host 24.127.52.142
> > ARP: MAC src != ARP src for host 24.127.52.146
> > ARP: MAC src != ARP src for host 24.127.52.149
> > ARP: MAC src != ARP src for host 24.127.52.151
> > ARP: MAC src != ARP src for host 24.127.52.155
> > ARP: MAC src != ARP src for host 24.127.52.156
> > ARP: MAC src != ARP src for host 24.127.52.157
> > ARP: MAC src != ARP src for host 24.127.52.158
> > ARP: MAC src != ARP src for host 24.127.52.159
> > ARP: MAC src != ARP src for host 24.127.52.160
> > ARP: MAC src != ARP src for host 24.127.52.161
> > ARP: MAC src != ARP src for host 24.127.52.163
> > ARP: MAC src != ARP src for host 24.127.52.165
> > ARP: MAC src != ARP src for host 24.127.52.166
> > ARP: MAC src != ARP src for host 24.127.52.167
> > ARP: MAC src != ARP src for host 24.127.52.168
> > ARP: MAC src != ARP src for host 24.127.52.172
> > ARP: MAC src != ARP src for host 24.127.52.173
> > ARP: MAC src != ARP src for host 24.127.52.176
> > ARP: MAC src != ARP src for host 24.127.52.177
> > ARP: MAC src != ARP src for host 24.127.52.178
> > ARP: MAC src != ARP src for host 24.127.52.179
> > ARP: MAC src != ARP src for host 24.127.52.180
> > ARP: MAC src != ARP src for host 24.127.52.181
> > ARP: MAC src != ARP src for host 24.127.52.182
> > ARP: MAC src != ARP src for host 24.127.52.183
> > ARP: MAC src != ARP src for host 24.127.52.184
> > ARP: MAC src != ARP src for host 24.127.52.185
> > ARP: MAC src != ARP src for host 24.127.52.186
> > ARP: MAC src != ARP src for host 24.127.52.187
> > ARP: MAC src != ARP src for host 24.127.52.189
> > ARP: MAC src != ARP src for host 24.127.52.190
> > ARP: MAC src != ARP src for host 24.127.52.191
> > ARP: MAC src != ARP src for host 24.127.52.192
> > ARP: MAC src != ARP src for host 24.127.52.193
> > ARP: MAC src != ARP src for host 24.127.52.196
> > ARP: MAC src != ARP src for host 24.127.52.197
> > ARP: MAC src != ARP src for host 24.127.52.199
> > ARP: MAC src != ARP src for host 24.127.52.200
> > ARP: MAC src != ARP src for host 24.127.52.203
> > ARP: MAC src != ARP src for host 24.127.52.204
> > ARP: MAC src != ARP src for host 24.127.52.205
> > ARP: MAC src != ARP src for host 24.127.52.206
> > ARP: MAC src != ARP src for host 24.127.52.208
> > ARP: MAC src != ARP src for host 24.127.52.209
> > ARP: MAC src != ARP src for host 24.127.52.211
> > ARP: MAC src != ARP src for host 24.127.52.212
> > ARP: MAC src != ARP src for host 24.127.52.215
> > ARP: MAC src != ARP src for host 24.127.52.216
> > ARP: MAC src != ARP src for host 24.127.52.217
> > ARP: MAC src != ARP src for host 24.127.52.218
> > ARP: MAC src != ARP src for host 24.127.52.219
> > ARP: MAC src != ARP src for host 24.127.52.221
> > ARP: MAC src != ARP src for host 24.127.52.224
> > ARP: MAC src != ARP src for host 24.127.52.228
> > ARP: MAC src != ARP src for host 24.127.52.232
> > ARP: MAC src != ARP src for host 24.127.52.235
> > ARP: MAC src != ARP src for host 24.127.52.236
> > ARP: MAC src != ARP src for host 24.127.52.237
> > ARP: MAC src != ARP src for host 24.127.52.239
> > ARP: MAC src != ARP src for host 24.127.52.240
> > ARP: MAC src != ARP src for host 24.127.52.241
> > ARP: MAC src != ARP src for host 24.127.52.242
> > ARP: MAC src != ARP src for host 24.127.52.249
> > ARP: MAC src != ARP src for host 24.127.52.250
> > ARP: MAC src != ARP src for host 24.127.52.252
> > ARP: MAC src != ARP src for host 24.127.52.254
> > ARP: MAC src != ARP src for host 24.127.52.255
> >
> > I then tell hunt to report the collected MAC
> > addresses:
> >
> > --- mac table ---
> > 10.127.52.1              00:B0:8E:F7:3C:54
> > 24.127.52.1              00:B0:8E:F7:3C:54
> > 24.127.52.10             00:01:02:84:77:E2
> >
> > If I then poke through ethereal, any responses
> > (mostly
> > http responses) give the "Ethernet II" source MAC
> of
> > the router (and it resolves to the router's IP on
> > the
> > same line), and gives the "Internet Protocol"
> > Source:
> > as the responding machine.
> >
> > Helpful hints: It was explained to me during the
> > installation that I was the only one on my
> segment,
> > which is believable, considering my location. My
> > network mask is: 255.255.254.0
> >
> > The answer is sure to be staring me in the face,
> so
> > any slaps upside the head will be welcome. Can
> > anyone
> > tell me how to properly collect MAC addresses?
> >
> > Thanx,
> >
> > John
> >
> >
> >
> >
> >
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Games - play chess, backgammon, pool and
> more
> > http://games.yahoo.com/
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> >
>
http://www.ethereal.com/mailman/listinfo/ethereal-users
> >
> >
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> >
>
http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Games - play chess, backgammon, pool and more
> http://games.yahoo.com/
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
>
http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> 

__________________________________________________
Do You Yahoo!?
Yahoo! Games - play chess, backgammon, pool and more
http://games.yahoo.com/