Ethereal-users: Re: [Ethereal-users] Wierdness in CablemodemLand?
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "John E. Mayorga" <jmayorga5@xxxxxxxxx>
Date: Mon, 22 Apr 2002 01:17:51 -0700 (PDT)
So I am going through a router to get to anyone else on my subnet, or anyone else at all, for that matter. Arping seems to be the only tool that will give the real MACs associated with the IPs instead of the router's.

John

--- Guy Harris <gharris@xxxxxxxxx> wrote:
> On Sun, Apr 21, 2002 at 10:12:07PM -0700, John E. Mayorga wrote:
> > I used pretty much the same script for ARPing 1.04.
> > Here is the output (which makes sense):
> >
> > ARPING 24.127.52.1 from 24.127.52.10 eth0
> > Unicast reply from 24.127.52.1 [00:B0:8E:F7:3C:54] 8.803ms
> > Sent 1 probes (1 broadcast(s))
> > Received 1 response(s)
> >
> > ARPING 24.127.52.2 from 24.127.52.10 eth0
> > Unicast reply from 24.127.52.2 [00:D0:09:61:D7:2F] 9.601ms
> > Sent 1 probes (1 broadcast(s))
> > Received 1 response(s)
>
> So what does the traffic sent out by ARPing, and the replies it gets
> back, look like?
>
> For example, if it sends out an ARP request asking what the MAC address
> is for 24.127.52.9, what's the MAC address of the machine that responds?
> (I.e., is it that machine, which would indicate that packets get bridged
> directly to that machine, or is the router just handing you the MAC
> address information it has, which would indicate that they get routed to
> that machine?)
>
> > ARPING 24.127.52.10 from 24.127.52.10 eth0
> > Sent 1 probes (1 broadcast(s))
> > Received 0 response(s)
> > ARPING 24.127.52.11 from 24.127.52.10 eth0
> > Unicast reply from 24.127.52.11 [00:04:5A:2A:A1:5A] 57.094ms
> > Sent 1 probes (1 broadcast(s))
> > Received 1 response(s)
>
> I assume 00:04:5a:2a:a1:5a is the MAC address of your machine?
>
> > ARPING 24.127.52.15 from 24.127.52.10 eth0
> > Sent 1 probes (1 broadcast(s))
> > Received 0 response(s)
>
> That machine may be powered down, or nonexistent, so, if it's the router
> that's sending out the ARP replies, you won't get a response.
>
> > If I try to collect MAC addresses using Hunt 1.5 to
> > collect MAC addresses, while sending out a "nmap -sP
> > 24.127.52.*", the following is reported by Hunt, as if
> > it was indicating an error:
> >
> > ARP: MAC src != ARP src for host 24.127.52.3
> >
> > ARP: MAC src != ARP src for host 24.127.52.4
> >
> > If I poke through the
> > traffic that I had generated with the "nmap -sP
> > 24.127.52.*" using Ethereal, any responses from the
> > machines nmap was communicating with (mostly http
> > responses) gives the following Layer 2 info:
> >
> > For "Ethernet II" it gives the MAC of the router (and
> > it resolves to the router's IP on the same line)
>
> ...which suggests that traffic to those machines gets routed through the
> router, rather than bridged to those machines.
>
> I.e., the packet nmap sends to the machine goes out with the source MAC
> address of your machine, and with the router's MAC address as the
> destination MAC address. The packet is received by the router, and
> forwarded to the other machine; it sends the reply to your IP address,
> but sends the reply to the router, which receives it and forwards it to
> your machine, so that the reply arrives at your machine with the
> *router's* MAC address as the source MAC address.
>
> Ethernet isn't a routed protocol, so Ethernet addresses are *not*
> preserved when a packet is routed. (They're preserved if the packet is
> bridged, but it appears that packets aren't being bridged.)
>
> > For the IP layer on the "Internet Protocol" line it
> > gives Source: as the machine nmap was communicating
> > with at the time.
>
> ...which is exactly as it should be.
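
Added example, not part of the original messages and not Hunt's or Ethereal's code: a check that makes the comparison the quoted "ARP: MAC src != ARP src" warning appears to describe, the Ethernet source MAC against the sender hardware address inside the ARP payload. The two frames are constructed; the local MAC and the assumption that the device at 24.127.52.1 relays the second reply are illustrative only.

```python
import struct

ARP_ETHERTYPE = 0x0806

def fmt_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def check_arp_frame(frame):
    """Parse an Ethernet II ARP frame; return (sender_ip, eth_src, arp_sha, mismatch) or None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return None
    sender_ip = ".".join(str(b) for b in spa)
    return sender_ip, fmt_mac(eth_src), fmt_mac(sha), eth_src != sha

def mismatched_hosts(frames):
    """Sender IPs whose ARP payload MAC differs from the frame's source MAC."""
    results = (check_arp_frame(f) for f in frames)
    return [r[0] for r in results if r and r[3]]

def build_reply(eth_src, sha, spa, eth_dst, tpa):
    """Build a constructed ARP reply (opcode 2) for the sample data below."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ARP_ETHERTYPE) +
            struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                        sha, bytes(spa), eth_dst, bytes(tpa)))

# MACs for .1 and .2 are taken from the arping output in the thread;
# LOCAL is a made-up MAC for 24.127.52.10, and both frames are constructed.
HOST1 = bytes.fromhex("00B08EF73C54")
HOST2 = bytes.fromhex("00D00961D72F")
LOCAL = bytes.fromhex("02000000000A")
ME = (24, 127, 52, 10)
FRAMES = [
    build_reply(HOST1, HOST1, (24, 127, 52, 1), LOCAL, ME),  # sent by its owner
    build_reply(HOST1, HOST2, (24, 127, 52, 2), LOCAL, ME),  # assumed relayed by .1
]

if __name__ == "__main__":
    for frame in FRAMES:
        ip, eth_src, sha, mismatch = check_arp_frame(frame)
        flag = "MAC src != ARP src" if mismatch else "ok"
        print(f"{ip}: frame src {eth_src}, ARP sender {sha} -> {flag}")
```

A mismatch of this kind is what a bridge never produces and a relaying or proxying device does, which is why the same comparison is also used as an ARP-spoofing indicator.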