Ethereal-users: Re: [Ethereal-users] Wierdness in CablemodemLand?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 22 Apr 2002 02:03:56 -0700
On Mon, Apr 22, 2002 at 01:27:48AM -0700, John E. Mayorga wrote:
> ARPING 24.127.52.5 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.5 [00:10:4C:12:30:1E]  9.774ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)

Well, the probe is:

	Frame 38 (42 on wire, 42 captured)
	Ethernet II
	    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
	    Source: 00:01:02:84:77:e2 (00:01:02:84:77:e2)
	    Type: ARP (0x0806)
	Address Resolution Protocol (request)
	    Hardware type: Ethernet (0x0001)
	    Protocol type: IP (0x0800)
	    Hardware size: 6
	    Protocol size: 4
	    Opcode: request (0x0001)
	    Sender MAC address: 00:01:02:84:77:e2 (00:01:02:84:77:e2)
	    Sender IP address: 24.127.52.10 (24.127.52.10)
	    Target MAC address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
	    Target IP address: 24.127.52.5 (24.127.52.5)

So your machine has an IP address of 24.127.52.10 and a MAC address on
eth0 of 00:01:02:84:77:e2.

The response is:

	Frame 39 (60 on wire, 60 captured)
	Ethernet II
	    Destination: 00:01:02:84:77:e2 (00:01:02:84:77:e2)
	    Source: 00:b0:8e:f7:3c:54 (00:b0:8e:f7:3c:54)
	    Type: ARP (0x0806)
	    Trailer: 00000000000000000000000000000000...
	Address Resolution Protocol (reply)
	    Hardware type: Ethernet (0x0001)
	    Protocol type: IP (0x0800)
	    Hardware size: 6
	    Protocol size: 4
	    Opcode: reply (0x0002)
	    Sender MAC address: 00:10:4c:12:30:1e (00:10:4c:12:30:1e)
	    Sender IP address: 24.127.52.5 (24.127.52.5)
	    Target MAC address: 00:01:02:84:77:e2 (00:01:02:84:77:e2)
	    Target IP address: 24.127.52.10 (24.127.52.10)

The packet was put onto your Ethernet by 00:b0:8e:f7:3c:54, even though
the packet reports that the MAC address of 24.127.52.5 is
00:10:4c:12:30:1e.

I.e., that packet was routed to you through a machine with a MAC
address, for the interface on your network segment, of
00:b0:8e:f7:3c:54.

If we look at the packet where your machine ARPs for the MAC address of
24.127.52.1 - i.e., the router - we see

	Frame 22 (42 on wire, 42 captured)
	Ethernet II
	    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
	    Source: 00:01:02:84:77:e2 (00:01:02:84:77:e2)
	    Type: ARP (0x0806)
	Address Resolution Protocol (request)
	    Hardware type: Ethernet (0x0001)
	    Protocol type: IP (0x0800)
	    Hardware size: 6
	    Protocol size: 4
	    Opcode: request (0x0001)
	    Sender MAC address: 00:01:02:84:77:e2 (00:01:02:84:77:e2)
	    Sender IP address: 24.127.52.10 (24.127.52.10)
	    Target MAC address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
	    Target IP address: 24.127.52.1 (24.127.52.1)

with a reply of

	Frame 23 (60 on wire, 60 captured)
	Ethernet II
	    Destination: 00:01:02:84:77:e2 (00:01:02:84:77:e2)
	    Source: 00:b0:8e:f7:3c:54 (00:b0:8e:f7:3c:54)
	    Type: ARP (0x0806)
	    Trailer: 00000000000000000000000000000000...
	Address Resolution Protocol (reply)
	    Hardware type: Ethernet (0x0001)
	    Protocol type: IP (0x0800)
	    Hardware size: 6
	    Protocol size: 4
	    Opcode: reply (0x0002)
	    Sender MAC address: 00:b0:8e:f7:3c:54 (00:b0:8e:f7:3c:54)
	    Sender IP address: 24.127.52.1 (24.127.52.1)
	    Target MAC address: 00:01:02:84:77:e2 (00:01:02:84:77:e2)
	    Target IP address: 24.127.52.10 (24.127.52.10)

so yes, indeed, 24.127.52.1 is 00:b0:8e:f7:3c:54.

So this is *very* odd - some piece of hardware on AT&T Broadband's
network is acting as an odd sort of bridge.  ARP packets aren't IP
packets, so they can't be routed as IP packets; however, the ARP reply
isn't getting bridged in a conventional sense, because the MAC address
of the ARP reply is *NOT* the MAC address of the machine that originally
sent the reply, it's the MAC address of your router.
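
The comparison made in this message (the Ethernet source address of an ARP frame against the sender MAC address inside the ARP payload), as an added example that is not part of the original message. The frame bytes are constructed from the field values shown in frames 39 and 23 above; the function and variable names are hypothetical.

```python
import socket
import struct

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa):
    """Constructed sample: Ethernet II + ARP, zero-padded to 60 bytes (the trailer)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sha) + socket.inet_aton(spa)
    arp += mac_bytes(tha) + socket.inet_aton(tpa)
    return (eth + arp).ljust(60, b"\x00")

def check_arp_frame(frame):
    """Return (sender_ip, eth_src, arp_sender_mac, mismatch) for an ARP frame."""
    if len(frame) < 42:
        raise ValueError("truncated: need 14-byte Ethernet + 28-byte ARP")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    # Sender hardware/protocol addresses follow the 8-byte ARP fixed header.
    sha, spa = struct.unpack("!6s4s", frame[22:32])
    return socket.inet_ntoa(spa), mac_str(src), mac_str(sha), src != sha

# Constructed from the dissections of frames 39 and 23 in the message above.
ME = "00:01:02:84:77:e2"
ROUTER = "00:b0:8e:f7:3c:54"
FRAME_39 = build_arp_frame(ME, ROUTER, 2, "00:10:4c:12:30:1e",
                           "24.127.52.5", ME, "24.127.52.10")
FRAME_23 = build_arp_frame(ME, ROUTER, 2, ROUTER,
                           "24.127.52.1", ME, "24.127.52.10")

if __name__ == "__main__":
    for name, frame in (("39", FRAME_39), ("23", FRAME_23)):
        ip, eth_src, sha, mismatch = check_arp_frame(frame)
        verdict = "MISMATCH" if mismatch else "consistent"
        print(f"frame {name}: {ip} claims {sha}, sent by {eth_src}: {verdict}")
```

A mismatch is what proxy ARP or a relaying device produces, and it is also the signature ARP-spoofing monitors look for, so a flagged frame needs the kind of follow-up comparison against the router's own ARP reply that the message carries out.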