On Mon, Apr 22, 2002 at 02:03:56AM -0700, Guy Harris wrote:
> so yes, indeed, 24.127.52.1 is 00:b0:8e:f7:3c:54.
>
> So this is *very* odd - some piece of hardware on AT&T Broadband's
> network is acting as an odd sort of bridge.
Well, according to Ethereal's "manuf" file, 00:b0:8e belongs to Cisco,
so it's a piece of Cisco hardware - perhaps one of their "Universal
Broadband Router" boxes:
http://www.cisco.com/warp/public/44/jump/cable.shtml
I suspect it's a machine that acts sort of like a router and sort of
like a switch, and that:
all packets sent out by users attached to cable modems on your
network segment get sent to that machine, regardless of the
destination MAC address of the packet;
if the packet is for another machine on your network segment,
then:
if the machine has the MAC address for that machine,
it'll re-transmit the packet to that machine - but with
the MAC address of the machine as the source MAC
address;
if the machine doesn't have the MAC address for that
machine, it'll ARP for it and:
if it gets the MAC address, it'll send it as
described above;
if it doesn't get the MAC address (times out),
then, if the packet is an IP packet, it'll send
a Host Unreachable ICMP packet to the sending
host, with the *sender's* IP address as the
source address (otherwise, it might just drop
the packet on the floor);
and that forwarding process is, at least for IP packets, treated
as *routing*, not switching, so that it'll decrement the IP TTL
of the packet and send out an ICMP message if the TTL drops to
0, with the *router's* IP address as the source address;
If that's the behavior, this would mean that:
if you ARP for another machine, the ARP reply will have the
*router's* MAC address as the source MAC address in the Ethernet
header;
if you send a packet to a machine on your network segment and
that machine isn't up, you'll get back an ICMP Host Unreachable
message that looks as if it came from yourself (so "traceroute"
will report *your* machine as the first and only network hop);
if you send a packet to a machine on your network segment and
the machine *is* up, *but* the TTL in the packet is 1, you'll
get back an ICMP time-to-live exceeded message that looks as if
it came from the *route* (so "traceroute" will report the
*router* as the first network hop);
if you send a packet to a machine on your network segment and
the machine is up, and the TTL in the packet is > 1, the packet
will be routed (so "traceroute" will report whatever machine
next returns an ICMP message as the next network hop).
If that's the machine's behavior, I have no idea why that's the
behavior.