Ethereal-users: Re: [Ethereal-users] Always! the same two Physical addresses:

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "James Fields" <jvfields@xxxxxxx>
Date: Sat, 15 Feb 2003 09:06:22 -0500
Sorry, I'm confused - you're sniffing using the DEC and the server is a
Gateway and you're both on the same switch? I assume you want to watch the
Gateway talking to other places?  If my assumptions are wrong you can skip
the rest of this :-)

In that case, if you span (or mirror, or monitor) the Gateway's switch port
over to the DEC, you'll see that every packet has the Gateway's MAC address
as either the source or destination (excepting broadcasts).

Whether or not you will see the MAC addresses of the other machines
conversing with the Gateway depends upon where they are.  If they are on the
same network segment as the Gateway, you'll be able to see their MACs.
However, if they are off-segment (somewhere on the Internet, who knows) the
MAC address you see for all of them will likely be the MAC address from the
INSIDE interface of the DSL router.  This is not an error, or a problem with
Ethereal - it's normal behavior and Ethereal is just revealing it more
clearly than you might have ever seen it before.

Remember - MACs are not meant to be "end-to-end" addressing - they are
Layer 2 controls to track who put a packet on the wire and who is allowed to
pluck it off.  In other words, MAC addresses are hop-to-hop.  If the Gateway
needs to send anything to anyone off segment, he has to forward it to the
MAC address of the DSL router's inside interface for delivery.  And anything
that comes in from the Internet on the way back to the Gateway is delivered
by that same interface.

----- Original Message -----
From: "Reaper" <Reaper@xxxxxxxxxx>
To: <ethereal-users@xxxxxxxxxxxx>
Sent: Saturday, February 15, 2003 4:00 AM
Subject: [Ethereal-users] Always! the same two Physical addresses:


>
> 10:07:43.396386 0:50:ba:d8:4c:7 0:10:67:0:d1:6f ip 106:
>
> 17:27:56.807385 0:10:67:0:d1:6f 0:50:ba:d8:4c:7 ip 1514:
> news-west.giganews.com.nntp
>
> 17:30:50.990596 0:50:ba:d8:4c:7 0:10:67:0:d1:6f ip 66: www.
>
> 17:38:03.206209 0:50:ba:d8:4c:7 0:10:67:0:d1:6f ip 66: www.
>
> 17:38:03.214898 0:10:67:0:d1:6f 0:50:ba:d8:4c:7 ip 1514:
> news-west.giganews.com.nntp
>
> Promiscuous Linux sniffer (DEC Alpha machine with no public IP address)
> plugged in to a 10/100 Megabit switch along with the Gateway Win200
> Server, and the DSL Modem.
>
> Am processing the tcp dumped ethereal files with perl script. Am I just
> not able to truly get the Phys address of the remote machine
>
> --
> Cheers
> T.G Reaper
> **********
>
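
The hop-to-hop behaviour described in the reply above, as an added example that is not part of the original thread: it groups the IP addresses seen behind each MAC address in link-level capture text, so a MAC that fronts several IP hosts stands out as the router interface. It assumes old-style `tcpdump -e -n` text output; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in old `tcpdump -e -n` style (link-level header printed,
# numeric addresses). MAC and IP values are made up for illustration.
SAMPLE = """\
10:07:43.396386 2:0:0:0:0:a 2:0:0:0:0:1 ip 106: 192.168.1.10.1047 > 198.51.100.7.119: P 1:53(52) ack 1 win 17520
10:07:43.401200 2:0:0:0:0:1 2:0:0:0:0:a ip 1514: 198.51.100.7.119 > 192.168.1.10.1047: . 1:1461(1460) ack 53 win 8760
10:07:44.010000 2:0:0:0:0:a 2:0:0:0:0:1 ip 66: 192.168.1.10.1050 > 203.0.113.80.80: S 0:0(0) win 16384
10:07:44.050000 2:0:0:0:0:1 2:0:0:0:0:a ip 66: 203.0.113.80.80 > 192.168.1.10.1050: S 0:0(0) ack 1 win 5840
10:07:45.000000 2:0:0:0:0:b 2:0:0:0:0:a ip 98: 192.168.1.20.1033 > 192.168.1.10.139: P 1:45(44) ack 1 win 8760
"""

# time, source MAC, destination MAC, "ip <len>:", then src.port > dst.port:
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) ip \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:")

def norm_mac(mac):
    """Zero-pad each octet; old tcpdump prints e.g. 0:50:ba:d8:4c:7."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def ips_per_mac(text):
    """Map each MAC to the set of IP addresses seen paired with it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # truncated, non-IP or name-resolved line
        seen[norm_mac(m["smac"])].add(m["sip"])
        seen[norm_mac(m["dmac"])].add(m["dip"])
    return seen

def next_hop_macs(text):
    """MACs paired with more than one IP address. This is a heuristic:
    such a MAC is usually a router interface relaying off-segment hosts."""
    return {mac: sorted(ips)
            for mac, ips in ips_per_mac(text).items() if len(ips) > 1}

if __name__ == "__main__":
    for mac, ips in sorted(ips_per_mac(SAMPLE).items()):
        role = "next hop (router)" if len(ips) > 1 else "on-segment host"
        print(mac, role, sorted(ips))
```

Both off-segment servers in the sample resolve to the same MAC, the router's inside interface, while the on-segment host keeps its own.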