Wireshark-users: Re: [Wireshark-users] Ping Replys without Request

From: Petr Vácha <vacha@xxxxxxxxxxx>
Date: Wed, 30 Aug 2006 14:59:33 +0200
No, I mean MAC addresses that are present in the ICMP replies.... if they really belong to devices involved or are different.

Petr 

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx 
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of 
> STEINECKE Michael SD-G (AREVA NP GmbH)
> Sent: Wednesday, August 30, 2006 2:57 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Ping Replys without Request
> 
> Hello Petr,
> 
> you mean if displayed the MAC-adress resolution instead of 
> the MAC-adress?
> Then thea answer is yes. But this is only a setting in 
> wireshark i think.
> 
> Michael Steinecke
> 
> > -----Ursprüngliche Nachricht-----
> > Von: wireshark-users-bounces@xxxxxxxxxxxxx 
> > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] Im Auftrag von 
> > Petr Vácha
> > Gesendet: Dienstag, 29. August 2006 10:51
> > An: Community support list for Wireshark
> > Betreff: Re: [Wireshark-users] Ping Replys without Request
> > 
> > Hello,
> > we have come up with the similar problem once, but I need you 
> > to answer the following question to see if it's really the 
> > same situation:
> > 
> > Are MAC address in the ICMP packet really present in your 
> > network or are they something like DigitalEquipment_00-02-01 
> > (one such is the source and one is the destination)? 
> > 
> > Petr Vacha
> > 
> > > -----Original Message-----
> > > From: wireshark-users-bounces@xxxxxxxxxxxxx
> > > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of 
> > Jim Young
> > > Sent: Monday, August 28, 2006 5:25 PM
> > > To: wireshark-users@xxxxxxxxxxxxx
> > > Subject: Re: [Wireshark-users] Ping Replys without Request
> > > 
> > > Hello Michael,
> > > 
> > > >>> "STEINECKE Michael SD-G (AREVA NP GmbH)"
> > > <Michael.Steinecke@xxxxxxxxx> 08/28/06 4:33 AM >>>
> > > > Hello folks,
> > > > 
> > > > i've a bit strange issue in the communication between a 
> Server and
> > > his
> > > > client (a microcontroler).
> > > > The controler send "Echo Reply" packets without a corresponding
> > > ICMP
> > > > requests. Is there another way how this can happen then 
> an program
> > > or
> > > > firmware error? Something like an TCP packet that 
> requests a ICMP
> > > Echo
> > > > par example?
> > > > 
> > > > Best Regards
> > > > Michael Steinecke
> > > 
> > > Does you controller have multiple NIC interfaces?  If so, then 
> > > depending on how you've set up your route statements on the 
> > controller 
> > > (assuming that you can) it's possible that replies received 
> > on one NIC 
> > > interface will be returned out a different
> > > NIC interface.   IP addresses more than one hop away could 
> > > be taking a "default" route (out the NIC interface towards your 
> > > server).
> > > 
> > > Take a look at the destination IP address (where the ping 
> reply is 
> > > supposed to go to) and the destination MAC address for the 
> > ping reply.  
> > > This should give you a clue on who/what might be generating the 
> > > original request.
> > > 
> > > Then again if it's some type of specialized controller, then I 
> > > wouldn't be surprised to see the vendor doing something 
> > non-conventual 
> > > like using ICMP echo replies to send signalling
> > > information to some other station(s).   
> > > 
> > > I've also seen some devices that use an an undocumented 
> private NIC 
> > > setup internally.  I've had a few occasions where these back-end 
> > > packets have leaked out the one public NIC.
> > > 
> > > I hope this find this useful.
> > > 
> > > Jim Young
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Wireshark-users mailing list
> > > Wireshark-users@xxxxxxxxxxxxx
> > > http://www.wireshark.org/mailman/listinfo/wireshark-users
> > > 
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
> > 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>