Ethereal-dev: Re: [Ethereal-dev] HW address resolving mechanism

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "James V. Fields" <jvfields@xxxxxxx>
Date: Thu, 20 Jan 2005 07:20:19 -0500

This column only resolves the hardware address to a display that
includes the manufacturer's name.  It does not attempt to match a MAC
address to an IP address.  Even if you line this up next to a "network
address" column, what you're seeing is a result of how layer 2 packet
forwarding works - any packets coming from the other side of a router
(from the sniffer's perspective) will show a source MAC of the local
router interface, which will also be the destination MAC for packets
destined for machines outside the local net.  This is a fairly basic
layer 2 / layer 3 networking concept worth reviewing.  You may want to
check out the excellent Sniffing FAQ by Robert Graham.  His site seems
to be down, but here is a link to another site hosting the file:
http://linuxsecurity.net/resource_files/intrusion_detection/sniffing-faq.html


Jaap Keuter wrote:
Hello list,

I've run into trouble with the Hardware to IP address resolution mechanism
in Ethereal (check the column Hardware address resolved). It gets confused
if multiple LANs (VLANs) are present on the same wire. An interface
seems to get related to the first IP address seen on a packet from that
interface. Can anyone point me to where this resolution mechanism is, and
where it gets its knowledge from?

Thanx,
Jaap
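
Added example, not part of the original messages and not Ethereal's code: a Python sketch of why binding a MAC to the first IP seen with it misleads when traffic crosses a router, next to a vendor-prefix rendering in the Vendor_xx:xx:xx style. The OUI table, vendor names, MAC and IP addresses are all constructed, and the function names are hypothetical.

```python
# Constructed OUI table (assumption): prefixes and vendor names are made up.
OUI = {"02:aa:01": "ExampleRouterCo", "02:bb:02": "ExampleNicCo"}

# Constructed capture as seen by a sniffer on 192.168.1.0/24:
# (source MAC, source IP) of each frame, in arrival order.
FRAMES = [
    ("02:aa:01:00:00:01", "10.20.0.5"),     # remote host, forwarded by the router
    ("02:bb:02:00:00:10", "192.168.1.10"),  # local host
    ("02:aa:01:00:00:01", "172.16.4.9"),    # another remote host, same router MAC
    ("02:aa:01:00:00:01", "192.168.1.1"),   # the router's own address
    ("02:bb:02:00:00:10", "192.168.1.10"),  # local host again
]

def resolve_vendor(mac, oui=OUI):
    """Render a MAC as Vendor_xx:xx:xx; leave it unchanged if the prefix is unknown."""
    prefix, suffix = mac[:8].lower(), mac[9:]
    vendor = oui.get(prefix)
    return f"{vendor}_{suffix}" if vendor else mac

def first_seen_ip(frames):
    """Naive MAC -> IP binding that keeps only the first IP seen per MAC."""
    table = {}
    for mac, ip in frames:
        table.setdefault(mac, ip)
    return table

def ips_per_mac(frames):
    """Every distinct source IP observed behind each source MAC, in arrival order."""
    table = {}
    for mac, ip in frames:
        seen = table.setdefault(mac, [])
        if ip not in seen:
            seen.append(ip)
    return table

def likely_forwarders(frames):
    """MACs sourcing more than one IP: a router interface (or a multi-homed
    host), so no single IP describes them."""
    return sorted(mac for mac, ips in ips_per_mac(frames).items() if len(ips) > 1)

if __name__ == "__main__":
    naive = first_seen_ip(FRAMES)
    for mac, ips in ips_per_mac(FRAMES).items():
        print(resolve_vendor(mac), "first-seen:", naive[mac], "all:", ips)
    print("likely forwarders:", likely_forwarders(FRAMES))
```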


