Ethereal-users: Re: [Ethereal-users] (no subject)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Rick Farina" <farinard@xxxxxxxxxx>
Date: Sun, 21 Apr 2002 17:25:50 -0400
A good way to properly search for MACs is "arping":
http://freshmeat.net/projects/arping/?topic_id=150
I suggest you use that to find MACs. However, an important fact is that
anything outside of your router will have the MAC address of your router
(ARP is not routed). Are all of those addresses on your side of the router,
or are they on the other side? That is the most obvious conclusion that I
have (besides foul play). Let me know if that's it; otherwise, we can try
to diagnose possible foul play. ;-)

-Rick Farina
----- Original Message -----
From: "John E. Mayorga" <jmayorga5@xxxxxxxxx>
To: <ethereal-users@xxxxxxxxxxxx>
Sent: Sunday, April 21, 2002 16:35
Subject: [Ethereal-users] (no subject)


I'm on at&t @home service, and I've noticed some
strangeness in my subnet that I can't explain. I'm
sure someone here will know an obvious reason, so here
it goes.

I'm running on Red Hat 7.2 with an updated kernel from
Red Hat. Here is the output from "uname -a":

Linux ldap.athlon.com 2.4.9-31 #1 Tue Feb 26 06:23:51
EST 2002 i686 unknown

The results were gathered from three tools:
hunt 1.5 - for gathering MAC addresses
nmap V. 2.54BETA22 - for getting a response from
members of my subnet
ethereal 0.8.18 - general sniffing

OK, so here's the "thing" - everybody on my subnet has
the same MAC address, including my router. Yow!
Something I'm doing wrong, right? Well, let's see:

First, I fire up hunt and tell it to collect MAC
addresses. While hunt is doing its job, I run
"nmap -sP 24.127.52.*". Hunt reports the following
while running:

ARP: MAC src != ARP src for host 24.127.52.3
ARP: MAC src != ARP src for host 24.127.52.4
ARP: MAC src != ARP src for host 24.127.52.5
ARP: MAC src != ARP src for host 24.127.52.6
ARP: MAC src != ARP src for host 24.127.52.7
ARP: MAC src != ARP src for host 24.127.52.8
ARP: MAC src != ARP src for host 24.127.52.9
ARP: MAC src != ARP src for host 24.127.52.11
ARP: MAC src != ARP src for host 24.127.52.12
ARP: MAC src != ARP src for host 24.127.52.16
ARP: MAC src != ARP src for host 24.127.52.17
ARP: MAC src != ARP src for host 24.127.52.20
ARP: MAC src != ARP src for host 24.127.52.21
ARP: MAC src != ARP src for host 24.127.52.22
ARP: MAC src != ARP src for host 24.127.52.23
ARP: MAC src != ARP src for host 24.127.52.24
ARP: MAC src != ARP src for host 24.127.52.26
ARP: MAC src != ARP src for host 24.127.52.29
ARP: MAC src != ARP src for host 24.127.52.47
ARP: MAC src != ARP src for host 24.127.52.48
ARP: MAC src != ARP src for host 24.127.52.49
ARP: MAC src != ARP src for host 24.127.52.51
ARP: MAC src != ARP src for host 24.127.52.52
ARP: MAC src != ARP src for host 24.127.52.53
ARP: MAC src != ARP src for host 24.127.52.55
ARP: MAC src != ARP src for host 24.127.52.57
ARP: MAC src != ARP src for host 24.127.52.58
ARP: MAC src != ARP src for host 24.127.52.60
ARP: MAC src != ARP src for host 24.127.52.61
ARP: MAC src != ARP src for host 24.127.52.62
ARP: MAC src != ARP src for host 24.127.52.64
ARP: MAC src != ARP src for host 24.127.52.65
ARP: MAC src != ARP src for host 24.127.52.31
ARP: MAC src != ARP src for host 24.127.52.33
ARP: MAC src != ARP src for host 24.127.52.37
ARP: MAC src != ARP src for host 24.127.52.38
ARP: MAC src != ARP src for host 24.127.52.39
ARP: MAC src != ARP src for host 24.127.52.67
ARP: MAC src != ARP src for host 24.127.52.68
ARP: MAC src != ARP src for host 24.127.52.69
ARP: MAC src != ARP src for host 24.127.52.70
ARP: MAC src != ARP src for host 24.127.52.72
ARP: MAC src != ARP src for host 24.127.52.74
ARP: MAC src != ARP src for host 24.127.52.75
ARP: MAC src != ARP src for host 24.127.52.78
ARP: MAC src != ARP src for host 24.127.52.41
ARP: MAC src != ARP src for host 24.127.52.42
ARP: MAC src != ARP src for host 24.127.52.44
ARP: MAC src != ARP src for host 24.127.52.80
ARP: MAC src != ARP src for host 24.127.52.82
ARP: MAC src != ARP src for host 24.127.52.85
ARP: MAC src != ARP src for host 24.127.52.86
ARP: MAC src != ARP src for host 24.127.52.87
ARP: MAC src != ARP src for host 24.127.52.88
ARP: MAC src != ARP src for host 24.127.52.89
ARP: MAC src != ARP src for host 24.127.52.90
ARP: MAC src != ARP src for host 24.127.52.91
ARP: MAC src != ARP src for host 24.127.52.92
ARP: MAC src != ARP src for host 24.127.52.93
ARP: MAC src != ARP src for host 24.127.52.95
ARP: MAC src != ARP src for host 24.127.52.97
ARP: MAC src != ARP src for host 24.127.52.98
ARP: MAC src != ARP src for host 24.127.52.99
ARP: MAC src != ARP src for host 24.127.52.100
ARP: MAC src != ARP src for host 24.127.52.101
ARP: MAC src != ARP src for host 24.127.52.103
ARP: MAC src != ARP src for host 24.127.52.105
ARP: MAC src != ARP src for host 24.127.52.107
ARP: MAC src != ARP src for host 24.127.52.108
ARP: MAC src != ARP src for host 24.127.52.109
ARP: MAC src != ARP src for host 24.127.52.110
ARP: MAC src != ARP src for host 24.127.52.111
ARP: MAC src != ARP src for host 24.127.52.114
ARP: MAC src != ARP src for host 24.127.52.115
ARP: MAC src != ARP src for host 24.127.52.116
ARP: MAC src != ARP src for host 24.127.52.117
ARP: MAC src != ARP src for host 24.127.52.118
ARP: MAC src != ARP src for host 24.127.52.119
ARP: MAC src != ARP src for host 24.127.52.120
ARP: MAC src != ARP src for host 24.127.52.121
ARP: MAC src != ARP src for host 24.127.52.122
ARP: MAC src != ARP src for host 24.127.52.123
ARP: MAC src != ARP src for host 24.127.52.124
ARP: MAC src != ARP src for host 24.127.52.125
ARP: MAC src != ARP src for host 24.127.52.126
ARP: MAC src != ARP src for host 24.127.52.130
ARP: MAC src != ARP src for host 24.127.52.131
ARP: MAC src != ARP src for host 24.127.52.133
ARP: MAC src != ARP src for host 24.127.52.134
ARP: MAC src != ARP src for host 24.127.52.136
ARP: MAC src != ARP src for host 24.127.52.142
ARP: MAC src != ARP src for host 24.127.52.146
ARP: MAC src != ARP src for host 24.127.52.149
ARP: MAC src != ARP src for host 24.127.52.151
ARP: MAC src != ARP src for host 24.127.52.155
ARP: MAC src != ARP src for host 24.127.52.156
ARP: MAC src != ARP src for host 24.127.52.157
ARP: MAC src != ARP src for host 24.127.52.158
ARP: MAC src != ARP src for host 24.127.52.159
ARP: MAC src != ARP src for host 24.127.52.160
ARP: MAC src != ARP src for host 24.127.52.161
ARP: MAC src != ARP src for host 24.127.52.163
ARP: MAC src != ARP src for host 24.127.52.165
ARP: MAC src != ARP src for host 24.127.52.166
ARP: MAC src != ARP src for host 24.127.52.167
ARP: MAC src != ARP src for host 24.127.52.168
ARP: MAC src != ARP src for host 24.127.52.172
ARP: MAC src != ARP src for host 24.127.52.173
ARP: MAC src != ARP src for host 24.127.52.176
ARP: MAC src != ARP src for host 24.127.52.177
ARP: MAC src != ARP src for host 24.127.52.178
ARP: MAC src != ARP src for host 24.127.52.179
ARP: MAC src != ARP src for host 24.127.52.180
ARP: MAC src != ARP src for host 24.127.52.181
ARP: MAC src != ARP src for host 24.127.52.182
ARP: MAC src != ARP src for host 24.127.52.183
ARP: MAC src != ARP src for host 24.127.52.184
ARP: MAC src != ARP src for host 24.127.52.185
ARP: MAC src != ARP src for host 24.127.52.186
ARP: MAC src != ARP src for host 24.127.52.187
ARP: MAC src != ARP src for host 24.127.52.189
ARP: MAC src != ARP src for host 24.127.52.190
ARP: MAC src != ARP src for host 24.127.52.191
ARP: MAC src != ARP src for host 24.127.52.192
ARP: MAC src != ARP src for host 24.127.52.193
ARP: MAC src != ARP src for host 24.127.52.196
ARP: MAC src != ARP src for host 24.127.52.197
ARP: MAC src != ARP src for host 24.127.52.199
ARP: MAC src != ARP src for host 24.127.52.200
ARP: MAC src != ARP src for host 24.127.52.203
ARP: MAC src != ARP src for host 24.127.52.204
ARP: MAC src != ARP src for host 24.127.52.205
ARP: MAC src != ARP src for host 24.127.52.206
ARP: MAC src != ARP src for host 24.127.52.208
ARP: MAC src != ARP src for host 24.127.52.209
ARP: MAC src != ARP src for host 24.127.52.211
ARP: MAC src != ARP src for host 24.127.52.212
ARP: MAC src != ARP src for host 24.127.52.215
ARP: MAC src != ARP src for host 24.127.52.216
ARP: MAC src != ARP src for host 24.127.52.217
ARP: MAC src != ARP src for host 24.127.52.218
ARP: MAC src != ARP src for host 24.127.52.219
ARP: MAC src != ARP src for host 24.127.52.221
ARP: MAC src != ARP src for host 24.127.52.224
ARP: MAC src != ARP src for host 24.127.52.228
ARP: MAC src != ARP src for host 24.127.52.232
ARP: MAC src != ARP src for host 24.127.52.235
ARP: MAC src != ARP src for host 24.127.52.236
ARP: MAC src != ARP src for host 24.127.52.237
ARP: MAC src != ARP src for host 24.127.52.239
ARP: MAC src != ARP src for host 24.127.52.240
ARP: MAC src != ARP src for host 24.127.52.241
ARP: MAC src != ARP src for host 24.127.52.242
ARP: MAC src != ARP src for host 24.127.52.249
ARP: MAC src != ARP src for host 24.127.52.250
ARP: MAC src != ARP src for host 24.127.52.252
ARP: MAC src != ARP src for host 24.127.52.254
ARP: MAC src != ARP src for host 24.127.52.255

I then tell hunt to report the collected MAC
addresses:

--- mac table ---
10.127.52.1              00:B0:8E:F7:3C:54
24.127.52.1              00:B0:8E:F7:3C:54
24.127.52.10             00:01:02:84:77:E2

If I then poke through ethereal, any responses (mostly
http responses) give the "Ethernet II" source MAC of
the router (and it resolves to the router's IP on the
same line), and gives the "Internet Protocol" Source:
as the responding machine.

Helpful hints: It was explained to me during the
installation that I was the only one on my segment,
which is believable, considering my location. My
network mask is: 255.255.254.0

The answer is sure to be staring me in the face, so
any slaps upside the head will be welcome. Can anyone
tell me how to properly collect MAC addresses?

Thanx,

John
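
Added example, not part of the original thread and not hunt's own code: a Python check over ARP frames for the two symptoms discussed above, one MAC answering for many IP addresses and an Ethernet source MAC that differs from the ARP sender hardware address (assumed here to be what hunt's "MAC src != ARP src" warning means). The router and host addresses reuse values from the thread; the `02:...` MAC and the sample frames are constructed.

```python
import struct
from collections import defaultdict

def _mac(b): return ":".join(f"{x:02X}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_src, arp_sender_mac, arp_sender_ip) or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                      # not ARP
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return _mac(eth_src), _mac(sha), _ip(spa)

def audit(frames):
    """Return (mismatches, shared): header/payload MAC disagreements, and MACs seen with >1 IP."""
    mismatches, owners = [], defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sha, spa = parsed
        if eth_src != sha:                       # frame was relayed or forged
            mismatches.append((spa, eth_src, sha))
        owners[eth_src].add(spa)
    shared = {m: sorted(ips) for m, ips in owners.items() if len(ips) > 1}
    return mismatches, shared

def build(eth_src, sha, spa, tpa="24.127.52.10", oper=2):
    """Construct a minimal ARP frame for testing (sample data, not a capture)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda s: bytes(int(o) for o in s.split("."))
    return (b"\xff" * 6 + h(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + h(sha) + a(spa) + b"\x00" * 6 + a(tpa))

ROUTER, HOST = "00:B0:8E:F7:3C:54", "00:01:02:84:77:E2"   # MACs from the thread's table
SAMPLE = [                                                 # constructed frames
    build(ROUTER, ROUTER, "24.127.52.1"),
    build(ROUTER, ROUTER, "10.127.52.1"),
    build(ROUTER, "02:00:00:00:00:03", "24.127.52.3"),     # payload MAC is made up
    build(HOST, HOST, "24.127.52.10", tpa="24.127.52.1", oper=1),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A MAC listed in `shared` is expected for a router or proxy-ARP device; the same pattern from a MAC that is not the known gateway is the case worth investigating.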






