Ethereal-users: Re: [Ethereal-users] (no subject)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "John E. Mayorga" <jmayorga5@xxxxxxxxx>
Date: Sun, 21 Apr 2002 15:58:17 -0700 (PDT)
Rick,

I installed arping and created a little script to run
through the subnet. Here is the output:

ARPING 24.127.52.1 from 24.127.52.10 eth0
Unicast reply from 24.127.52.1 [00:B0:8E:F7:3C:54] 8.803ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.2 from 24.127.52.10 eth0
Unicast reply from 24.127.52.2 [00:D0:09:61:D7:2F] 9.601ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.3 from 24.127.52.10 eth0
Unicast reply from 24.127.52.3 [00:04:5A:41:2C:F3] 51.540ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.4 from 24.127.52.10 eth0
Unicast reply from 24.127.52.4 [00:02:E3:03:C4:E0] 9.096ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.5 from 24.127.52.10 eth0
Unicast reply from 24.127.52.5 [00:10:4C:12:30:1E] 9.515ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.6 from 24.127.52.10 eth0
Unicast reply from 24.127.52.6 [00:03:47:DB:D7:13] 31.087ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.7 from 24.127.52.10 eth0
Unicast reply from 24.127.52.7 [00:00:C5:3C:9A:32] 12.555ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.8 from 24.127.52.10 eth0
Sent 1 probes (1 broadcast(s))
Received 0 response(s)

...

These MACs are different than the ones reported before
by hunt and ethereal. Is it that all my traffic is
coming through the router, even that of the other
members of my subnet, so other programs are reporting
the router's MAC?

John


--- Rick Farina <farinard@xxxxxxxxxx> wrote:
> A good way to properly search for MAC's is "arping"
> http://freshmeat.net/projects/arping/?topic_id=150
> I suggest you use that to find MAC's.....however, an important fact is that
> anything outside of your router will have the MAC address of your router
> (ARP is not routed).  Are all of those addresses on your side of the router?
> or are they on the other side.  That is the most obvious conclusion that I
> have (besides foul play).  Let me know if that's it....otherwise, we can try
> to diagnose possible foul play.  ;-)
> 
> -Rick Farina
> ----- Original Message -----
> From: "John E. Mayorga" <jmayorga5@xxxxxxxxx>
> To: <ethereal-users@xxxxxxxxxxxx>
> Sent: Sunday, April 21, 2002 16:35
> Subject: [Ethereal-users] (no subject)
> 
> 
> I'm on at&t @home service, and I've noticed some
> strangeness in my subnet that I can't explain. I'm
> sure someone here will know an obvious reason, so here
> it goes.
> 
> I'm running on Red Hat 7.2 with an updated kernel from
> Red Hat. Here is the output from "uname -a":
> 
> Linux ldap.athlon.com 2.4.9-31 #1 Tue Feb 26 06:23:51 EST 2002 i686 unknown
> 
> The results were gathered from three tools:
> hunt 1.5 - for gathering MAC addresses
> nmap V. 2.54BETA22 - for getting a response from
> members of my subnet
> ethereal 0.8.18 - general sniffing
> 
> OK, so here's the "thing" - everybody on my subnet has
> the same MAC address, including my router. Yow!
> Something I'm doing wrong, right? Well, let's see:
> 
> First, I fire up hunt and tell it to collect MAC
> addresses. While hunt is doing its job, I run
> "nmap -sP 24.127.52.*". Hunt reports the following
> while running:
> 
> ARP: MAC src != ARP src for host 24.127.52.3
> ARP: MAC src != ARP src for host 24.127.52.4
> ARP: MAC src != ARP src for host 24.127.52.5
> ARP: MAC src != ARP src for host 24.127.52.6
> ARP: MAC src != ARP src for host 24.127.52.7
> ARP: MAC src != ARP src for host 24.127.52.8
> ARP: MAC src != ARP src for host 24.127.52.9
> ARP: MAC src != ARP src for host 24.127.52.11
> ARP: MAC src != ARP src for host 24.127.52.12
> ARP: MAC src != ARP src for host 24.127.52.16
> ARP: MAC src != ARP src for host 24.127.52.17
> ARP: MAC src != ARP src for host 24.127.52.20
> ARP: MAC src != ARP src for host 24.127.52.21
> ARP: MAC src != ARP src for host 24.127.52.22
> ARP: MAC src != ARP src for host 24.127.52.23
> ARP: MAC src != ARP src for host 24.127.52.24
> ARP: MAC src != ARP src for host 24.127.52.26
> ARP: MAC src != ARP src for host 24.127.52.29
> ARP: MAC src != ARP src for host 24.127.52.47
> ARP: MAC src != ARP src for host 24.127.52.48
> ARP: MAC src != ARP src for host 24.127.52.49
> ARP: MAC src != ARP src for host 24.127.52.51
> ARP: MAC src != ARP src for host 24.127.52.52
> ARP: MAC src != ARP src for host 24.127.52.53
> ARP: MAC src != ARP src for host 24.127.52.55
> ARP: MAC src != ARP src for host 24.127.52.57
> ARP: MAC src != ARP src for host 24.127.52.58
> ARP: MAC src != ARP src for host 24.127.52.60
> ARP: MAC src != ARP src for host 24.127.52.61
> ARP: MAC src != ARP src for host 24.127.52.62
> ARP: MAC src != ARP src for host 24.127.52.64
> ARP: MAC src != ARP src for host 24.127.52.65
> ARP: MAC src != ARP src for host 24.127.52.31
> ARP: MAC src != ARP src for host 24.127.52.33
> ARP: MAC src != ARP src for host 24.127.52.37
> ARP: MAC src != ARP src for host 24.127.52.38
> ARP: MAC src != ARP src for host 24.127.52.39
> ARP: MAC src != ARP src for host 24.127.52.67
> ARP: MAC src != ARP src for host 24.127.52.68
> ARP: MAC src != ARP src for host 24.127.52.69
> ARP: MAC src != ARP src for host 24.127.52.70
> ARP: MAC src != ARP src for host 24.127.52.72
> ARP: MAC src != ARP src for host 24.127.52.74
> ARP: MAC src != ARP src for host 24.127.52.75
> ARP: MAC src != ARP src for host 24.127.52.78
> ARP: MAC src != ARP src for host 24.127.52.41
> ARP: MAC src != ARP src for host 24.127.52.42
> ARP: MAC src != ARP src for host 24.127.52.44
> ARP: MAC src != ARP src for host 24.127.52.80
> ARP: MAC src != ARP src for host 24.127.52.82
> ARP: MAC src != ARP src for host 24.127.52.85
> ARP: MAC src != ARP src for host 24.127.52.86
> ARP: MAC src != ARP src for host 24.127.52.87
> ARP: MAC src != ARP src for host 24.127.52.88
> ARP: MAC src != ARP src for host 24.127.52.89
> ARP: MAC src != ARP src for host 24.127.52.90
> ARP: MAC src != ARP src for host 24.127.52.91
> ARP: MAC src != ARP src for host 24.127.52.92
> ARP: MAC src != ARP src for host 24.127.52.93
> ARP: MAC src != ARP src for host 24.127.52.95
> ARP: MAC src != ARP src for host 24.127.52.97
> ARP: MAC src != ARP src for host 24.127.52.98
> ARP: MAC src != ARP src for host 24.127.52.99
> ARP: MAC src != ARP src for host 24.127.52.100
> ARP: MAC src != ARP src for host 24.127.52.101
> ARP: MAC src != ARP src for host 24.127.52.103
> ARP: MAC src != ARP src for host 24.127.52.105
> ARP: MAC src != ARP src for host 24.127.52.107
> ARP: MAC src != ARP src for host 24.127.52.108
> ARP: MAC src != ARP src for host 24.127.52.109
> ARP: MAC src != ARP src for host 24.127.52.110
> ARP: MAC src != ARP src for host 24.127.52.111
> ARP: MAC src != ARP src for host 24.127.52.114
> ARP: MAC src != ARP src for host 24.127.52.115
> ARP: MAC src != ARP src for host 24.127.52.116
> ARP: MAC src != ARP src for host 24.127.52.117
> ARP: MAC src != ARP src for host 24.127.52.118
> ARP: MAC src != ARP src for host 24.127.52.119
> ARP: MAC src != ARP src for host 24.127.52.120
> ARP: MAC src != ARP src for host 24.127.52.121
> ARP: MAC src != ARP src for host 24.127.52.122
> ARP: MAC src != ARP src for host 24.127.52.123
> ARP: MAC src != ARP src for host 24.127.52.124
> ARP: MAC src != ARP src for host 24.127.52.125
> ARP: MAC src != ARP src for host 24.127.52.126
> ARP: MAC src != ARP src for host 24.127.52.130
> ARP: MAC src != ARP src for host 24.127.52.131
> ARP: MAC src != ARP src for host 24.127.52.133
> ARP: MAC src != ARP src for host 24.127.52.134
> ARP: MAC src != ARP src for host 24.127.52.136
> ARP: MAC src != ARP src for host 24.127.52.142
> ARP: MAC src != ARP src for host 24.127.52.146
> ARP: MAC src != ARP src for host 24.127.52.149
> ARP: MAC src != ARP src for host 24.127.52.151
> ARP: MAC src != ARP src for host 24.127.52.155
> ARP: MAC src != ARP src for host 24.127.52.156
> ARP: MAC src != ARP src for host 24.127.52.157
> ARP: MAC src != ARP src for host 24.127.52.158
> ARP: MAC src != ARP src for host 24.127.52.159
> ARP: MAC src != ARP src for host 24.127.52.160
> ARP: MAC src != ARP src for host 24.127.52.161
> ARP: MAC src != ARP src for host 24.127.52.163
> ARP: MAC src != ARP src for host 24.127.52.165
> ARP: MAC src != ARP src for host 24.127.52.166
> ARP: MAC src != ARP src for host 24.127.52.167
> ARP: MAC src != ARP src for host 24.127.52.168
> ARP: MAC src != ARP src for host 24.127.52.172
> ARP: MAC src != ARP src for host 24.127.52.173
> ARP: MAC src != ARP src for host 24.127.52.176
> ARP: MAC src != ARP src for host 24.127.52.177
> ARP: MAC src != ARP src for host 24.127.52.178
> ARP: MAC src != ARP src for host 24.127.52.179
> ARP: MAC src != ARP src for host 24.127.52.180
> ARP: MAC src != ARP src for host 24.127.52.181
> ARP: MAC src != ARP src for host 24.127.52.182
> ARP: MAC src != ARP src for host 24.127.52.183
> ARP: MAC src != ARP src for host 24.127.52.184
> ARP: MAC src != ARP src for host 24.127.52.185
> ARP: MAC src != ARP src for host 24.127.52.186
> ARP: MAC src != ARP src for host 24.127.52.187
> ARP: MAC src != ARP src for host 24.127.52.189
> ARP: MAC src != ARP src for host 24.127.52.190
> ARP: MAC src != ARP src for host 24.127.52.191
> ARP: MAC src != ARP src for host 24.127.52.192
> ARP: MAC src != ARP src for host 24.127.52.193
> ARP: MAC src != ARP src for host 24.127.52.196
> ARP: MAC src != ARP src for host 24.127.52.197
> ARP: MAC src != ARP src for host 24.127.52.199
> ARP: MAC src != ARP src for host 24.127.52.200
> ARP: MAC src != ARP src for host 24.127.52.203
> ARP: MAC src != ARP src for host 24.127.52.204
> ARP: MAC src != ARP src for host 24.127.52.205
> ARP: MAC src != ARP src for host 24.127.52.206
> ARP: MAC src != ARP src for host 24.127.52.208
> ARP: MAC src != ARP src for host 24.127.52.209
> ARP: MAC src != ARP src for host 24.127.52.211
> ARP: MAC src != ARP src for host 24.127.52.212
> ARP: MAC src != ARP src for host 24.127.52.215
> ARP: MAC src != ARP src for host 24.127.52.216
> ARP: MAC src != ARP src for host 24.127.52.217
> ARP: MAC src != ARP src for host 24.127.52.218
> ARP: MAC src != ARP src for host 24.127.52.219
> ARP: MAC src != ARP src for host 24.127.52.221
> ARP: MAC src != ARP src for host 24.127.52.224
> ARP: MAC src != ARP src for host 24.127.52.228
> ARP: MAC src != ARP src for host 24.127.52.232
> ARP: MAC src != ARP src for host 24.127.52.235
> ARP: MAC src != ARP src for host 24.127.52.236
> ARP: MAC src != ARP src for host 24.127.52.237
> ARP: MAC src != ARP src for host 24.127.52.239
> ARP: MAC src != ARP src for host 24.127.52.240
> ARP: MAC src != ARP src for host 24.127.52.241
> ARP: MAC src != ARP src for host 24.127.52.242
> ARP: MAC src != ARP src for host 24.127.52.249
> ARP: MAC src != ARP src for host 24.127.52.250
> ARP: MAC src != ARP src for host 24.127.52.252
> ARP: MAC src != ARP src for host 24.127.52.254
> ARP: MAC src != ARP src for host 24.127.52.255
> 
> I then tell hunt to report the collected MAC
> addresses:
> 
> --- mac table ---
> 10.127.52.1              00:B0:8E:F7:3C:54
> 24.127.52.1              00:B0:8E:F7:3C:54
> 24.127.52.10             00:01:02:84:77:E2
> 
> If I then poke through ethereal, any responses (mostly
> http responses) give the "Ethernet II" source MAC of
> the router (and it resolves to the router's IP on the
> same line), and gives the "Internet Protocol" Source:
> as the responding machine.
> 
> Helpful hints: It was explained to me during the
> installation that I was the only one on my segment,
> which is believable, considering my location. My
> network mask is: 255.255.254.0
> 
> The answer is sure to be staring me in the face, so
> any slaps upside the head will be welcome. Can anyone
> tell me how to properly collect MAC addresses?
> 
> Thanx,
> 
> John
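
Rick's point that anything beyond the router shows up with the router's MAC can be checked by comparing arping results with the source MACs a sniffer recorded. The following is an added example, not part of the original thread: the sample data, `parse_arping`, `classify` and the verdict labels are all constructed for illustration.

```python
import re

# Constructed sample in the arping format quoted above (documentation IPs, made-up MACs).
ARPING_OUTPUT = """\
ARPING 192.0.2.1 from 192.0.2.10 eth0
Unicast reply from 192.0.2.1 [02:00:00:00:00:01]  8.803ms
Received 1 response(s)
ARPING 192.0.2.2 from 192.0.2.10 eth0
Unicast reply from 192.0.2.2 [02:00:00:00:00:02]  9.601ms
Received 1 response(s)
ARPING 192.0.2.3 from 192.0.2.10 eth0
Unicast reply from 192.0.2.3 [02:00:00:00:00:03]  9.096ms
Received 1 response(s)
ARPING 192.0.2.8 from 192.0.2.10 eth0
Received 0 response(s)
"""
# Constructed: Ethernet source MAC a sniffer recorded on frames from each IP source.
SNIFFED = {"192.0.2.1": "02:00:00:00:00:01", "192.0.2.2": "02:00:00:00:00:01",
           "192.0.2.3": "02:00:00:00:00:99", "192.0.2.8": "02:00:00:00:00:08"}

REPLY_RE = re.compile(r"reply from (\S+) \[([0-9A-Fa-f:]{17})\]")

def parse_arping(text):
    """Return {ip: mac}; a probed IP that never replied maps to None."""
    table = {}
    for line in text.splitlines():
        reply = REPLY_RE.search(line)
        if line.startswith("ARPING "):
            table.setdefault(line.split()[1], None)
        elif reply:
            table[reply.group(1)] = reply.group(2).upper()
    return table

def classify(arp_table, sniffed, gateway_ip):
    """Compare each sniffed frame's source MAC with the ARP answer for its IP."""
    gw_mac = arp_table.get(gateway_ip)
    verdicts = {}
    for ip, frame_mac in sniffed.items():
        frame_mac, arp_mac = frame_mac.upper(), arp_table.get(ip)
        if frame_mac == arp_mac:
            verdicts[ip] = "direct"        # frame came straight from the owner
        elif frame_mac == gw_mac:
            verdicts[ip] = "via-gateway"   # router forwarded it (ARP is not routed)
        elif arp_mac is None:
            verdicts[ip] = "unresolved"    # no ARP answer to compare against
        else:
            verdicts[ip] = "mismatch"      # neither owner nor gateway: investigate
    return verdicts

print(classify(parse_arping(ARPING_OUTPUT), SNIFFED, gateway_ip="192.0.2.1"))
```

Only the "mismatch" verdict points at something other than ordinary routing. The parser reads the IP and MAC from the reply line alone, so a reply whose timing has wrapped onto the next line still parses.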