Ethereal-users: Re: [Ethereal-users] Wierdness in CablemodemLand?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 22 Apr 2002 00:26:03 -0700
On Sun, Apr 21, 2002 at 10:12:07PM -0700, John E. Mayorga wrote:
> I used pretty much the same script for ARPing 1.04.
> Here is the output (which makes sense):
> 
> ARPING 24.127.52.1 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.1 [00:B0:8E:F7:3C:54] 8.803ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> 
> ARPING 24.127.52.2 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.2 [00:D0:09:61:D7:2F] 9.601ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)

So what does the traffic sent out by ARPing, and the replies it gets
back, look like?

For example, if it sends out a ARP request asking what the MAC address
is for 24.127.52.9, what's the MAC address of the machine that responds?
(I.e., is it that machine, which would indicate that packets get bridged
directly to that machine, or is the router just handing you the MAC
address information it has, which would indicate that they get routed to
that machine?)

> ARPING 24.127.52.10 from 24.127.52.10 eth0
> Sent 1 probes (1 broadcast(s))
> Received 0 response(s)
> ARPING 24.127.52.11 from 24.127.52.10 eth0
> Unicast reply from 24.127.52.11 [00:04:5A:2A:A1:5A] 57.094ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)

I assume 00:04:5a:2a:a1:5a is the MAC address of your machine?

> ARPING 24.127.52.15 from 24.127.52.10 eth0
> Sent 1 probes (1 broadcast(s))
> Received 0 response(s)

That machine may be powered down, or nonexistent, so, if it's the router
that's sending out the ARP replies, you won't get a response.

> If I try to collect MAC addresses using Hunt 1.5 to
> collect MAC addresses, while sending out a "nmap -sP
> 24.127.52.*", the following is reported by Hunt, as if
> it was indicating an error:
> 
> ARP: MAC src != ARP src for host 24.127.52.3
>
> ARP: MAC src != ARP src for host 24.127.52.4

> If I poke through the
> traffic that I had generated with the "nmap -sP
> 24.127.52.*" using Ethereal, any responses from the
> machines nmap was communicating with (mostly http
> responses) give the following Layer 2 info:
> 
> For "Ethernet II" it gives the MAC of the router (and
> it resolves to the router's IP on the same line)

...which suggests that traffic to those machines gets routed through the
router, rather than bridged to those machines.

I.e., the packet nmap sends to the machine goes out with the source MAC
address of your machine, and with the router's MAC address as the
destination MAC address.  The packet is received by the router, and
forwarded to the other machine; it sends the reply to your IP address,
but sends the reply to the router, which receives it and forwards it to
your machine, so that the reply arrives at your machine with the
*router's* MAC address as the source MAC address.

Ethernet isn't a routed protocol, so Ethernet addresses are *not*
preserved when a packet is routed.  (They're preserved if the packet is
bridged, but it appears that packets aren't being bridged.)

> For the IP layer on the "Internet Protocol" line it
> gives Source: as the machine nmap was communicating
> with at the time.

...which is exactly as it should be.
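As an added illustration of the two checks discussed in this message (it is example code written for this archive page, not something posted in the thread or shipped with arping, Hunt or Ethereal): the first part parses arping output of the shape quoted above and classifies each target by which MAC answered, which is Guy's "is it that machine, or is the router handing you the MAC it has?" question; the second part builds Ethernet II + ARP reply frames with the standard RFC 826 layout and applies the same comparison Hunt reports as "MAC src != ARP src", i.e. whether the Ethernet source address matches the ARP sender hardware address. The router IP and MAC (`ROUTER_IP`, `ROUTER_MAC`) are assumed, and all sample output and frames are constructed; the 24.127.52.9 entry is invented to show what a proxy-ARP reply from the router would look like.

```python
"""Classify arping replies (bridged vs. routed/proxy-ARP) and flag frames
whose Ethernet source MAC differs from the ARP sender hardware address.

Added example; the router identity and all sample data are constructed."""
import re
import socket
import struct

# Constructed assumption: which host is the router and what its MAC is.
ROUTER_IP = "24.127.52.1"
ROUTER_MAC = "00:b0:8e:f7:3c:54"

# Constructed arping output in the format quoted in the thread
# (the .9 entry is invented to show a router answering for another host).
ARPING_OUTPUT = """\
ARPING 24.127.52.1 from 24.127.52.10 eth0
Unicast reply from 24.127.52.1 [00:B0:8E:F7:3C:54] 8.803ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.2 from 24.127.52.10 eth0
Unicast reply from 24.127.52.2 [00:D0:09:61:D7:2F] 9.601ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.9 from 24.127.52.10 eth0
Unicast reply from 24.127.52.9 [00:B0:8E:F7:3C:54] 11.200ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
ARPING 24.127.52.15 from 24.127.52.10 eth0
Sent 1 probes (1 broadcast(s))
Received 0 response(s)
"""

ARPING_RE = re.compile(r"^ARPING (\S+) from ")
REPLY_RE = re.compile(r"^Unicast reply from (\S+) \[([0-9A-Fa-f:]{17})\]")


def parse_arping(text):
    """Return {target_ip: replying_mac_or_None} from arping output."""
    replies = {}
    current = None
    for line in text.splitlines():
        m = ARPING_RE.match(line)
        if m:
            current = m.group(1)
            replies.setdefault(current, None)
            continue
        m = REPLY_RE.match(line)
        if m and current is not None:
            replies[current] = m.group(2).lower()
    return replies


def classify(replies, router_ip, router_mac):
    """bridged: the host answered with its own MAC (frames reach it directly);
    routed: the router's MAC answered for it (proxy ARP, traffic is routed);
    silent: no reply (host down or nonexistent); router: the router itself."""
    router_mac = router_mac.lower()
    result = {}
    for ip, mac in replies.items():
        if ip == router_ip:
            result[ip] = "router"
        elif mac is None:
            result[ip] = "silent"
        elif mac == router_mac:
            result[ip] = "routed"
        else:
            result[ip] = "bridged"
    return result


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by an RFC 826 ARP reply.  eth_src is the
    frame's source MAC; sender_mac is the ARP sender hardware address.  They
    differ when a router answers on behalf of another host."""
    eth = mac_bytes(target_mac) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def check_arp_frame(frame):
    """Hunt's test: compare Ethernet source MAC with the ARP sender MAC.
    Returns (eth_src, arp_sender_mac, arp_sender_ip, mismatch)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    eth_src = frame[6:12]
    arp = frame[14:]
    sha, spa = arp[8:14], arp[14:18]
    return mac_str(eth_src), mac_str(sha), socket.inet_ntoa(spa), eth_src != sha


if __name__ == "__main__":
    for ip, kind in classify(parse_arping(ARPING_OUTPUT), ROUTER_IP, ROUTER_MAC).items():
        print(f"{ip:15} {kind}")
    frame = build_arp_reply(ROUTER_MAC, "00:d0:09:61:d7:2f", "24.127.52.3",
                            "00:04:5a:2a:a1:5a", "24.127.52.10")
    print(check_arp_frame(frame))
```

If every host except the router comes back as "routed", the segment is being routed through that router rather than bridged, which is also why Ethereal shows the router's MAC as the Ethernet II source on replies from those hosts: the Ethernet header is rewritten on each hop while the IP source address is preserved.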