Date: Sat, 17 Jul 2004 08:43:23 +0900 (JST)
From: Motonori Shindo <mshindo@mshindo.net>
To: blacksir@number.ru
Cc: freebsd-net@freebsd.org
Subject: Re: strange MACs in tcpdump output
Message-ID: <20040717.084323.35011909.mshindo@mshindo.net>
In-Reply-To: <NKEJKOHEKMBIMCCEHEPKCEACDFAA.blacksir@number.ru>
References: <NKEJKOHEKMBIMCCEHEPKCEACDFAA.blacksir@number.ru>

Alexander,

Most implementations fill the target hardware address (which I will refer to as 'THA' hereafter) with zero in an ARP Request, so tcpdump omits to print it out in that case. If THA is not filled with zero, tcpdump prints it out with braces as you just saw.

I don't know what OS of what version you are seeing this with, but it may be FreeBSD 5.0. If my memory serves me right, FreeBSD 5.0 didn't explicitly fill the THA with zero, so what will be seen in the THA field is dependent on memory at that time. In theory, THA doesn't matter in an ARP Request, but there are some implementations that do care about it (i.e. it doesn't respond to ARP Request if THA is not all-zero). FreeBSD 5.1 fixed this problem and now fills THA with all-zero in ARP Request.

Regards,

From: "Alexander Vasenin aka BlackSir" <blacksir@number.ru>
Subject: strange MACs in tcpdump output
Date: Fri, 16 Jul 2004 21:11:56 +0400

> What are the strange MACs in braces in the following output, and why do they exist on some lines while on others they do not? I've checked tcpdump(8) and arp(4) and found nothing about this...
>
> [root@*] tcpdump -envvvi fxp2 arp and not ether host 0:60:b0:3c:92:86
> tcpdump: listening on fxp2
> 19:53:38.727058 0:5:5d:25:ce:3e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.254.1 (fe:1:0:0:cc:88) tell 192.168.254.253
> ^^^source ^^^target ^^^???
> Real MAC of 192.168.254.1 is 0:60:b0:3c:92:86
>
> 19:54:01.544218 0:20:ed:85:6a:5c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.198.1 tell 192.168.198.25
>
> 19:54:02.181343 0:d0:b7:a9:a4:3a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.198.1 tell 192.168.198.11
>
> 19:54:18.503453 0:c0:49:cc:c1:2 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.208.65 (0:60:b0:3c:92:86) tell 192.168.208.75
> Real MAC of 192.168.208.65 is 0:60:b0:3c:92:86
>
> 20:10:25.121986 0:5:5d:ed:6d:68 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.254.1 (5d:ed:6d:68:c0:a8) tell 192.168.254.252
> ^^^???
> What is it? MAC in braces is like src MAC 'shifted' by 16bits???
>
> Alexander Vasenin aka BlackSir
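
An added example, not part of the original messages: a Python check that parses ARP requests and classifies the THA field, including the case where the THA is a byte window of the frame's own sender hardware and protocol addresses. The frames are constructed from the tcpdump lines quoted above, assuming the ARP sender hardware address equals the Ethernet source that `tcpdump -e` prints and that lines without a braced MAC carry an all-zero THA; all function names are hypothetical.

```python
import socket
import struct

# ARP body for Ethernet/IPv4: htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes

# Constructed from the quoted tcpdump lines: (SHA, SPA "tell", THA, TPA "who-has")
SAMPLES = [
    ("00055d25ce3e", "192.168.254.253", "fe010000cc88", "192.168.254.1"),
    ("0020ed856a5c", "192.168.198.25", "000000000000", "192.168.198.1"),
    ("00c049ccc102", "192.168.208.75", "0060b03c9286", "192.168.208.65"),
    ("00055ded6d68", "192.168.254.252", "5ded6d68c0a8", "192.168.254.1"),
]

def build_request(sha, spa, tha, tpa):
    """Build a constructed broadcast Ethernet frame carrying an ARP request."""
    eth = b"\xff" * 6 + sha + struct.pack("!H", 0x0806)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sha,
                      socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return (eth + arp).ljust(60, b"\x00")  # pad to the 60-byte length shown

def check_arp_request(frame):
    """Return None for anything but an Ethernet/IPv4 ARP request, else a report."""
    if len(frame) < 14 + ARP_LEN or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:14 + ARP_LEN])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):
        return None
    if tha == b"\x00" * 6:
        verdict = "zero"                # what most senders put in a request
    elif tha in sha + spa:
        verdict = "echoes-own-header"   # THA repeats bytes of SHA followed by SPA
    else:
        verdict = "nonzero"             # some other non-zero content
    return {"tell": socket.inet_ntoa(spa), "who_has": socket.inet_ntoa(tpa),
            "tha": ":".join(f"{b:02x}" for b in tha), "verdict": verdict}

def classify_samples():
    """Classify the four constructed frames, in the order they were captured."""
    return [check_arp_request(build_request(
        bytes.fromhex(s), spa, bytes.fromhex(t), tpa))["verdict"]
        for s, spa, t, tpa in SAMPLES]

if __name__ == "__main__":
    print(classify_samples())
```

For the 20:10:25 frame the braced value 5d:ed:6d:68:c0:a8 is the last four bytes of the source MAC followed by c0:a8, the first two bytes of 192.168.254.252, which is the 16-bit shift the question noticed.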