On Thu, Oct 19, 2006 at 07:53:29AM +0800, Lestat V wrote:
> I tried using "arp -an -i eth0" plus "arping [MAC]", and results:
> dance:/home/lestat# arp -an -i eth0
> ? (10.100.105.251) at 00:07:84:52:55:3C [ether] on eth0
> ? (10.100.105.252) at 00:07:84:52:55:3D [ether] on eth0
> ? (10.100.105.250) at 00:00:0C:07:AC:00 [ether] on eth0
> ? (10.100.105.14) at 00:00:0C:07:AC:00 [ether] on eth0
> ? (10.100.105.1) at 00:00:0C:07:AC:00 [ether] on eth0
> AND
> arping packets were "100% unanswered" from .1 and .14's real MAC's (
> I get them from their owners), the pecular "00:00:0C:07:AC:00", and
> .251(00:07:84:52:55:3C), while did get answered from
> .252(00:07:84:52:55:3D).
That's strange, maybe there *is* a bridge [1]
> I ping 10.100.105.1 and some other machines while "tcpdump -ni eth0
> arp", and got strange things:
(...)
> Look, my ARP request go to myself! While the other machine ask .251 or
> .252! Why?
No, you arp requests are the "arp who-has YYY tell XXX" where XXX is the one
who is asking and YYY the one he is looking for, the "arp reply" are
the answers (i.e. YYY answering back). If you see the etherlink level header
(-e switch to tcdpump) you will see it more clearyly (as you see the source
MAC address). You see the "arp who-has XXX tell 10.100.105.251" because those
are broadcast messages, you don't see the "arp reply" that answer those
queries because those are unicast (i.e. only sent to 10.100.105.251).
That trace demonstrates that .251 and .252 are probably gateways and they are
receiving traffic for the IP addresses they are querying for since they don't
have their MAC address (ARP entries probably expired).
> When I am not ping, no ARP traffic from my machine detected.
Yes, but do you *see* ARP replies incoming to your system when you *don't*
send arp queries? ('arp who-has')
Regards
Javier
[1] After thinking about this it turns you *could* have a bridge, in a weird
setup like this:
System A - Bridge
\ |
Switch -- You
System B -/
Let's say that A is connected to port 1 of the switch, B to port 2, bridge to
port 3 and you are connected to port 4. And the switch has two VLANs, one
including 1, 2 and 3 and the other one including 3 and 4. Obviously, port 3
needs to be defined as a trunk (with VLAN tagging). But since the ethernet
card is the same for the bridge A and B would see 'You' with MAC address X
and 'You' would see A and B with MAC address X also.
The only situation that might make some sense is when you have a bridge
firewall technology (there's some closed source solutions, won't name any)
and what to behave as a bridge for a *large* number of systems with
fine-grained segmentation through VLANs.
Attachment:
signature.asc
Description: Digital signature