On Thu, Oct 19, 2006 at 07:53:29AM +0800, Lestat V wrote: > I tried using "arp -an -i eth0" plus "arping [MAC]", and results: > dance:/home/lestat# arp -an -i eth0 > ? (10.100.105.251) at 00:07:84:52:55:3C [ether] on eth0 > ? (10.100.105.252) at 00:07:84:52:55:3D [ether] on eth0 > ? (10.100.105.250) at 00:00:0C:07:AC:00 [ether] on eth0 > ? (10.100.105.14) at 00:00:0C:07:AC:00 [ether] on eth0 > ? (10.100.105.1) at 00:00:0C:07:AC:00 [ether] on eth0 > AND > arping packets were "100% unanswered" from .1 and .14's real MAC's ( > I get them from their owners), the pecular "00:00:0C:07:AC:00", and > .251(00:07:84:52:55:3C), while did get answered from > .252(00:07:84:52:55:3D). That's strange, maybe there *is* a bridge [1] > I ping 10.100.105.1 and some other machines while "tcpdump -ni eth0 > arp", and got strange things: (...) > Look, my ARP request go to myself! While the other machine ask .251 or > .252! Why? No, you arp requests are the "arp who-has YYY tell XXX" where XXX is the one who is asking and YYY the one he is looking for, the "arp reply" are the answers (i.e. YYY answering back). If you see the etherlink level header (-e switch to tcdpump) you will see it more clearyly (as you see the source MAC address). You see the "arp who-has XXX tell 10.100.105.251" because those are broadcast messages, you don't see the "arp reply" that answer those queries because those are unicast (i.e. only sent to 10.100.105.251). That trace demonstrates that .251 and .252 are probably gateways and they are receiving traffic for the IP addresses they are querying for since they don't have their MAC address (ARP entries probably expired). > When I am not ping, no ARP traffic from my machine detected. Yes, but do you *see* ARP replies incoming to your system when you *don't* send arp queries? ('arp who-has') Regards Javier [1] After thinking about this it turns you *could* have a bridge, in a weird setup like this: System A - Bridge \ | Switch -- You System B -/ Let's say that A is connected to port 1 of the switch, B to port 2, bridge to port 3 and you are connected to port 4. And the switch has two VLANs, one including 1, 2 and 3 and the other one including 3 and 4. Obviously, port 3 needs to be defined as a trunk (with VLAN tagging). But since the ethernet card is the same for the bridge A and B would see 'You' with MAC address X and 'You' would see A and B with MAC address X also. The only situation that might make some sense is when you have a bridge firewall technology (there's some closed source solutions, won't name any) and what to behave as a bridge for a *large* number of systems with fine-grained segmentation through VLANs.
Attachment:
signature.asc
Description: Digital signature