Re: strange MACs in tcpdump output

From: Motonori Shindo (mshindo_at_mshindo.net)
Date: 07/17/04

  • Next message: Marian Durkovic: "Driver bge - broken jumbo frame support" 
    Date: Sat, 17 Jul 2004 08:43:23 +0900 (JST)
To: blacksir@number.ru

    Alexander,

    Most implementations fill target hardware address (which I will refer
    to as 'THA' hereafter) with zero in ARP Request, so tcpdump omits to
    print it out in that case. If THA is not filled with zero, tcpdump
    prints it out with braces as you just saw.

    I don't know what OS of what version you are seeing this with, but it
    may be FreeBSD 5.0. If my memory serves me right, FreeBSD 5.0 didn't
    explicitly fill the THA with zero, so what will be seen in THA field
    is dependent on memory at that time.

    In theory, THA doesn't matter in ARP Request, but there are some
    implementations that do care about it (i.e. it doesn't respond to ARP
    Request if THA is not all-zero). FreeBSD 5.1 fixed this problem and
    now fills THA with all-zero in ARP Request.

    Regards,

    From: "Alexander Vasenin aka BlackSir" <blacksir@number.ru>
    Subject: strange MACs in tcpdump output
    Date: Fri, 16 Jul 2004 21:11:56 +0400

    > What is the strange MACs in braces in the following output, and why on some lines it exist while on others - is not. I've checked tcpdump(8) and arp(4) and found nothing about this...
    >
    > [root@*] tcpdump -envvvi fxp2 arp and not ether host 0:60:b0:3c:92:86
    > tcpdump: listening on fxp2
    > 19:53:38.727058 0:5:5d:25:ce:3e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.254.1 (fe:1:0:0:cc:88) tell 192.168.254.253
    > ^^^source ^^^target ^^^???
    > Real MAC of 192.168.254.1 is 0:60:b0:3c:92:86
    >
    > 19:54:01.544218 0:20:ed:85:6a:5c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.198.1 tell 192.168.198.25
    >
    > 19:54:02.181343 0:d0:b7:a9:a4:3a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.198.1 tell 192.168.198.11
    >
    > 19:54:18.503453 0:c0:49:cc:c1:2 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.208.65 (0:60:b0:3c:92:86) tell 192.168.208.75
    > Real MAC of 192.168.208.65 is 0:60:b0:3c:92:86
    >
    > 20:10:25.121986 0:5:5d:ed:6d:68 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.254.1 (5d:ed:6d:68:c0:a8) tell 192.168.254.252
    > ^^^???
    > What is it? MAC in braces is like src MAC 'shifted' by 16bits???
    >
    > Alexander Vasenin aka BlackSir
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

  • Next message: Marian Durkovic: "Driver bge - broken jumbo frame support"