Re: Stranges with ARP
From: Claudio Jeker (cjeker_at_diehard.n-r-g.com)
Date: 08/10/05
- Previous message: Christian Kratzer: "Re: Stack virtualization (was: running out of mbufs?)"
- In reply to: Steve Langdon: "Stranges with ARP"
- Next in thread: Jeremie Le Hen: "Re: Stranges with ARP"
- Reply: Jeremie Le Hen: "Re: Stranges with ARP"
Date: Wed, 10 Aug 2005 16:19:16 +0200
To: freebsd-net@freebsd.org
On Wed, Aug 10, 2005 at 05:07:27PM +0400, Steve Langdon wrote:
> Hello all.
>
> Help me to solve a strange conduct.
> I want to have a permanent bundle of IP->MAC for users in our network to
> have some security. So, once my user's MAC doesn't appear in my ARP
> table, I have to block his IP by `arp -S ...` with a MAC generated by my
> script with prefix d1:fa:28.
>
> One day I had a phone talk with my user; he made complaints about slow speed in the Internet. When I checked his IP I felt terrible :)
>
> tcpdump: listening on rl0
> 18:48:11.339543 213.238.62.65.80 > 192.168.57.90.1072: . 2091947455:2091948915(1460) ack 140637902 win 7441 (DF) [tos 0x60]
> ^C
> 561 packets received by filter
> 0 packets dropped by kernel
>
> Traffic comes to that user!
>
> root@router:~ % arp -a | grep -w 192.168.57.90
> ? (192.168.57.90) at d1:fa:28:ec:87:98 on rl0 permanent [ethernet]
> root@router:~ %
>
> While the user is blocked by _our_ generated MAC! Btw, could anyone advise
> me how to block a user's IP without touching ipfw (I think to use
> route + `-blackhole` for that user who has no MAC in my ARP
> table), any ideas?
>
>
> root@router:~ % arping 192.168.57.90
> ARPING 192.168.57.90
> 60 bytes from 00:00:f0:87:4b:ca (192.168.57.90): index=0 time=2.724 msec
> 60 bytes from 00:00:f0:87:4b:ca (192.168.57.90): index=1 time=9.966 msec
> ^C
> --- 192.168.57.90 statistics ---
> 2 packets transmitted, 2 packets received, 0% unanswered
> root@router:~ %
>
> His real MAC is 00:00:f0:87:4b:ca. I can't believe this could be. What's
> wrong?
> As I think, all traffic must be transmitted to d1:fa:28:ec:87:98, NOT to
> 00:00:f0:87:4b:ca, and the user's NIC must ignore that packet unless his
> interface is in PROMISC mode. Or am I wrong?
Come on, have a look at the MAC address: d1:fa:28:ec:87:98. Ja ja ja, d1.
Remember the multicast bit of 802.11? No, it's the LSB of the first octet.
So your outgoing pings are actually multicasts.
--
:wq Claudio
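Claudio's point, as an added example that is not part of the original thread: a small Python checker that decodes the I/G (group) and U/L (locally administered) flag bits in the first octet of a MAC and runs it over the two addresses from the mail. The sinkhole_mac helper is my own assumption of how a generator's prefix such as d1:fa:28 would be repaired so that the static ARP entry points at a unicast address no real NIC owns.

```python
import re

# The two addresses quoted in the thread: the script-generated "blocking" MAC
# and the host's real MAC.
GENERATED_MAC = "d1:fa:28:ec:87:98"
REAL_MAC = "00:00:f0:87:4b:ca"

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


def parse_mac(mac: str) -> bytes:
    """Parse a colon-separated MAC-48 into 6 bytes; reject anything malformed."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated 48-bit MAC: {mac!r}")
    return bytes(int(octet, 16) for octet in mac.split(":"))


def classify_mac(mac: str) -> dict:
    """Decode the flag bits of the first octet (IEEE 802 MAC-48 layout).

    Bit 0 (the LSB) is the I/G bit: 1 means a group address (multicast, or
    broadcast when all 48 bits are set). Switches flood group-addressed frames
    to every port, which is why "blocked" traffic still reached the user.
    Bit 1 is the U/L bit: 1 means locally administered, 0 means OUI-assigned.
    """
    octets = parse_mac(mac)
    return {
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
        "broadcast": octets == b"\xff" * 6,
    }


def sinkhole_mac(mac: str) -> str:
    """Return the address with the I/G bit cleared and the U/L bit set.

    Assumption: this is how one would repair a generated prefix such as
    d1:fa:28 so the static entry is unicast and marked locally administered
    (no vendor OUI collision), making it safe to use with `arp -S`.
    """
    octets = bytearray(parse_mac(mac))
    octets[0] = (octets[0] & ~0x01) | 0x02
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    for mac in (GENERATED_MAC, REAL_MAC):
        print(mac, classify_mac(mac))
    print("repaired:", sinkhole_mac(GENERATED_MAC))
```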