Re: [SLE] ethereal
From: Darryl Gregorash (raven_at_accesscomm.ca)
Date: 04/21/05
Date: Thu, 21 Apr 2005 04:37:07 -0600
To: suse-linux-e@suse.com
Chadley Wilson wrote:
>Greetings
>
>Guys what does it mean when ethereal gives this output?
>
>time source destination protocol info
>xxx 196.25.100.21 Broadcast arp who has 196.25.100.242? tell 196.25.100.21
>
>I just put xxx in for time, it's probably not important with regard to the
>question,
>
>Does this mean someone is ARPing my 21 box?
>
ARP is "address resolution protocol". You may or may not know that
ethernet connections are between hardware or MAC addresses, not IPs.
(Run 'ifconfig', the MAC address is the stuff after HWaddr on the first
line of the output.) From this view the IP may be thought of as sort of
a standardized bookkeeping method to group things with random names in
an orderly manner. This means that a router on the other side of the
planet only needs to know part of which group you belong to (i.e. your
domain) in order to be able to route traffic to you. Otherwise, it would
need to know your MAC address -- and also the MAC addresses of all the
ethernet cards on the planet. Only your gateway plus any system you talk
to directly (called your local segment) actually need to know the MAC
address of your ethernet card -- and obviously (I hope it's obvious
anyway) it must also know the IP which matches that MAC address. This is
where ARP comes in.

What you posted above is an ARP Request -- a broadcast by 196.25.100.21
to the entire subnet, asking to be told which ethernet card (MAC
address) is using IP 196.25.100.242. If that is your IP, your system
will respond with an ARP Reply giving your MAC address. If not, the
request is just ignored. Your system also maintains similar information,
most often consisting only of your gateway. That is stored in
/proc/net/arp, and you can also print it out with 'arp -i <interface>
-a' . The arp command's output is maybe a bit more meaningful to humans
(it gives the fully qualified host as well as the IP and MAC addresses
of the ethernet cards in its neighbourhood).

If you captured everything arriving on your ethernet card, you probably
noticed that a very large part of it is ARP stuff. There is only a
limited amount of space in the ARP cache, so old stale entries that
haven't been used for awhile have to be verified and updated -- and note
any TCP packet sent from your system will update the entry the gateway
has for your system. The default update interval is usually around 20
minutes. The reason so much of everything you see is ARP traffic is the
99.9 percent of all the users connected to your gateway who leave their
systems turned off 23 hours and 59 minutes of every day, so for one
minute of the day the gateway knows what ethernet card is using those
IPs -- the rest of the time it's asking who has those IPs. Sometimes I
think this stuff is responsible for 99% of all the traffic there is, and
because of it these people eat up 99% of my bandwidth. They don't need
cable or DSL, but they have it. Another reason for ARP traffic is really
screwed up systems -- not always Windows -- that think they have to talk
directly to every IP they know about. Every time they find a system in
their local segment, whether it has ever talked directly to them or not,
they put it into their ARP cache, and leave it there -- and then try to
update the cache every 20 minutes or so.

ARP is an IPv4 thing only, because the MAC address of your ethernet card
will form part of any IPv6 address your system will have. IPv4 was
written back when most people figured 256 to the 4th power was a very
large number, and no one would ever need more IPs than that -- the guys
that asked "is this like no one will ever need more than 64KB of memory"
were laughed at or ignored. Now IPs are handed out like doctors hand out
tranquilizers, so of course there aren't enough -- hence IPv6, which in
principle will provide enough addresses for the next billion years or so
(or until they start having to duplicate MAC addresses in ethernet
cards, anyway).
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
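
The ARP Request/Reply exchange described in the message above, as an added example that is not part of the original e-mail: it decodes raw Ethernet frames into the same kind of summary line ethereal prints. The MAC addresses, the sample frames and all function names are constructed for illustration; only the two IP addresses come from the thread.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_src": mac(src), "broadcast": dst == BROADCAST, "oper": oper,
        "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa),
    }

def summarize(frame):
    """Return the capture-style info line for a request (1) or reply (2)."""
    a = parse_arp(frame)
    if a["oper"] == 1:
        return f"who has {a['target_ip']}? tell {a['sender_ip']}"
    if a["oper"] == 2:
        return f"{a['sender_ip']} is at {a['sender_mac']}"
    return f"ARP opcode {a['oper']}"

def build(dst, src, oper, sha, spa, tha, tpa):
    """Assemble a frame from its fields (used only to make the sample data)."""
    return struct.pack("!6s6sHHHBBH6s4s6s4s", dst, src, ETHERTYPE_ARP, 1, 0x0800,
                       6, 4, oper, sha, socket.inet_aton(spa), tha,
                       socket.inet_aton(tpa))

# Constructed sample data: locally administered MACs, IPs from the thread.
ASKER = bytes.fromhex("020000000021")
OWNER = bytes.fromhex("0200000000f2")
REQUEST = build(BROADCAST, ASKER, 1, ASKER, "196.25.100.21",
                b"\x00" * 6, "196.25.100.242")
REPLY = build(ASKER, OWNER, 2, OWNER, "196.25.100.242", ASKER, "196.25.100.21")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(summarize(frame))
```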