Re: [SLE] ethereal
From: Chadley Wilson (chadley_at_pinteq.co.za)
Date: 04/21/05
- Previous message: Chadley Wilson: "Re: [SLE] ethereal"
- In reply to: Darryl Gregorash: "Re: [SLE] ethereal"
- Next in thread: Susemail: "Re: [SLE] ethereal"
- Reply: Susemail: "Re: [SLE] ethereal"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: suse-linux-e@suse.com
Date: Thu, 21 Apr 2005 22:55:01 +0200
On Thursday 21 April 2005 12:37, Darryl Gregorash wrote:
> Chadley Wilson wrote:
> >Greetings
> >
> >Guys what does it mean when ethereal gives this output?
> >
> >time source destination protocol info
> >xxx 196.25.100.21 Broadcast arp who has 196.25.100.242? tell 196.25.100.21
> >
> >I just put xxx in for time, it's probably not important with regard to the
> >question,
> >
> >Does this mean someone is ARPing my 21 box?
>
> ARP is "address resolution protocol". You may or may not know that
> ethernet connections are between hardware or MAC addresses, not IPs.
> (Run 'ifconfig', the MAC address is the stuff after HWaddr on the first
> line of the output.) From this view the IP may be thought of as sort of
> a standardized bookkeeping method to group things with random names in
> an orderly manner. This means that a router on the other side of the
> planet only needs to know part of which group you belong to (ie. your
> domain) in order to be able to route traffic to you. Otherwise, it would
> need to know your MAC address -- and also the MAC addresses of all the
> ethernet cards on the planet. Only your gateway plus any system you talk
> to directly (called your local segment) actually need to know the MAC
> address of your ethernet card -- and obviously (I hope it's obvious
> anyway) it must also know the IP which matches that MAC address. This is
> where ARP comes in.
>
> What you posted above is an ARP Request -- a broadcast by 196.25.100.21
> to the entire subnet, asking to be told which ethernet card (MAC
> address) is using IP 196.25.100.242. If that is your IP, your system
> will respond with an ARP Reply giving your MAC address. If not, the
> request is just ignored. Your system also maintains similar information,
> most often consisting only of your gateway. That is stored in
> /proc/net/arp, and you can also print it out with 'arp -i <interface>
> -a' . The arp command's output is maybe a bit more meaningful to humans
> (it gives the fully qualified host as well as the IP and MAC addresses
> of the ethernet cards in its neighbourhood).
>
> If you captured everything arriving on your ethernet card, you probably
> noticed that a very large part of it is ARP stuff. There is only a
> limited amount of space in the ARP cache, so old stale entries that
> haven't been used for awhile have to be verified and updated -- and note
> any TCP packet sent from your system will update the entry the gateway
> has for your system. The default update interval is usually around 20
> minutes. The reason so much of everything you see is ARP traffic is the
> 99.9 percent of all the users connected to your gateway who leave their
> systems turned off 23 hours and 59 minutes of every day, so for one
> minute of the day the gateway knows what ethernet card is using those
> IPs -- the rest of the time it's asking who has those IPs. Sometimes I
> think this stuff is responsible for 99% of all the traffic there is, and
> because of it these people eat up 99% of my bandwidth. They don't need
> cable or DSL, but they have it. Another reason for ARP traffic is really
> screwed up systems -- not always Windows -- that think they have to talk
> directly to every IP they know about. Every time they find a system in
> their local segment, whether it has ever talked directly to them or not,
> they put it into their ARP cache, and leave it there -- and then try to
> update the cache every 20 minutes or so.
>
> ARP is an IPv4 thing only, because the MAC address of your ethernet card
> will form part of any IPv6 address your system will have. IPv4 was
> written back when most people figured 256 to the 4th power was a very
> large number, and no one would ever need more IPs than that -- the guys
> that asked "is this like no one will ever need more than 64KB of memory"
> were laughed at or ignored. Now IPs are handed out like doctors hand out
> tranquilizers, so of course there aren't enough -- hence IPv6, which in
> principle will provide enough addresses for the next billion years or so
> (or until they start having to duplicate MAC addresses in ethernet
> cards, anyway).
Thanks Darryl, that's a very good explanation, I will save it for future
reference, :)
--
Chadley Wilson
Redhat Certified Technician
Cert Number: 603004708291270
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================
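
Added example, not part of the original messages: a small decoder for Ethernet/IPv4 ARP frames that produces the same source / destination / info columns as the capture line quoted above, for both the request and the reply described in the thread. The MAC addresses and helper names (`describe_arp`, `build_arp`) are constructed for illustration; only the two IP addresses come from the thread.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac(raw):
    """Format 6 raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)

def describe_arp(frame):
    """Return (source, destination, info) for one Ethernet/IPv4 ARP frame."""
    if len(frame) < 14 + 28:                      # Ethernet header + ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender_ip, target_ip = socket.inet_ntoa(spa), socket.inet_ntoa(tpa)
    destination = "Broadcast" if dst == BROADCAST else mac(dst)
    if oper == 1:                                 # request: sender asks for target
        info = f"Who has {target_ip}? Tell {sender_ip}"
    elif oper == 2:                               # reply: sender announces its MAC
        info = f"{sender_ip} is at {mac(sha)}"
    else:
        info = f"ARP opcode {oper}"
    return sender_ip, destination, info

def build_arp(oper, sha, spa, tha, tpa, eth_dst):
    """Build a constructed sample frame (test input only, never sent)."""
    eth = struct.pack("!6s6sH", eth_dst, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp

# Constructed samples: MACs are made up, IPs are the ones in the thread.
MAC_21 = bytes.fromhex("020000000021")
MAC_242 = bytes.fromhex("020000000242")
REQUEST = build_arp(1, MAC_21, "196.25.100.21", b"\x00" * 6,
                    "196.25.100.242", BROADCAST)
REPLY = build_arp(2, MAC_242, "196.25.100.242", MAC_21,
                  "196.25.100.21", MAC_21)

if __name__ == "__main__":
    for sample in (REQUEST, REPLY):
        print(*describe_arp(sample), sep="  ")
```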