From owner-freebsd-net@FreeBSD.ORG Fri Jul 16 23:43:32 2004 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3BD6B16A4CE for ; Fri, 16 Jul 2004 23:43:32 +0000 (GMT) Received: from cow.home.mshindo.net (usen-221x245x168x210.ap-US01.usen.ad.jp [221.245.168.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 01AB743D1F for ; Fri, 16 Jul 2004 23:43:26 +0000 (GMT) (envelope-from mshindo@mshindo.net) Received: from localhost (usen-221x245x168x211.ap-US01.usen.ad.jp [221.245.168.211]) by cow.home.mshindo.net (8.12.6/8.12.6) with ESMTP id i6GNlSw9066446; Sat, 17 Jul 2004 08:47:29 +0900 (JST) (envelope-from mshindo@mshindo.net) Date: Sat, 17 Jul 2004 08:43:23 +0900 (JST) Message-Id: <20040717.084323.35011909.mshindo@mshindo.net> To: blacksir@number.ru From: Motonori Shindo In-Reply-To: References: X-Mailer: Mew version 4.0.65 on Emacs 21.2 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org Subject: Re: strange MACs in tcpdump output X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Jul 2004 23:43:32 -0000 Alexander, Most implementations fill target hardware address (which I will refer to as 'THA' hereafter) with zero in ARP Request, so tcpdump omits to print it out in that case. If THA is not filled with zero, tcpdump prints it out with braces as you just saw. I don't know what OS of what version you are seeing this with, but it may be FreeBSD 5.0. If my memory serves me right, FreeBSD 5.0 didn't explicitly fill the THA with zero, so what will be seen in THA field is dependent on memory at that time. In theory, THA doesn't matter in ARP Request, but there are some implementations that do care about it (i.e. it doesn't respond to ARP Request if THA is not all-zero). FreeBSD 5.1 fixed this problem and now fills THA with all-zero in ARP Request. Regards, From: "Alexander Vasenin aka BlackSir" Subject: strange MACs in tcpdump output Date: Fri, 16 Jul 2004 21:11:56 +0400 > What is the strange MACs in braces in the following output, and why on some lines it exist while on others - is not. I've checked tcpdump(8) and arp(4) and found nothing about this... > > [root@*] tcpdump -envvvi fxp2 arp and not ether host 0:60:b0:3c:92:86 > tcpdump: listening on fxp2 > 19:53:38.727058 0:5:5d:25:ce:3e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.254.1 (fe:1:0:0:cc:88) tell 192.168.254.253 > ^^^source ^^^target ^^^??? > Real MAC of 192.168.254.1 is 0:60:b0:3c:92:86 > > 19:54:01.544218 0:20:ed:85:6a:5c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.198.1 tell 192.168.198.25 > > 19:54:02.181343 0:d0:b7:a9:a4:3a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.198.1 tell 192.168.198.11 > > 19:54:18.503453 0:c0:49:cc:c1:2 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.208.65 (0:60:b0:3c:92:86) tell 192.168.208.75 > Real MAC of 192.168.208.65 is 0:60:b0:3c:92:86 > > 20:10:25.121986 0:5:5d:ed:6d:68 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.254.1 (5d:ed:6d:68:c0:a8) tell 192.168.254.252 > ^^^??? > What is it? MAC in braces is like src MAC 'shifted' by 16bits??? > > Alexander Vasenin aka BlackSir