From: bod43 on 26 Apr 2010 04:44

On 26 Apr, 09:04, Rob <nom...(a)example.com> wrote:
> JF Mezei <jfmezei.spam...(a)vaxination.ca> wrote:
> > Note:
> >
> > A host typically creates a temporary entry in the ARP cache, sends the
> > ARP request (broadcast) and when/if a reply is received, it then updates
> > the record in the arp cache with the received ethernet address.
>
> That is what I said, but he does not believe it.

Here is an idea.

"I can ping the broadcast address, and only this IP
comes into the ARP table. "

ca-santa-barbara-router#sh arp | i 70.169.191
Internet 71.169.191.209 0 Incomplete ARPA
Internet 71.169.191.218 - 0018.731f.407d ARPA Ethernet1

The broadcast ping from 218 just goes out with no ARPing.
In order to reply (with a unicast) the "target" host must
ARP for the ping sender 71.169.191.218.

The router receives the ARP request from 209:-
It replies to it and also does gratuitous ARP or ARP
snooping processing creating the Incomplete entry. For
some reason the entry cannot be completed. Perhaps
after the snooping or gratuiting:) the router does a real arp
to complete the process and the 209 host does not reply.

I am not sure of the details of gratuitous arp or snooping
so I am not sure as to the plausibility of this hypothesis.

Have you checked that you do not have a subnet mask
mismatch? Well, looking at the addresses I don't
suppose that is possible without a discontiguous mask
which is no longer permitted. Worth a check anyway.

Otherwise, maybe the ARP entry is nothing to do with
your ping and the 209 host is sending some other traffic.
Windows hosts for example are very chatty.

To investigate further you could try:-
- Packet capture with some external device
  say with wireshark - hub or SPAN port needed.
- debug arp
- If you have very recent IOS, packet capture on router.
- Packet capture on target (209).
- Check you have no ACLs that could block the ARP.

You might post the router config.

By the way, most people mangle IP addresses
in usenet messages so as to preclude identification.
e.g. change the first octet. Maybe you did that already:?)

From: crzzy1 on 26 Apr 2010 08:26

On Apr 26, 4:04 am, Rob <nom...(a)example.com> wrote:
> JF Mezei <jfmezei.spam...(a)vaxination.ca> wrote:
> > Note:
> >
> > A host typically creates a temporary entry in the ARP cache, sends the
> > ARP request (broadcast) and when/if a reply is received, it then updates
> > the record in the arp cache with the received ethernet address.
>
> That is what I said, but he does not believe it.

Thanks for the reply.
So are you saying that I am getting an arp reply that doesn't have a MAC address in it?
I ask this because I am only getting an IP and not an "ethernet address" that you assert that I am getting in your answer.
My question is how does it get a reply with only an IP and no MAC?
Or if there is no reply, then how does it know that only that single host out of 254 possibilities is out there?

Thanks,
CJ

From: crzzy1 on 26 Apr 2010 08:32

On Apr 26, 4:44 am, bod43 <Bo...(a)hotmail.co.uk> wrote:
> On 26 Apr, 09:04, Rob <nom...(a)example.com> wrote:
>
> > JF Mezei <jfmezei.spam...(a)vaxination.ca> wrote:
> > > Note:
> > >
> > > A host typically creates a temporary entry in the ARP cache, sends the
> > > ARP request (broadcast) and when/if a reply is received, it then updates
> > > the record in the arp cache with the received ethernet address.
> >
> > That is what I said, but he does not believe it.
>
> Here is an idea.
>
> "I can ping the broadcast address, and only this IP
> comes into the ARP table. "
>
> ca-santa-barbara-router#sh arp | i 70.169.191
> Internet 71.169.191.209 0 Incomplete ARPA
> Internet 71.169.191.218 - 0018.731f.407d ARPA
> Ethernet1
>
> The broadcast ping from 218 just goes out with no ARPing.
> In order to reply (with a unicast) the "target" host must
> ARP for the ping sender 71.169.191.218.
>
> The router receives the ARP request from 209:-
> It replies to it and also does gratuitous ARP or ARP
> snooping processing creating the Incomplete entry. For
> some reason the entry cannot be completed. Perhaps
> after the snooping or gratuiting:) the router does a real arp
> to complete the process and the 209 host does not reply.
>
> I am not sure of the details of gratuitous arp or snooping
> so I am not sure as to the plausibility of this hypothesis.
>
> Have you checked that you do not have a subnet mask
> mismatch? Well, looking at the addresses I don't
> suppose that is possible without a discontiguous mask
> which is no longer permitted. Worth a check anyway.
>
> Otherwise, maybe the ARP entry is nothing to do with
> your ping and the 209 host is sending some other traffic.
> Windows hosts for example are very chatty.
>
> To investigate further you could try:-
> - Packet capture with some external device
> say with wireshark - hub or SPAN port needed.
> - debug arp
> - If you have very recent IOS, packet capture on router.
> - Packet capture on target (209).
> - Check you have no ACLs that could block the ARP.
>
> You might post the router config.
>
> By the way, most people mangle IP addresses
> in usenet messages so as to preclude identification.
> e.g change the first octet. Maybe you did that already:?)

Thank you for your well worded response.
I did mangle my IP like you mentioned, yes it would be a breach of protocol not to.
I think you are correct in your assertion of the gratuitous arp.
This issue was fixed by having the customer concentrate on his routing on his host side.
(I have no visibility into his side, so I couldn't use wireshark, but I would like to try the packet capture on the router side next time one of these crops up.)
Again though, a really excellent answer.

Thanks,
Crzzy1

From: Rob on 26 Apr 2010 09:02

crzzy1 <cozzmo1(a)hotmail.com> wrote:
> On Apr 26, 4:04 am, Rob <nom...(a)example.com> wrote:
>> JF Mezei <jfmezei.spam...(a)vaxination.ca> wrote:
>> > Note:
>>
>> > A host typically creates a temporary entry in the ARP cache, sends the
>> > ARP request (broadcast) and when/if a reply is received, it then updates
>> > the record in the arp cache with the received ethernet address.
>>
>> That is what I said, but he does not believe it.
>
> Thanks for the reply.
> So are you saying that I am getting an arp reply that doesn't have a
> MAC address in it?

No, I think you are getting no ARP reply at all.

> I ask this because I am only getting an IP and not an "ethernet
> address" that you assert that I am getting in your answer.

The "incomplete" entry with only IP in it is created when the router
wants to send something to that IP. The system does not need to exist
for that.

> My question is how does it get a reply with only an IP and no MAC?

I think it doesn't.

> Or if there is no reply, then how does it know that only that single
> host out of 254 possibilities is out there?

Maybe it has heard traffic from that address.

From: JF Mezei on 26 Apr 2010 09:07

crzzy1 wrote:
> So are you saying that I am getting an arp reply that doesn't have a
> MAC address in it?

Typically the reverse. It means you have sent an Arp request, but not gotten any response. "Will IP address X please stand up and reply to me with their ethernet address?" BUT, nobody responded.

If this is on a cisco box, you can:

clear arp <ip address>

This will remove the incomplete arp entry. You can show arp to confirm.

You can then try to ping that host and you will either get an incomplete arp entry or a completed one. (Instead of "ping" you can telnet or any other IP level command that would try to send an IP packet to that host.)

If 10.0.0.2 sends an ARP to ask about 10.0.0.13, then 10.0.0.13 will implicitly know 10.0.0.2's ethernet address and add that record to its arp table (allowing it to reply to 10.0.0.2's requests from now on).

10.0.0.13 will then send a response to 10.0.0.2, and 10.0.0.2 will then get the ethernet address corresponding to 10.0.0.13 and complete the incomplete arp entry.

Note that you could theoretically have a misbehaving machine on your LAN which uses a blank or otherwise invalid ethernet address so that when it responds to arp requests, the responses are considered illegal and not added to the arp tables (leaving those incomplete entries).

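
The ARP exchange described in the post above, modelled as a small simulation. This is an added example, not part of the original thread and not router code; the `Host` class, the MAC addresses, the extra hosts 10.0.0.20, 10.0.0.30 and 10.0.0.99, and the rule that a reply carrying a blank or broadcast MAC is discarded are assumptions made for illustration.

```python
# Added illustration: a toy model of ARP cache behaviour, not router code.
BROADCAST = "ffff.ffff.ffff"
INVALID_MACS = {"0000.0000.0000", BROADCAST}  # assumption: treated as unusable


class Host:
    def __init__(self, ip, mac, answers_arp=True):
        self.ip, self.mac, self.answers_arp = ip, mac, answers_arp
        self.arp = {}  # ip -> MAC string, or None for an "Incomplete" entry

    def on_request(self, sender_ip, sender_mac, target_ip):
        """Handle a broadcast ARP request seen on the wire."""
        if target_ip != self.ip or not self.answers_arp:
            return None
        # The target learns the requester's address from the request itself.
        self.arp[sender_ip] = sender_mac
        return (self.ip, self.mac)  # unicast ARP reply

    def resolve(self, target_ip, lan):
        """Send an ARP request for target_ip; return the resulting cache state."""
        self.arp[target_ip] = None  # placeholder entry created before any reply
        for other in lan:
            if other is self:
                continue
            reply = other.on_request(self.ip, self.mac, target_ip)
            if reply and reply[1] not in INVALID_MACS:
                self.arp[target_ip] = reply[1]  # a valid reply completes the entry
        return self.arp[target_ip] or "Incomplete"


def demo():
    # Constructed MACs; 10.0.0.2 and 10.0.0.13 are the hosts named in the post.
    a = Host("10.0.0.2", "0000.5e00.5302")
    b = Host("10.0.0.13", "0000.5e00.530d")
    silent = Host("10.0.0.20", "0000.5e00.5314", answers_arp=False)
    bad = Host("10.0.0.30", "0000.0000.0000")  # replies with a blank MAC
    lan = [a, b, silent, bad]
    return {
        "answered": a.resolve("10.0.0.13", lan),
        "target_learned": b.arp.get("10.0.0.2"),
        "no_reply": a.resolve("10.0.0.20", lan),
        "absent_host": a.resolve("10.0.0.99", lan),
        "blank_mac": a.resolve("10.0.0.30", lan),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:15} {state}")
```

The last three cases all leave the same "Incomplete" entry on the requester, which is why the cache alone cannot tell a silent host, an absent host and a rejected reply apart; a packet capture is needed to distinguish them.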