Ethereal

Re: [Ethereal-users] Wierdness in CablemodemLand?
Google
 
Web Ethereal.com

Home | Introduction | Documentation | Lists | FAQ | Development | Wiki | Bugs

Main Index | Thread Index | Mailing Lists | | Date Prev | Date Next | Thread Prev | Thread Next

Ethereal-users: April 2002

 

On Mon, Apr 22, 2002 at 02:03:56AM -0700, Guy Harris wrote:
> so yes, indeed, 24.127.52.1 is 00:b0:8e:f7:3c:54.
> 
> So this is *very* odd - some piece of hardware on AT&T Broadband's
> network is acting as an odd sort of bridge.

Well, according to Ethereal's "manuf" file, 00:b0:8e belongs to Cisco,
so it's a piece of Cisco hardware - perhaps one of their "Universal
Broadband Router" boxes:

	http://www.cisco.com/warp/public/44/jump/cable.shtml

I suspect it's a machine that acts sort of like a router and sort of
like a switch, and that:

	all packets sent out by users attached to cable modems on your
	network segment get sent to that machine, regardless of the
	destination MAC address of the packet;

	if the packet is for another machine on your network segment,
	then:

		if the machine has the MAC address for that machine,
		it'll re-transmit the packet to that machine - but with
		the MAC address of the machine as the source MAC
		address;

		if the machine doesn't have the MAC address for that
		machine, it'll ARP for it and:

			if it gets the MAC address, it'll send it as
			described above;

			if it doesn't get the MAC address (times out),
			then, if the packet is an IP packet, it'll send
			a Host Unreachable ICMP packet to the sending
			host, with the *sender's* IP address as the
			source address (otherwise, it might just drop
			the packet on the floor);

	and that forwarding process is, at least for IP packets, treated
	as *routing*, not switching, so that it'll decrement the IP TTL
	of the packet and send out an ICMP message if the TTL drops to
	0, with the *router's* IP address as the source address;

If that's the behavior, this would mean that:

	if you ARP for another machine, the ARP reply will have the
	*router's* MAC address as the source MAC address in the Ethernet
	header;

	if you send a packet to a machine on your network segment and
	that machine isn't up, you'll get back an ICMP Host Unreachable
	message that looks as if it came from yourself (so "traceroute"
	will report *your* machine as the first and only network hop);

	if you send a packet to a machine on your network segment and
	the machine *is* up, *but* the TTL in the packet is 1, you'll
	get back an ICMP time-to-live exceeded message that looks as if
	it came from the *route* (so "traceroute" will report the
	*router* as the first network hop);

	if you send a packet to a machine on your network segment and
	the machine is up, and the TTL in the packet is > 1, the packet
	will be routed (so "traceroute" will report whatever machine
	next returns an ICMP message as the next network hop).

If that's the machine's behavior, I have no idea why that's the
behavior.

Powered by MHonArc 2.6.10

Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions), please send email to ethereal-web[AT]ethereal.com.
Last modified: Fri, November 10 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.