Re: [Ethereal-users] arp packet shows odd info

[Guy Harris <guy@xxxxxxxxxx>]

On Sun, Feb 09, 2003 at 01:52:43PM -0800, Guy Harris wrote:
> I.e., it says that 00:00:00:00:00:00 corresponds to
> "monitoring.centuryc.net"?
> 
> Is there an ARP packet in your capture that requests the MAC address of
> "monitoring.centuryc.net" (regardless of whether that's on the net on
> which you're capturing or not)?  If so, the ARP packet probably has its
> IP address as the target IP address, and 00:00:00:00:00:00 as the target
> MAC address, which can cause the ARP code to bogusly tell the Ethereal
> name resolution code that 00:00:00:00:00:00 is the MAC address for the
> host "monitoring.centuryc.net".

That's probably what happened.  I could reproduce that problem with a
capture here; I've just now checked in a change to:

	not tell the resolver code that a given MAC address corresponds
	to a given IP address if:

		the MAC address is non-unicast, not just if it's broadcast;

		the MAC address is all zeroes;

		the IP address is all zeroes.

as well as to tell the resolver code that the target MAC address corresponds to
the target IP address in ARP replies, as long as none of the above are
true (replies are the packets most likely to contain interesting target
address information).  That change should appear in the next release.