I used Wireshark to capture frames from ARP request and reply and I've noticed that the first frame shows my MAC address as "Src" and "Sender MAC address". Why is there a need to state my MAC adress twice?
As long as I understand, you see your MAC address twice, once in the Data-link layer (as a source MAC) and once in the actual ARP request (as a Sender MAC Address).
The first thing you need to understand is that these are two separate protocols, so it can be the case that the same data is transferred twice. This is because in some edge cases, the MAC address of the packet can change. In this case, if the ARP did not have a MAC address inside the request, the PC that responds will not know to whom it is responding.
So, in short, let the MAC layer take care of the "navigation" and the ARP to take care of the "diplomacy", even if this might result in some duplicate information.
Related
My requirement is create to Ethernet-IP-Payload with DPDK Mbuf. DPDK application is running on on virtual machine, the packet generation function invokes the API (attached in second image). I send the packet through DPDK interface and capture on my host system (W10).
Wireshark, can not understand the ethernet protocol as IP.Is there something wrong?
enter image description here
enter image description here
a couple of things you can correct in your DPDK code.
Network packets are big-endian, I assume you are running the Guest OS on x86. If this is true please make sure correct the endianness.
DPDK API rte_pktmbuf_mtod gets you the start of packet. Please fill the ethernet header first, then move 14 bytes ie struct rte_eth_hdr to typecast to IP and fill the data.
in IP field, the checksum filed is set as 0. Please cross-check if you are enabling IP-CHECKSUM offload in port_init.
All fields in IP has to follow BIG endian format too.
There is also a port filed in mbuf. With rte_mbuf_alloc it will be 0, but for sending to another port it should be the right value.
Wireshark observations
Byte 13 and 14 is 0xa50. This looks like your intended payload is overwritten
Byte 1 is 0x45 which clearly shows, you are writing IP header content first instead of ethernet. Please use step 2 from DPDK fixes.
On a local network I'm sending a WOL (Wake-On-LAN) packet using sendto to the target MAC address. The code for that works without any problems and the target machine is turned on correctly. The problem is, that I don't know if the target machine has a LAN cable attached or not. If it's not attached, then the whole process fails. Unfortunately, sendto is unidirectional, so I don't know if my magic packet arrived.
I'm wondering about the best and fastest way to find out if WOL succeeded or not. Waiting for the device to boot up completely so I find out get and ping its IP address takes way too long.
Is there a way to "ping" a MAC address, i.e. get some sort of Layer-2-reply?
I need this solution for a Delphi application, but if you have a solution for a different language at hand you're welcome to post that as well. Thank you!
Here is a wireshark capture of an ARP request PNG image, I contains the sender MAC inside the ARP packet. The receiving station can derive the MAC from the Ethernet frame. It seems to be redundant. Is there any particular use of separately including the sender MAC address in ARP Request too ?.
The "redundancy" was by design (RFC 826), and can be useful in targeting different layers. In RFC 3927 there's what is known as Gratuitous Address Resolution Protocol (GARP), and in certain circumstances the redundancy, or lack of, plays an important role, especially in troubleshooting and monitoring networking stacks.
Actually it's not rendunancy at all, the MAC (physical, layer 2) and IP (logical, layer 3) addresses are not the same thing. They serve different purposes on different network layers.
On large scale networks it's quite common to observe changes in the MAC/ARP/Source/Dest information, and at times can seem almost incorrect. For example, you might see a host send an ARP request with its own address as the target address. Depending on the exact situation, it might be telling us it's a link up/down event, maybe it's trying update other devices ARP tables, or possibly detecting an ip conflict and moving the ip to another NIC.
I could get into clustering, failovers — the list goes on, although I would end up writing a book trying to explain it all. Hopefully this gives you a bit of insight about the "redundancy" you were questioning. ;-)
More Info:
RFC 826 /
RFC 3927
/ Wireshark Gratuitous ARP
Although often used in conjunction with Ethernet, ARP by itself is an independent protocol. Imagine other link layer protocols that do not expose MAC addresses. ARP would not work in such circumstances if the sender field was not provided.
There is no rule that the ARP protocol field sender mac address to be same as ethernet source mac address. Eg: Its possible in few applications where multiple interfaces of same host are on network, but one only interface sends arp responses for all interfaces.
Looking at this related SO question, I can't help but wonder about the uniqueness of MAC addresses.
How unique are MAC addresses?
I'm using them to semi-uniquely identify users. I have a website that users of virtually any device (PC, Mac, iPhone, Android phone, etc.) and any OS can hit via an HTTP request. I use a combination of IP address and MAC address to identify unique users.
I assume the following cases can exist:
A device has no MAC address (unlikely, sure, but anyway)
A device has a unique MAC address
A device has multiple unique MAC addresses
Two or more devices have the same MAC address
The first three of these cases are unique (the third because I only need a single unique MAC address). For the fourth case, how likely is this?
That is: given 100 random users (perhaps Windows users for any Windows OS), how many of them can I expect to have the same MAC address? Is it just generally because of the limited length of MAC addresses? Or is it dependent on some sort of purposeful configuration change (MAC address spoofing)?
I'm okay with MAC addresses being semi-unique, I just want some clarity on how to interpret the data.
(I'm using the C# code against .NET 2.0 in the linked question against .NET 2.0.)
This is only true on the same network.
MAC addresses are resolved locally using ARP to route local packets at a hardware level. ARP is not a routable protocol and is not resolved across subnets.
If your webserver is behind a router with port mapping and all the incoming traffic to it is coming from that router, then every connection will appear to come from the MAC address of the router, you won't 'see' the MAC address of the original machine, not unless you can pick it up with a web page somehow (i'm not a web genius so don't ask me on that one, but Im guessing you'd need some heavy lifting at the client end with Java, or some other kind of active component to interrogate the local machine, easier to use a cookie)
You can find out the Public IP address of the remote machine where the outgoing NAT took place, but once again, there could be multiple device connecting from behind a router which would limit the usefulness of this method, and it means need to look into IP packets, which I have no idea how you can do that from a web server (probably can't?).
Anyway, this is what cookies are for, a way of leaving an identifier on a remote machine so you can see where traffic came from. If people don't accept cookies, unless you start getting very very creative you aren't going to be able to uniquely identify them.
(BTW Mac address are always unique (ok, you can occasionally find a reused MAC, but its extremely rare, or at least needs to be for networking to work!), thats the purpose of them, it's just not much help in this scenario if you are not on the same network)
100 random users (perhaps Windows users for any Windows OS), how many
of them can I expect to have the same MAC address?
Zero. And when they are in the same network, they could not communicate with the same MAC-Address, since Ethernet uses them to find the Computer. They are pretty unique. Producers of network cards get ranges of addresses they may assign to their products.
But: There are ways to manipulate your MAC Address, and there are scenarios where people do just that! For example when you want to enter a network, which is restricted to certain MAC-Addresses, you can manipulate your own to match one of those (if you find out, which ones are on the whitelist). Since I don't know, what your szenario is, (what you wnat to accomplish), I can not tell you if that is relevant for yout.
You just need to understand the difference between a MAC Address (that can be changed) and the identifier of your hardware [your Network Interface Controler to be precise] (that is forever assigned by its the manufacturer).
MAC address is the name of your device when it connects to the internet (through a rooter or a switch). You can change your MAC Address, but by default, this ID uses the identifier assigned by the manufacturer of the network interface controller (NIC) (e.g. your Wifi antena)
Exemple: I've changed my MAC address for my two computers using the same MAC Address: 00:01:02:03:04:06. My computers seems to be the same when connected to the same router but the identifier of their wifi antena remain unchanged and different.
While using the default (blocking) behavior on an UDP socket, in which case will a call to sendto() block? I'm interested essentially in the Linux behavior.
For TCP I understand that congestion control makes the send() call blocking if the sending window is full, but what about UDP? Does it even block sometimes or just let packets getting discarded at lower layers?
This can happen if you filled up your socket buffer, but it is highly operating system dependent. Since UDP does not provide any guarantee your operating system can decide to do whatever it wants when your socket buffer is full: block or drop. You can try to increase SO_SNDBUF for temporary relief.
This can even depend on the fine tuning of your system, for instance it can also depend on the size of the TX ring in the driver of your network interface. There are a few discussions about this in the iperf mailing list, but you really want to discuss this with the developers of your operating system. Pay special attention to O_NONBLOCK and EAGAIN / EWOULDBLOCK.
This may be because your operating system is attempting to perform an ARP request in order to get the hardware address of the remote host.
Basically whenever a packet goes out, the header requires the IP address of the remote host and the MAC address of the remote host (or the first gateway to reach it). 192.168.1.34 and AB:32:24:64:F3:21.
Your "block" behavior could be that ARP is working.
I've heard in older versions of Windows (2k I think), that the 1st packet would sometimes get discarded if the request is taking too long and you're sending out too much data. A service pack probably fixed that since then.