I know that MAC address is used for local routing and error free data transfer, but is it used regardless the transmission medium infrastructure? I know it is used for Ethernet, but is it used for fiber, copper...etc?
Also, do we use MAC address when routing traffic between two adjacent routers? If we do, does that mean we have MAC address over serial connections?
Thanks
MAC addresses are used in most IEEE 802 network technologies, like Ethernet (802.3) and Wifi (802.11), but not all technologies use them. For instance, Fibre Channel use a different and more modern address type, called World Wide Name. It's longer and can be 64-bits or 128-bits.
So, to answer your questions, a router can use MAC addresses if it forwards packets over Ethernet interfaces, regardless of the physical medium. But it could also use other technologies or even label-switching protocols like MPLS. A serial link does not have medium access control and therefore has no MAC layer.
is it used regardless the transmission medium infrastructure? I know it is used for Ethernet, but is it used for fiber, copper...etc?
You mix OSI layer 1 (transmission medium) and layer 2 (Ethernet). If we use Ethernet as our data link layer, Ethernet MAC addresses will be there regardless of transmission medium. More on that on Wikipedia:
https://en.wikipedia.org/wiki/OSI_model
do we use MAC address when routing traffic between two adjacent routers?
Yes, if the router are connected using Ethernet. Even if we use a back-to-back cable to connect two routers.
does that mean we have MAC address over serial connections?
For the most of serial connections we do not use Ethernet, but use other layer 2 protocols, like ppp, Frame-Relay or HDLC. Note, that all of those protocols use their own addressing, but it is just one or two bytes, not 6 as in the Ethernet MACs. More on those protocols on Wikipedia:
https://en.wikipedia.org/wiki/Point-to-Point_Protocol
https://en.wikipedia.org/wiki/High-Level_Data_Link_Control
https://en.wikipedia.org/wiki/Frame_Relay
Related
I would like to do a scan in a LAN network to find devices linked.
I'm developping an app in IOS for IPAD
How do I do???
Because those are mobile devices I will assume you want to find devices on a wireless network. Theoretically, since wifi uses shared medium for communication, you can passively listen for traffic flowing through the network and collect data about client without sending any packets. This is something that is commonly referred to as a promiscuous mode. In practice there is 99% chance that the network adapter driver will allow you only to get traffic destined for your MAC address. In that case you will need to resort to actively scanning the network subnet which is not 100% accurate and depending on how the network is implemented can be considered as a possible attack.
The simple way of scanning is sending ICMP requests (ping) to every IP address in the subnet and collecting data from those who send back the echo reply. This is not reliable because some hosts won't respond to ICMP echo request even if they are active. First thing you need is to find out your own IP address and the subnet mask, and calculate the range of possible addresses in your subnet. The range is obtained by using logical AND operator where operands are binary values of your IP address and subnet mask. This is an example from the program that calculates this for typical 192.168.1.1 subnet with 255.255.255.0 subnet mask (192.168.1.1/24 in CIDR notation):
Address: 192.168.1.1 11000000.10101000.00000001 .00000001
Netmask: 255.255.255.0 = 24 11111111.11111111.11111111 .00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111
Network: 192.168.1.0/24 11000000.10101000.00000001 .00000000
Broadcast: 192.168.1.255 11000000.10101000.00000001 .11111111
HostMin: 192.168.1.1 11000000.10101000.00000001 .00000001
HostMax: 192.168.1.254 11000000.10101000.00000001 .11111110
Then you would iterate through the range and ping every address. Another thing you can consider is listening for broadcast traffic such as ARP and collecting some of the information that way. I don't know what are you trying to make but you can't get many useful information this way, except for vendor of a host's network adapter.
Check my LAN Scan on Github. It does exactly what you want.
I recently used MMLANScan that was pretty good. It discovers IP, Hostname and MAC Address.
Bonjour have been around since 2002, have a look at it!
I mean, just look at their current tagline:
Bonjour, also known as zero-configuration networking, enables automatic discovery of devices and services on a local network using industry standard IP protocols. Bonjour makes it easy to discover, publish, and resolve network services with a sophisticated, yet easy-to-use, programming interface that is accessible from Cocoa, Ruby, Python, and other languages.
in my college lab all the PCs are connected via LAN by L2 switch. i want to capture the http data packets by wireshark but it is only showing the interface of my own PC. so how can i capture the packets of other PCs.
can somebody tell me working of wireshark?
It is in the nature of switches that you will only see either broadcast packets or traffic that has your MAC address as a destination, that is one of the crucial differences between a switch and a hub.
It is possible for most switches to be configured to copy traffic from one port to another, this is commonly done for monitoring purposes, but that has to be done via administrative access to the device.
You can manipulate the switch's behavior by means of ARP-Spoofing. But be cautious! Doing so might be seen as a criminal act.
So be sure that you're allowed to do so in the lab, sometimes that's OK if it serves the educational purpose. Ask your supervisor or the school's administrator.
My weapon of choice for such things is Ettercap.
A far less intrusive approach would be to use one of your own switches and configure it to forward all traffic. Then you can connect one port as an uplink to the lab's switch, one port to the device under test and one port to your machine running wireshark. (I would recommend using tcpdump for capturing, though.) If you don't have a manageable switch at hand, you can also use a router running OpenWRT.
Here is a wireshark capture of an ARP request PNG image, I contains the sender MAC inside the ARP packet. The receiving station can derive the MAC from the Ethernet frame. It seems to be redundant. Is there any particular use of separately including the sender MAC address in ARP Request too ?.
The "redundancy" was by design (RFC 826), and can be useful in targeting different layers. In RFC 3927 there's what is known as Gratuitous Address Resolution Protocol (GARP), and in certain circumstances the redundancy, or lack of, plays an important role, especially in troubleshooting and monitoring networking stacks.
Actually it's not rendunancy at all, the MAC (physical, layer 2) and IP (logical, layer 3) addresses are not the same thing. They serve different purposes on different network layers.
On large scale networks it's quite common to observe changes in the MAC/ARP/Source/Dest information, and at times can seem almost incorrect. For example, you might see a host send an ARP request with its own address as the target address. Depending on the exact situation, it might be telling us it's a link up/down event, maybe it's trying update other devices ARP tables, or possibly detecting an ip conflict and moving the ip to another NIC.
I could get into clustering, failovers — the list goes on, although I would end up writing a book trying to explain it all. Hopefully this gives you a bit of insight about the "redundancy" you were questioning. ;-)
More Info:
RFC 826 /
RFC 3927
/ Wireshark Gratuitous ARP
Although often used in conjunction with Ethernet, ARP by itself is an independent protocol. Imagine other link layer protocols that do not expose MAC addresses. ARP would not work in such circumstances if the sender field was not provided.
There is no rule that the ARP protocol field sender mac address to be same as ethernet source mac address. Eg: Its possible in few applications where multiple interfaces of same host are on network, but one only interface sends arp responses for all interfaces.
Looking at this related SO question, I can't help but wonder about the uniqueness of MAC addresses.
How unique are MAC addresses?
I'm using them to semi-uniquely identify users. I have a website that users of virtually any device (PC, Mac, iPhone, Android phone, etc.) and any OS can hit via an HTTP request. I use a combination of IP address and MAC address to identify unique users.
I assume the following cases can exist:
A device has no MAC address (unlikely, sure, but anyway)
A device has a unique MAC address
A device has multiple unique MAC addresses
Two or more devices have the same MAC address
The first three of these cases are unique (the third because I only need a single unique MAC address). For the fourth case, how likely is this?
That is: given 100 random users (perhaps Windows users for any Windows OS), how many of them can I expect to have the same MAC address? Is it just generally because of the limited length of MAC addresses? Or is it dependent on some sort of purposeful configuration change (MAC address spoofing)?
I'm okay with MAC addresses being semi-unique, I just want some clarity on how to interpret the data.
(I'm using the C# code against .NET 2.0 in the linked question against .NET 2.0.)
This is only true on the same network.
MAC addresses are resolved locally using ARP to route local packets at a hardware level. ARP is not a routable protocol and is not resolved across subnets.
If your webserver is behind a router with port mapping and all the incoming traffic to it is coming from that router, then every connection will appear to come from the MAC address of the router, you won't 'see' the MAC address of the original machine, not unless you can pick it up with a web page somehow (i'm not a web genius so don't ask me on that one, but Im guessing you'd need some heavy lifting at the client end with Java, or some other kind of active component to interrogate the local machine, easier to use a cookie)
You can find out the Public IP address of the remote machine where the outgoing NAT took place, but once again, there could be multiple device connecting from behind a router which would limit the usefulness of this method, and it means need to look into IP packets, which I have no idea how you can do that from a web server (probably can't?).
Anyway, this is what cookies are for, a way of leaving an identifier on a remote machine so you can see where traffic came from. If people don't accept cookies, unless you start getting very very creative you aren't going to be able to uniquely identify them.
(BTW Mac address are always unique (ok, you can occasionally find a reused MAC, but its extremely rare, or at least needs to be for networking to work!), thats the purpose of them, it's just not much help in this scenario if you are not on the same network)
100 random users (perhaps Windows users for any Windows OS), how many
of them can I expect to have the same MAC address?
Zero. And when they are in the same network, they could not communicate with the same MAC-Address, since Ethernet uses them to find the Computer. They are pretty unique. Producers of network cards get ranges of addresses they may assign to their products.
But: There are ways to manipulate your MAC Address, and there are scenarios where people do just that! For example when you want to enter a network, which is restricted to certain MAC-Addresses, you can manipulate your own to match one of those (if you find out, which ones are on the whitelist). Since I don't know, what your szenario is, (what you wnat to accomplish), I can not tell you if that is relevant for yout.
You just need to understand the difference between a MAC Address (that can be changed) and the identifier of your hardware [your Network Interface Controler to be precise] (that is forever assigned by its the manufacturer).
MAC address is the name of your device when it connects to the internet (through a rooter or a switch). You can change your MAC Address, but by default, this ID uses the identifier assigned by the manufacturer of the network interface controller (NIC) (e.g. your Wifi antena)
Exemple: I've changed my MAC address for my two computers using the same MAC Address: 00:01:02:03:04:06. My computers seems to be the same when connected to the same router but the identifier of their wifi antena remain unchanged and different.
I am willing to build a prototype of network appliance.
This appliance is suppose to transparently manipulate Ethernet packets. It suppose to have two network interface cards having one card connected to the outside leg (i.e. eth0) and the other to the inside leg (i.e. eth1).
In a typical network layout as in the attached image, it will be placed between the router and the LAN's switch.
My plans are to write a software that hooks at the kernel driver level and do whatever I need to do to incoming and outgoing packets.
For instance, an "outgoing" packet (at eth1) would be manipulated and passed over to the other NIC (eth0) which then should be transported over to the next hope
My questions are:
Is this doable?
Those NIC's will have no IP address, is that should be a problem?
Thanks in advance for your answers.
(And no, there is no such device yet in the market, so please, "why reinvent the wheel" style of answers are irrelevant)
typical network diagram http://img163.imageshack.us/img163/1249/stackpost.png
I'd suggest libipq, which seems to do just what you want:
Netfilter provides a mechanism for passing packets out of the stack for queueing to userspace, then receiving these packets back into the kernel with a verdict specifying what to do with the packets (such as ACCEPT or DROP). These packets may also be modified in userspace prior to reinjection back into the kernel.
Apparently, it can be done.
I am actually trying to build a prototype of it using scapy
as long as the NICs are set to promiscous mode, they catch packets on the network without the need of an IP address set on them. I know it can be done as there are a lot of companies that produce the same type of equipment (I.E: Juniper Networks, Cisco, F5, Fortinet ect.)