|
Posted by dMn on February 8, 2007, 11:19 am
If you were Registered and logged in, you could reply and use other advanced thread options
chrismc911@hotmail.com wrote:
> Can anyone confirm my thoughts that this is just a MAC announcement,
> regardless of the strange source IP address?
>
> Regards,
> Chris
>
> On Jan 21, 1:40 pm, chrismc...@hotmail.com wrote:
>> Hi,
>>
>>> In that case, the packet is probably not a request, but rather a reply,
>>> and the _destination_ IP address is 0.0.0.0. That would make sense, and
>>> it would mean that the particular machine is just distributing its MAC
>>> address into the network.the packet looks as follows:
>> Ethernet:
>> source mac 00-14-51-...
>> dest mac ff-ff-ff-ff-ff-ff
>> type 0x806
>>
>> Arp:
>> type: request
>> source ip 0.0.0.0
>> dest ip 192.168.182.22
>> source mac 00-14-51-...
>> dest mac 00-00-00-00-00-00
>>
>> So it is a valid arp request. The MAC address 00-14-51 fits on the ip
>> address 192.168.182.22 so it seemes to be an ip-mac-mapping
>> announcement from 192.168.182.22, but in an odd way.
>>
>> Regards,
>> Chris
>
The traffic fits with the traffic profile of Address Conflict Detection
identified in:
http://tools.ietf.org/html/draft-cheshire-ipv4-acd-04
Interesting is that the author of the draft is from Apple and your
seeing an Apple host doing this, I guess they liked it enough to
implement it.
dMn
| 
XML site map