Ethereal-users: RE: [Ethereal-users] Win2k Machine ARPs Twice
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Mark Holloway" <mholloway@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 8 Jul 2003 00:17:13 -0700
You are right..this is what the conversation looks like:

172.16.11.57 - SEND DATA TO 172.16.11.100
172.16.11.100 - BROADCASTS AN ARP - who is 172.16.11.57?
172.16.11.100 - BROADCASTS AN ARP (again) - who is 172.16.11.57?
172.16.11.57 - REPLIES TO ARP WITH APPROPRIATE MAC ADDRESS
172.16.11.11 - THIS IS THE PIX FIREWALL; REPLIES TO SAME ARP WITH ITS OWN MAC ADDRESS
172.16.11.100 - Enters the PIX MAC address into its ARP cache but associates 172.16.11.57 as the IP.

Since I am at home I do not have a capture with me. However, 172.16.11.100 is the only server in the DMZ which ARPs twice. There are several other Win2k machines and a couple of Linux machines in the DMZ and none of them have the issue. I'm stumped.

Thanks,
Mark

-----Original Message-----
From: Visser, Martin (Sydney) [mailto:martin.visser@xxxxxx]
Sent: Mon 7/7/2003 11:49 PM
To: ethereal-users@xxxxxxxxxxxx
Cc:
Subject: RE: [Ethereal-users] Win2k Machine ARPs Twice

Mark,

From your post you say the W2K machine 172.16.11.100 ARPs twice. However, from your time-line description you only mention one ARP request broadcast from 172.16.11.100. The latter is more likely. The fact that *both* the server and the PIX respond to the (same, I think?) ARP request indicates that you have proxy ARP configured on the PIX. It also means that for some reason, due to the PIX configuration, the PIX thinks that your ARP broadcast comes from a subnet different to the one that 172.16.11.57 lives on. This is probably because you have a different subnet mask configured on the PIX from 172.16.11.100. That is, is it possible that the PIX has, say, a /26 mask for the DMZ? The fact is that the PIX should only respond to an ARP request because it believes it has a more direct path to the destination host than the source.

To clarify things a bit more you may need to post an Ethereal packet capture (or a "sanitized" PIX config (removing your passwords and public IP addresses)).

Martin Visser, CISSP
Network and Security Consultant
Technology & Infrastructure - Consulting & Integration
HP Services
3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670
Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visserAThp.com

-----Original Message-----
From: Mark Holloway [mailto:mholloway@xxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, 8 July 2003 4:11 PM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Win2k Machine ARPs Twice

Hi everyone. It's been a while since I've posted any type of strange and mysterious behavior, but here is one for all of you to help me figure out, if possible.

I have a PIX firewall with LAN, DMZ, and INTERNET interfaces assigned. It's a very straightforward implementation and in the DMZ, which is 172.16.11.0/24, there is a Windows 2000 machine that ARPs twice. The problem is the first ARP is heard by the server that's supposed to respond, and the second ARP, which is milliseconds later, is picked up by the PIX firewall and it also responds back to the machine who sent the ARP request. The machine that initiated the ARP then enters the MAC address of the PIX FIREWALL into its ARP cache ( c:\arp.exe -a ) and associates it with the server. It goes something like this:

172.16.11.57 - SEND DATA TO 172.16.11.100
172.16.11.100 - BROADCASTS AN ARP - who is 172.16.11.57?
172.16.11.57 - REPLIES TO ARP WITH APPROPRIATE MAC ADDRESS
172.16.11.11 - THIS IS THE PIX FIREWALL; REPLIES TO SAME ARP WITH ITS OWN MAC ADDRESS
SERVER 172.16.11.100 enters the PIX's MAC into its ARP cache.

I do an arp -a and it literally shows the PIX MAC for the 172.16.11.57 server and the same ARP entry for 172.16.11.11, which the PIX is truly the default gateway for every machine on the 172.16.11.0/24 network.

What's confusing is why the 172.16.11.100 machine is sending two ARPs. Another thing is why the PIX is picking up the ARP request? Is it because the 172.16.11.100 server thinks no host is responding so it forwards to the PIX, then the PIX immediately responds back? But why would 172.16.11.100 enter the PIX's MAC into its ARP cache and associate 172.16.11.57 with it unless the PIX is falsely telling him that? Or else the two ARP requests are being responded to so closely, the server 172.16.11.100 gets confused?

I appreciate any responses. I am at a loss.

Regards,
Mark

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
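As an added example that is not part of this thread (neither Mark's nor Martin's code), the script below models the ARP exchange Mark describes and checks Martin's subnet-mask hypothesis with Python's standard ipaddress module. The ARP events and MAC addresses are constructed placeholders, not a real capture; the "last reply wins" cache model and the proxy-ARP rule are simplifying assumptions that follow Martin's description rather than documented PIX or Windows 2000 behaviour.

```python
"""Model of the duplicate-ARP-reply problem from the Ethereal-users thread
(added example; constructed data, not a real capture)."""
import ipaddress
from collections import defaultdict

# Constructed ARP events modelled on the thread's timeline. The MAC addresses
# are made-up placeholders.
# Fields: (time_ms, sender_ip, sender_mac, operation, target_ip)
ARP_EVENTS = [
    (0.0, "172.16.11.100", "00:00:00:aa:aa:aa", "request", "172.16.11.57"),
    (1.5, "172.16.11.100", "00:00:00:aa:aa:aa", "request", "172.16.11.57"),
    (2.0, "172.16.11.57",  "00:00:00:bb:bb:bb", "reply",   "172.16.11.100"),
    # The PIX (172.16.11.11) answers with its own MAC but claims to be .57:
    (2.6, "172.16.11.57",  "00:00:00:cc:cc:cc", "reply",   "172.16.11.100"),
]


def count_requests(events):
    """How many ARP requests each (requester, target) pair broadcast."""
    counts = defaultdict(int)
    for _, sender_ip, _, op, target_ip in events:
        if op == "request":
            counts[(sender_ip, target_ip)] += 1
    return dict(counts)


def find_conflicting_replies(events):
    """Return {ip: {macs}} for every IP that more than one MAC claimed in a
    reply. Two MACs answering for one IP is the condition a packet analyser
    flags as a duplicate-address / ARP conflict."""
    claims = defaultdict(set)
    for _, sender_ip, sender_mac, op, _ in events:
        if op == "reply":
            claims[sender_ip].add(sender_mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def resolve_cache(events, requester):
    """Simplified model of the requester's ARP cache (assumption: the most
    recent reply for an IP overwrites the earlier one, which is what Mark's
    'arp -a' output on 172.16.11.100 suggests happened)."""
    cache = {}
    for _, sender_ip, sender_mac, op, target_ip in sorted(events):
        if op == "reply" and target_ip == requester:
            cache[sender_ip] = sender_mac
    return cache


def same_subnet(ip_a, ip_b, prefix_len):
    """True if ip_b lies inside the network that ip_a/prefix_len belongs to."""
    network = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in network


def proxy_arp_would_answer(firewall_prefix_len, requester_ip, target_ip):
    """Simplified proxy-ARP rule (assumption, following Martin's description):
    the firewall answers an ARP request only when, under ITS OWN mask, the
    target sits on a different subnet from the requester."""
    return not same_subnet(requester_ip, target_ip, firewall_prefix_len)


if __name__ == "__main__":
    print("requests:", count_requests(ARP_EVENTS))
    print("conflicting replies:", find_conflicting_replies(ARP_EVENTS))
    print("ARP cache on .100:", resolve_cache(ARP_EVENTS, "172.16.11.100"))
    for prefix in (24, 26):
        print(f"PIX with /{prefix} on the DMZ answers ARP for .57 from .100:",
              proxy_arp_would_answer(prefix, "172.16.11.100", "172.16.11.57"))
```

Running it shows the two points under discussion: the same IP (172.16.11.57) is claimed by two different MACs, and a /26 mask on the PIX puts 172.16.11.100 (in 172.16.11.64/26) and 172.16.11.57 (in 172.16.11.0/26) on different subnets, so a proxy-ARP firewall would answer, while the /24 the hosts use would not trigger it.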