This is really a question concerning the behavior of ARP and not a Wireshark
question. I apologize to everyone for the misuse of the list but figured
that the readers of this list would be my best bet for getting an answer.
I have a trace captured by tcpdump on a specific interface (but displayed
with Wireshark) that shows two behaviors I do not understand.
First there are unicast ARPs to a specific IP address. The destination MAC
address of the ARP requests is that of the ARP's target host. These ARPs
appear to be sent at random times. Second, the system will sometimes switch
to using the source IP address of a different interface on the system, an
interface that is on a different subnet.
I have found some information indicating that unicast pings can be some form
of test packet. But the random times lead me to believe that that is not
the case here (I would think that a test packet would be very regular).
Also I am totally stumped as to why the source IP address would change. The
system is a Red Hat 2.6 Linux kernel.
A complete display of the trace and my questions can be found here
http://members.cox.net/ndav1/traces/strange_arps.html but here are a couple of
sample packets:
142993 19:30:20.005254 Nec_ab:cd:ef NortelNe_01:02:03 ARP Who has 10.20.1.1? Tell 10.20.1.39
144132 19:35:19.305579 Nec_ab:cd:ef NortelNe_01:02:03 ARP Who has 10.20.1.1? Tell 10.20.1.39
145323 19:40:19.286200 Nec_ab:cd:ef NortelNe_01:02:03 ARP Who has 10.20.1.1? Tell 10.20.1.39
145643 19:41:44.964578 Nec_ab:cd:ef Broadcast ARP Who has 10.20.1.1? Tell 10.26.1.39
145654 19:41:45.996555 Nec_ab:cd:ef Broadcast ARP Who has 10.20.1.1? Tell 10.26.1.39
Note that 10.20.1.1's MAC address is NortelNe_01:02:03 and it does respond
to the unicast ARPs but not to the broadcast ARPs coming from 10.26.1.39.
Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth