
Ethereal-dev: [Ethereal-dev] ARP Source IP address incorrect

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: James Busse <jimbusse2003@xxxxxxxxx>
Date: Thu, 25 Mar 2004 14:32:01 -0800 (PST)

The Ethereal software is excellent, and I very much appreciate
the efforts of all the developers.
 
I installed ethereal and began using it.  I found it intuitive,
easily used, and understandable.  There was one ARP source address
issue that confused me, and I searched the google groups looking for
anyone else that was confused.  I didn't discover anything
detailing this issue, but did find some confusion perhaps relating to
this ARP source address issue.
 
When an ARP request is issued by a client, the middle and top windows
can identify the source IP address incorrectly.  The lower
window shows the packet capture is correct with the IP address
correctly captured.  Here's the duplication procedure:
 
Network definition:  1 Win98SE Client computer, one Win2K packet capture
computer and one DHCP server.

1.  Set the client computer to fixed IP, and boot the client computer
    onto the network.  Check the IP address to be sure.
2.  Power-down the client.
3.  Start Ethereal capture on the packet capture computer.
4.  Power-up the client and boot onto the network.
5.  Stop Ethereal capture.  Check the client's ARP source IP address is
    correctly captured as the fixed IP address.
6.  Set the client computer to DHCP, and power the client down.
7.  Start the Ethereal capture.
8.  Power up the client computer.
9.  Validate the DHCP address for the client is different from the
    fixed IP address set in step 1.
10. Stop the packet capture and examine the ARP protocol report.
    You will see in the center window the ARP source IP associated
    with the client's MAC is the client's old fixed IP, not
    the DHCP assigned IP address.
11.  Examine the source IP address for the ARP packet in the top
    window.  You'll see that it's the client's old fixed IP address.
12.  Examine the packet data in the lower window.  You will see
     the source IP address is the correct DHCP assigned address.
 
Based on this test, I think Ethereal assumes a MAC is associated with
the first occurrence of the ARP source IP, and will incorrectly misreport
any reassignments or changes in that source IP address.
 
Best regards
 
Jim
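
An added example, not part of the original message and not Ethereal's code: it decodes the ARP sender fields straight from the frame bytes (the data the lower window shows in the report above) and records each point in a capture where a MAC address starts announcing a different sender IP, as happens when a client moves from a fixed address to a DHCP lease. The MAC address, IP addresses and frames are constructed sample values, and `build_arp_request` is a hypothetical helper used only to produce them.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806

def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 14 + 28:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def track_bindings(frames):
    """Walk frames in capture order; return (current MAC->IP map, list of changes)."""
    bindings, changes = {}, []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip, _ = parsed
        if ip == "0.0.0.0":  # ARP probe: sender has not claimed an address yet
            continue
        old = bindings.get(mac)
        if old is not None and old != ip:
            changes.append((index, mac, old, ip))
        bindings[mac] = ip  # the most recent announcement wins
    return bindings, changes

def build_arp_request(mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast ARP request (hypothetical helper, sample input only)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sha + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp

# Constructed frames: one client MAC, first with a fixed IP, later with a DHCP lease.
CLIENT = "00:11:22:33:44:55"
SAMPLE = [
    build_arp_request(CLIENT, "192.168.1.50", "192.168.1.1"),
    build_arp_request(CLIENT, "0.0.0.0", "192.168.1.120"),
    build_arp_request(CLIENT, "192.168.1.120", "192.168.1.1"),
]

if __name__ == "__main__":
    print(track_bindings(SAMPLE))
```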
 

