
Ethereal-users: Re: [Ethereal-users] NIC Manufacturer resolving

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Julian Fielding" <jfielding@xxxxxxxxxxxxxxx>
Date: Wed, 20 Oct 2004 12:16:44 +0100

This is what I requested in http://www.ethereal.com/lists/ethereal-dev/200310/msg00536.html

Many IP addresses are not resolvable in my environment, and I use Windows, so I turn off network name resolution. So if I expand Ethernet in the middle window I usually see, for example, Source : xx:yy:zz:12:34:56 (manufXYZ:12:34:56). But if Ethereal's seen a relevant ARP then I see Source : xx:yy:zz:12:34:56 (192.168.200.123) which is not useful since the IP addresses are already visible in the IP layer just below.

I guess this behaviour might be useful for hosts that use, say, IPX as well as IP. Or for routers, where the IP associated with the MAC address is different from that in the IP layer, but that's usually obvious when I see (well_known_router_manufacturer) instead of (my_expected_hardware_manufacturer). Question: Is this behaviour ever useful? Or is it just confusing to show apparently wrong or irrelevant IP addresses?

Arve, you can work around the problem by disabling ARP or by using a capture filter to prevent Ethereal seeing ARP packets.

Julian.

Ian Schorr <ethereal@xxxxxxxxxxxxx> on Tue, 19 Oct 2004 16:58:36 -0400 wrote:

>Does anyone see a reason why we can't either disable that behavior or
>at least make it optional?
>
>I have yet to run into a situation where I wanted the hostname, but
>plenty of situations where I wanted the OUI resolved and couldn't see
>it.
>
>IIRC it also does this if one has network name resolution disabled,
>which I actually *would* consider a bug (or at least a bad idea).
>
>Ian
>
>On Oct 17, 2004, at 6:00 PM, Guy Harris wrote:
>
>> arv@xxxxxxxxxx wrote:
>>> Sometimes instead of manufacturer resolving I see IP address related to
>>> MAC address.
>>
>> What do you mean by "IP address related to MAC address"?
>>
>> If Ethereal displays an IP *address* - e.g., 192.168.0.1 - when it
>> should be displaying a MAC address, that's a bug.
>>
>> If, however, it displays a host name corresponding to an IP address,
>> that's *not* a bug - if Ethereal sees an ARP packet that indicates
>> that a particular IP address corresponds to a particular MAC address,
>> and it can resolve the IP address in question to a name, it arranges
>> to resolve that MAC address to the same name.
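
The behaviour discussed in this thread, modelled in Python as an added example (not Ethereal's code, and not from any poster): an address learned from an ARP frame replaces the OUI manufacturer label for that MAC unless a preference turns it off. The `prefer_arp` option, the function names and the `00:aa:bb` to `manufXYZ` OUI entry are assumptions made for illustration, and the frames are constructed sample input.

```python
import struct

# Constructed OUI table: "manufXYZ" is the thread's placeholder vendor, not a real one.
OUI = {bytes.fromhex("00aabb"): "manufXYZ"}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet + ARP reply frame (sample input)."""
    eth = target_mac + sender_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def learn_from_arp(frame, table):
    """Record sender MAC -> sender IPv4 address if the frame is Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False  # too short, or EtherType is not ARP
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False  # not Ethernet hardware / IPv4 protocol addresses
    table[frame[22:28]] = ".".join(str(x) for x in frame[28:32])
    return True

def label(mac, table, prefer_arp=True):
    """Return the text shown in parentheses next to a MAC address."""
    if prefer_arp and mac in table:
        return table[mac]  # ARP-learned address hides the manufacturer
    vendor = OUI.get(mac[:3])
    if vendor is None:
        return mac_str(mac)  # unknown OUI: show the plain address
    return f"{vendor}:{mac_str(mac[3:])}"

def demo():
    host = bytes.fromhex("00aabb123456")
    peer = bytes.fromhex("00aabb654321")
    table = {}
    before = label(host, table)  # no ARP seen yet
    frame = build_arp_reply(host, bytes([192, 168, 200, 123]),
                            peer, bytes([192, 168, 200, 1]))
    learn_from_arp(frame, table)
    return before, label(host, table), label(host, table, prefer_arp=False)

if __name__ == "__main__":
    print(demo())
```

Keeping ARP frames away from `learn_from_arp`, as the capture-filter workaround above does for Ethereal, leaves the manufacturer label in place.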