
Ethereal-users: Re: [Ethereal-users] Display - packet details question..

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Scott Lowrey <slowrey@xxxxxxxxxxx>
Date: Tue, 29 Mar 2005 10:12:27 -0500
Jemiolo, John wrote:
Display - packet details question..

Two questions about looking at the packet details for an ARP request.

1. In the packet details I can see the source: MAC translation to the abbreviated MFG's name surrounded by ( ) "Example: Source: 00:0e:7f:xx:xx:xx (HewlettP_xx:xx:xx)". From the user's manual I'm assuming that this is an internal ethereal conversion. This translation is performed if the MAC address ARP fails for ethereal?


Ethereal is simply resolving the manufacturer name associated with the MAC address.  (MAC addresses are dished out in blocks to manufacturers.)  If you want to see the numeric MAC, disable the name resolution option.

2. A few "ARP request" in packet details display an IP in ( ) after the source: MAC address, "Example: Source: 00:0e:7f:xx:xx:xx ( #.#.#.# )". Am I correct in assuming this MAC - IP translation was done by ethereal performing a successful ARP? And this data is recorded in the capture file?

I don't know the answer for sure, but I'm guessing that Ethereal is either reading the ARP cache on the local machine or it is maintaining its own ARP table?

--
Scott Lowrey
Test Engineering Manager
NexTone Communications
Gaithersburg, Maryland USA
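
The manufacturer lookup described in the reply to question 1, as an added example that is not part of the original message and not Ethereal's own code: the first three octets of the address select a vendor name from a local table, so the label is derived from the prefix alone and says nothing about whether the address is genuine. The tab-separated table layout, its rows and the function names are assumptions made for this example; only the `HewlettP` prefix and the display format come from the post.

```python
import re

# Constructed table excerpt (prefix, short name, optional "#" comment).
# Layout and rows are assumptions; only 00:0E:7F -> HewlettP mirrors the post.
SAMPLE_MANUF = """\
# prefix\tshort name\tcomment
00:0E:7F\tHewlettP\t# constructed entry matching the post
00:00:0C\tCisco\t# constructed entry
"""

def parse_mac(text, length=6):
    """Accept ':', '-' or '.' separated hex and return the raw bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (length * 2), digits):
        raise ValueError("not a %d-byte hardware address: %r" % (length, text))
    return bytes.fromhex(digits)

def load_oui_table(text):
    """Map each 3-byte prefix in the table text to its short vendor name."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on tabs
        if len(fields) >= 2:
            table[parse_mac(fields[0], 3)] = fields[1]
    return table

def resolve(mac, table):
    """Render a MAC in the style shown in the post: numeric (Vendor_xx:xx:xx)."""
    raw = parse_mac(mac)
    numeric = ":".join("%02x" % b for b in raw)
    # Locally administered addresses (0x02 bit of the first octet) do not come
    # from a manufacturer block, so this example leaves them numeric.
    if raw[0] & 0x02:
        return numeric
    name = table.get(raw[:3])
    if name is None:
        return numeric  # unknown prefix: nothing to resolve
    tail = ":".join("%02x" % b for b in raw[3:])
    return "%s (%s_%s)" % (numeric, name, tail)

if __name__ == "__main__":
    oui = load_oui_table(SAMPLE_MANUF)
    for sample in ("00:0e:7f:12:34:56", "00-0C-29-12-34-56", "02:0e:7f:12:34:56"):
        print("Source:", resolve(sample, oui))
```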