Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Ethereal-users: RE: [Ethereal-users] Display - packet details question..

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Francisco Alcoba (TS/EEM)" <francisco.alcoba@xxxxxxxxxxxx>
Date: Tue, 29 Mar 2005 23:27:56 -0600
Title: RE: [Ethereal-users] Display - packet details question..

Hi,

>> 2.      A few "ARP request" in packet details, display an IP in  ()  after the source: Mac
>> address, "Example: Source: 00:0e:7f:xx:xx:xx ( #.#.#.# )".   Am I correct in assuming this was
>> MAC - IP translation was done by ethereal performing a sucessful  ARP?  and this data
>> is recorded in the capture file?  

> I don't know the answer for sure, but I'm guessing that Ethereal is either reading the
> ARP cache on the local machine or it is maintaing its own ARP table?

Ethereal maintains its own ARP table, but it does not send ARPs on its own. It only adds the
translations it sees in existing ARP packets. It remembers, however, the translations along
the process life, so it is possible that the ARP packet is not in the capture file where
the translation is shown, but in another file, or live capture, that was read since the
program started. If you start Ethereal, open the first capture file and see the translation
there, it should be because there is an ARP packet in the capture that shows it. It might
be the sender address translated in an ARP request, or both the sender or the receive
in a reply.

Regards,

  Francisco