Solved

XP Name Resolution and ARP

Posted on 2009-07-02
471 Views
Last Modified: 2013-11-25
I decided to capture some packets with Wireshark to observe an ARP broadcast and reply.
Prior to capturing the data, I went to the command line and ran arp -d, nbtstat -R and ipconfig /flushdns.
Here is a portion of the ARP request:

Frame 18 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Usi_88:ed:b3 (00:1e:37:88:ed:b3), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
    Sender IP address: 172.16.3.141 (172.16.3.141)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 172.16.3.140 (172.16.3.140)

No.     Time            Source                Destination           Protocol Info
     19 08:33:44.527556 Foxconn_db:1c:a3      Usi_88:ed:b3          ARP      172.16.3.140 is at 00:15:58:db:1c:a3

Frame 19 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Foxconn_db:1c:a3 (00:15:58:db:1c:a3), Dst: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Address Resolution Protocol (reply)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (0x0002)
    Sender MAC address: Foxconn_db:1c:a3 (00:15:58:db:1c:a3)
    Sender IP address: 172.16.3.140 (172.16.3.140)
    Target MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
    Target IP address: 172.16.3.141 (172.16.3.141)

My question is this: how did my laptop (172.16.3.141) know the IP address of the server I was trying to connect to (172.16.3.140)? My capture does not show any WINS or DNS queries between frame 18 and frame 19.
I do not have any static host file entries either.

Thank you in advance

Don
Question by:dwesolowicz
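The two frames quoted in the question, rebuilt and decoded byte for byte. This is an added Python example written for this page, not code from the original post: the field values are taken from the capture above, everything else (the padding handling, the reply-matching check and the Ethernet-source/ARP-sender consistency check) is the example's own. Frame 19 arrived as 60 bytes because Ethernet pads short frames to its minimum size, so a parser has to accept trailing bytes after the 28-byte ARP body.

```python
"""Build and parse Ethernet/ARP frames like frames 18 and 19 in the capture above."""
import ipaddress
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 0x0001, 0x0002
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MIN_FRAME_LEN = 60  # Ethernet minimum without FCS; shorter frames are zero-padded on the wire


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def spoof_indicator(self) -> bool:
        """The Ethernet source and the ARP sender hardware address should agree; a mismatch is worth flagging."""
        return self.eth_src != self.sender_mac


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, pad=False) -> bytes:
    """Encode a frame. Requests go to the broadcast MAC with an all-zero target MAC (as in frame 18)."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    frame = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    frame += ARP_HDR.pack(1, 0x0800, 6, 4, opcode,
                          mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                          mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    if pad and len(frame) < MIN_FRAME_LEN:
        frame += b"\x00" * (MIN_FRAME_LEN - len(frame))  # frame 19 was 60 bytes on the wire for this reason
    return frame


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode a frame, validating the fixed fields and ignoring any trailing padding."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if opcode not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unexpected opcode {opcode}")
    return ArpFrame(mac_text(dst), mac_text(src), opcode,
                    mac_text(sha), str(ipaddress.IPv4Address(spa)),
                    mac_text(tha), str(ipaddress.IPv4Address(tpa)))


def reply_answers_request(request: ArpFrame, reply: ArpFrame) -> bool:
    """True when `reply` answers `request`: it comes from the asked-for IP and is addressed back to the asker."""
    return (request.opcode == ARP_REQUEST and reply.opcode == ARP_REPLY
            and reply.sender_ip == request.target_ip
            and reply.target_ip == request.sender_ip
            and reply.target_mac == request.sender_mac)


# Frames 18 and 19 from the capture above, re-encoded from their decoded fields.
FRAME_18 = build_arp(ARP_REQUEST, "00:1e:37:88:ed:b3", "172.16.3.141",
                     "00:00:00:00:00:00", "172.16.3.140")
FRAME_19 = build_arp(ARP_REPLY, "00:15:58:db:1c:a3", "172.16.3.140",
                     "00:1e:37:88:ed:b3", "172.16.3.141", pad=True)

if __name__ == "__main__":
    req, rep = parse_arp(FRAME_18), parse_arp(FRAME_19)
    print(len(FRAME_18), req)   # 42 bytes, like frame 18
    print(len(FRAME_19), rep)   # 60 bytes on the wire, like frame 19
    print("reply matches request:", reply_answers_request(req, rep))
```

Nothing in the ARP exchange itself carries the host name: by the time frame 18 is sent the sender already has 172.16.3.140 as a number, which is exactly the point the rest of the thread turns on. The `spoof_indicator` check is not something the thread discusses; it is a cheap sanity check on any reply you capture, since a reply whose Ethernet source disagrees with its ARP sender address is not what a normal host emits.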
6 Comments
 
LVL 9

Expert Comment

by:DCMBS
ID: 24763485
It was probably in the ARP cache.
 

Author Comment

by:dwesolowicz
ID: 24763645
Prior to the capture I went to the cmd line and ran arp -d, which should delete the cache.
I confirmed this by running arp -a and the only entry was for my gateway.
So I'm still unsure how this is happening.
 
LVL 9

Accepted Solution

by:
DCMBS earned 500 total points
ID: 24763782
Frame 18 is an ARP request for the device with IP 172.16.3.140 to respond with its MAC address, so the IP was resolved prior to frame 18.

Author Comment

by:dwesolowicz
ID: 24764007
This is what I am unable to see.
I have the capture in a text file if you would be willing to look at it.

Thanks again!


arp.txt
 
LVL 9

Assisted Solution

by:DCMBS
DCMBS earned 500 total points
ID: 24764247
Yes, you are right. The trace does not show it being resolved, so it must be cached somewhere. If this is your Domain Controller then it will be hard to keep its address out of the caches, as the domain controller is continuously talking to all machines, so it could well be that the IP was cached in between you clearing all the caches and running the capture. To see all the packets you should probably try doing this to a workstation you would not normally connect to, so that it is unlikely the IP or MAC is cached.
 

Author Comment

by:dwesolowicz
ID: 24764458
I just had a thought.
I was using some software called Dameware during the trace I sent you.
This software is used for remote administration.
During the trace, I was trying to connect to the machine by name.

For the heck of it I tried to connect to the machine in question using UNC, during a second trace.
The trace shows the name being resolved prior to the ARP request. So I guess the application must be resolving the name.

Thank you for working with me on this.

Don
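The check the thread ends on, done mechanically: for each ARP request in a capture, find the most recent DNS or NetBIOS name-service answer that returned the target IP, and report when there is none (the address came from a cache, a hosts entry, or was typed as a number, none of which the capture can show). This is an added Python example written for this page, not code or output from the original thread. The three packet-list traces are constructed for the example and only loosely follow Wireshark's one-line format; the host name server01 and the DNS answer are assumptions, and only the frame numbers and addresses of the ARP exchange come from the capture above.

```python
"""Pair each ARP request in a capture with the name-resolution answer that supplied its target IP."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed packet-list lines (frame no, protocol, Info), loosely in Wireshark's one-line format.
# Scenario A: a DNS lookup for an assumed host name supplies the address before the ARP request.
TRACE_NAME_RESOLVED = """\
1   DNS   Standard query A server01.example.local
2   DNS   Standard query response A 172.16.3.140
3   ARP   Who has 172.16.3.140?  Tell 172.16.3.141
4   ARP   172.16.3.140 is at 00:15:58:db:1c:a3
"""
# Scenario B: the situation in the first trace in the question; nothing in the capture resolves the name.
TRACE_NO_LOOKUP = """\
18  ARP   Who has 172.16.3.140?  Tell 172.16.3.141
19  ARP   172.16.3.140 is at 00:15:58:db:1c:a3
"""
# Scenario C: NetBIOS name service instead of DNS (the cache that nbtstat -R purges).
TRACE_NBNS = """\
5   NBNS  Name query NB SERVER01<20>
6   NBNS  Name query response NB 172.16.3.140
7   ARP   Who has 172.16.3.140?  Tell 172.16.3.141
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*?)\s*$")
ARP_WHO_HAS = re.compile(r"Who has " + IPV4 + r"\?\s+Tell " + IPV4)
DNS_A_ANSWER = re.compile(r"Standard query response\b.*?\bA " + IPV4)
NBNS_ANSWER = re.compile(r"Name query response NB " + IPV4)


@dataclass
class Frame:
    no: int
    proto: str
    info: str


@dataclass
class ArpOrigin:
    arp_frame: int
    target_ip: str
    resolved_in: Optional[int]  # frame that returned target_ip, or None if nothing in the capture did


def parse_trace(text: str) -> list:
    """Turn packet-list lines into Frame records; lines that do not fit the format are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return frames


def explain_arp_requests(frames: list) -> list:
    """Walk the capture in order, remembering the last answer for each IP, and tag every ARP request."""
    last_answer = {}  # ip -> most recent frame number that resolved a name to it
    out = []
    for f in frames:
        if f.proto == "DNS":
            for ip in DNS_A_ANSWER.findall(f.info):
                last_answer[ip] = f.no
        elif f.proto == "NBNS":
            for ip in NBNS_ANSWER.findall(f.info):
                last_answer[ip] = f.no
        elif f.proto == "ARP":
            m = ARP_WHO_HAS.search(f.info)
            if m:
                target = m.group(1)
                out.append(ArpOrigin(f.no, target, last_answer.get(target)))
    return out


if __name__ == "__main__":
    for name, trace in (("DNS", TRACE_NAME_RESOLVED), ("none", TRACE_NO_LOOKUP), ("NBNS", TRACE_NBNS)):
        for origin in explain_arp_requests(parse_trace(trace)):
            where = f"frame {origin.resolved_in}" if origin.resolved_in else "not in this capture"
            print(f"[{name}] ARP request in frame {origin.arp_frame} for {origin.target_ip}: resolved in {where}")
```

Scenario B is the original question: the script reports the target of frame 18 as resolved nowhere in the capture, which is as far as the packets can take you. The thread's answer, that the application had the address before the capture started and a second capture showed the lookup, is the kind of gap this check is meant to surface rather than explain.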