dwesolowicz
asked on
XP Name Resolution and ARP
I decided to capture some packets with Wireshark to observe an ARP broadcast and reply.
Prior to capturing the data, I went to command line and ran arp -d, nbtstat -R and an ipconfig /flushdns.
Here is a portion of the ARP request:
Frame 18 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Usi_88:ed:b3 (00:1e:37:88:ed:b3), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Sender IP address: 172.16.3.141 (172.16.3.141)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 172.16.3.140 (172.16.3.140)
No. Time Source Destination Protocol Info
19 08:33:44.527556 Foxconn_db:1c:a3 Usi_88:ed:b3 ARP 172.16.3.140 is at 00:15:58:db:1c:a3
Frame 19 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Foxconn_db:1c:a3 (00:15:58:db:1c:a3), Dst: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Address Resolution Protocol (reply)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (0x0002)
Sender MAC address: Foxconn_db:1c:a3 (00:15:58:db:1c:a3)
Sender IP address: 172.16.3.140 (172.16.3.140)
Target MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Target IP address: 172.16.3.141 (172.16.3.141)
My question is this. How did my laptop (172.16.3.141) know the IP address for the server I was trying to connect to? (172.16.3.140) My capture does not show a WINS or DNS queries between frame 18 and frame 19.
I do not have any static host file entries either.
Thank you in advance
Don
Prior to capturing the data, I went to command line and ran arp -d, nbtstat -R and an ipconfig /flushdns.
Here is a portion of the ARP request:
Frame 18 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Usi_88:ed:b3 (00:1e:37:88:ed:b3), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Sender IP address: 172.16.3.141 (172.16.3.141)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 172.16.3.140 (172.16.3.140)
No. Time Source Destination Protocol Info
19 08:33:44.527556 Foxconn_db:1c:a3 Usi_88:ed:b3 ARP 172.16.3.140 is at 00:15:58:db:1c:a3
Frame 19 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Foxconn_db:1c:a3 (00:15:58:db:1c:a3), Dst: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Address Resolution Protocol (reply)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (0x0002)
Sender MAC address: Foxconn_db:1c:a3 (00:15:58:db:1c:a3)
Sender IP address: 172.16.3.140 (172.16.3.140)
Target MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Target IP address: 172.16.3.141 (172.16.3.141)
My question is this. How did my laptop (172.16.3.141) know the IP address for the server I was trying to connect to? (172.16.3.140) My capture does not show a WINS or DNS queries between frame 18 and frame 19.
I do not have any static host file entries either.
Thank you in advance
Don
It was probably in the ARP cache.
ASKER
prior to the capture I went to cmd line and ran arp -d which should delete the cahce.
I confirmed this by running arp -a and the only entry was for my gateway.
So Im still unsure how this is happening
I confirmed this by running arp -a and the only entry was for my gateway.
So Im still unsure how this is happening
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This is what I am unable to see.
I have the capture in a text file if you would be willing to look at it.
Thanks again!
arp.txt
I have the capture in a text file if you would be willing to look at it.
Thanks again!
arp.txt
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I just had a thought.
I was using some software called Dameware during the trace I sent you.
This software is used for remote administration.
During the trace, I was trying to connect to the machine by name.
For the heck of it it tried to connect to the machine in question using UNC, during a second trace.
The trace shows the name being resolved prior to the ARP request. So I guess the application must be resolving the name.
Thank you for working with me on this.
Don
I was using some software called Dameware during the trace I sent you.
This software is used for remote administration.
During the trace, I was trying to connect to the machine by name.
For the heck of it it tried to connect to the machine in question using UNC, during a second trace.
The trace shows the name being resolved prior to the ARP request. So I guess the application must be resolving the name.
Thank you for working with me on this.
Don