Solved

XP Name Resolution and ARP

Posted on 2009-07-02
Last Modified: 2013-11-25
I decided to capture some packets with Wireshark to observe an ARP broadcast and reply.
Prior to capturing the data, I went to the command line and ran arp -d, nbtstat -R and ipconfig /flushdns.
Here is a portion of the ARP request:

Frame 18 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Usi_88:ed:b3 (00:1e:37:88:ed:b3), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
    Sender IP address: 172.16.3.141 (172.16.3.141)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 172.16.3.140 (172.16.3.140)

No.     Time            Source                Destination           Protocol Info
     19 08:33:44.527556 Foxconn_db:1c:a3      Usi_88:ed:b3          ARP      172.16.3.140 is at 00:15:58:db:1c:a3

Frame 19 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Foxconn_db:1c:a3 (00:15:58:db:1c:a3), Dst: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Address Resolution Protocol (reply)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (0x0002)
    Sender MAC address: Foxconn_db:1c:a3 (00:15:58:db:1c:a3)
    Sender IP address: 172.16.3.140 (172.16.3.140)
    Target MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
    Target IP address: 172.16.3.141 (172.16.3.141)

My question is this: how did my laptop (172.16.3.141) know the IP address for the server I was trying to connect to (172.16.3.140)? My capture does not show any WINS or DNS queries between frame 18 and frame 19.
I do not have any static host file entries either.

Thank you in advance

Don
0
Question by:dwesolowicz
6 Comments
 
LVL 9

Expert Comment

by:DCMBS
ID: 24763485
It was probably in the ARP cache.
0
 

Author Comment

by:dwesolowicz
ID: 24763645
Prior to the capture I went to the command line and ran arp -d, which should delete the cache.
I confirmed this by running arp -a and the only entry was for my gateway.
So I'm still unsure how this is happening.
0
 
LVL 9

Accepted Solution

by:
DCMBS earned 500 total points
ID: 24763782
Frame 18 is an ARP request for the device with IP 172.16.3.140 to respond with its MAC address. So the IP was resolved prior to frame 18.
0

 

Author Comment

by:dwesolowicz
ID: 24764007
This is what I am unable to see.
I have the capture in a text file if you would be willing to look at it.

Thanks again!


arp.txt
0
 
LVL 9

Assisted Solution

by:DCMBS
DCMBS earned 500 total points
ID: 24764247
Yes, you are right. The trace does not show it being resolved, so it must be cached somewhere. If this is your Domain Controller then it will be hard to keep its address out of the caches, as the domain controller is continuously talking to all machines, so it could well be that the IP was cached in between you clearing all the caches and running the capture. To see all the packets you should probably try doing this to a workstation you would not normally connect to, so that it is unlikely the IP or MAC is cached.
0
 

Author Comment

by:dwesolowicz
ID: 24764458
I just had a thought.
I was using some software called Dameware during the trace I sent you.
This software is used for remote administration.
During the trace, I was trying to connect to the machine by name.

For the heck of it, I tried to connect to the machine in question using UNC during a second trace.
The trace shows the name being resolved prior to the ARP request. So I guess the application must be resolving the name.

Thank you for working with me on this.

Don
0
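The check this thread works through by eye, as an added example that is not part of any participant's post: it reads Wireshark summary lines in the column layout shown in the question and reports ARP requests from a host whose target IP never appeared in an earlier DNS, NBNS or LLMNR response in the same capture. The function name, the sample lines other than frame 19, the host name and the DNS server address 172.16.3.10 are constructed for illustration.

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ARP_REQ = re.compile(r"Who has (\S+?)\?\s+Tell (\S+)")
RESOLVERS = {"DNS", "NBNS", "LLMNR"}  # protocols whose responses carry addresses

def unexplained_arp(summary_lines, host_ip):
    """Return [(frame_no, target_ip)] for ARP requests sent by host_ip whose
    target address was not seen in any earlier name-resolution response."""
    resolved, findings = set(), []
    for line in summary_lines:
        parts = line.split(None, 5)  # No. Time Source Destination Protocol Info
        if len(parts) < 6 or not parts[0].isdigit():
            continue  # column header, blank line, or detail-pane text
        no, _time, _src, _dst, proto, info = parts
        if proto in RESOLVERS and "response" in info.lower():
            resolved.update(IPV4.findall(info))  # addresses handed to the client
        elif proto == "ARP":
            m = ARP_REQ.search(info)
            if m and m.group(2) == host_ip and m.group(1) not in resolved:
                findings.append((int(no), m.group(1)))
    return findings

# Constructed sample modelled on the first trace: the ARP exchange appears
# with no name lookup before it (frame 19 is the summary line from the page).
TRACE_APP_BY_NAME = [
    "No.     Time            Source                Destination           Protocol Info",
    "     18 08:33:44.527301 Usi_88:ed:b3          Broadcast             ARP      Who has 172.16.3.140?  Tell 172.16.3.141",
    "     19 08:33:44.527556 Foxconn_db:1c:a3      Usi_88:ed:b3          ARP      172.16.3.140 is at 00:15:58:db:1c:a3",
]

# Constructed sample modelled on the second (UNC) trace: a lookup is answered
# before the ARP request. Host name and DNS server address are hypothetical.
TRACE_UNC = [
    "      7 08:41:02.100000 172.16.3.141          172.16.3.10           DNS      Standard query A server01.example.test",
    "      8 08:41:02.100400 172.16.3.10           172.16.3.141          DNS      Standard query response A 172.16.3.140",
    "      9 08:41:02.100900 Usi_88:ed:b3          Broadcast             ARP      Who has 172.16.3.140?  Tell 172.16.3.141",
]

if __name__ == "__main__":
    print(unexplained_arp(TRACE_APP_BY_NAME, "172.16.3.141"))
    print(unexplained_arp(TRACE_UNC, "172.16.3.141"))
```

A reported frame means the address came from somewhere the capture does not show: a cache, a lookup made before the capture started, or an application that supplied the IP itself.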
