Solved

XP Name Resolution and ARP

Posted on 2009-07-02
Last Modified: 2013-11-25
I decided to capture some packets with Wireshark to observe an ARP broadcast and reply.
Prior to capturing the data, I went to command line and ran arp -d, nbtstat -R and an ipconfig /flushdns.
Here is a portion of the ARP request:

Frame 18 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Usi_88:ed:b3 (00:1e:37:88:ed:b3), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
    Sender IP address: 172.16.3.141 (172.16.3.141)
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
    Target IP address: 172.16.3.140 (172.16.3.140)

No.     Time            Source                Destination           Protocol Info
     19 08:33:44.527556 Foxconn_db:1c:a3      Usi_88:ed:b3          ARP      172.16.3.140 is at 00:15:58:db:1c:a3

Frame 19 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Foxconn_db:1c:a3 (00:15:58:db:1c:a3), Dst: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
Address Resolution Protocol (reply)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (0x0002)
    Sender MAC address: Foxconn_db:1c:a3 (00:15:58:db:1c:a3)
    Sender IP address: 172.16.3.140 (172.16.3.140)
    Target MAC address: Usi_88:ed:b3 (00:1e:37:88:ed:b3)
    Target IP address: 172.16.3.141 (172.16.3.141)

My question is this. How did my laptop (172.16.3.141) know the IP address of the server I was trying to connect to (172.16.3.140)? My capture does not show any WINS or DNS queries between frame 18 and frame 19.
I do not have any static host file entries either.

Thank you in advance

Don
Question by:dwesolowicz

6 Comments

Expert Comment

by:DCMBS
ID: 24763485
It was probably in the ARP cache.
Author Comment

by:dwesolowicz
ID: 24763645
Prior to the capture I went to the cmd line and ran arp -d, which should delete the cache.
I confirmed this by running arp -a, and the only entry was for my gateway.
So I'm still unsure how this is happening.
Accepted Solution

by:
DCMBS earned 500 total points
ID: 24763782
Frame 18 is an ARP request for the device with IP 172.16.3.140 to respond with its MAC address, so the IP was resolved prior to frame 18.
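The point of the accepted solution is visible in the bytes themselves: the last four bytes of the 42-byte ARP request already carry the target IP 172.16.3.140, so whatever resolved the name did so before frame 18 was put on the wire. The following decoder is an added example, not code from the thread; it reconstructs frames 18 and 19 from the field values shown in the Wireshark output (the 18 bytes of zero padding on the 60-byte reply are assumed), parses them with the standard RFC 826 layout, and pairs each reply with the request it answers. As an extension beyond the thread, it also reports replies that arrive with no outstanding request, which is what an ARP cache should never trust blindly.

```python
"""Minimal Ethernet II / ARP decoder with request-reply pairing.

Added example (not from the original post). The two frames are
reconstructed from the thread's Wireshark output; the reply padding
is an assumption, everything else is taken from the listed fields.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Frame 18: broadcast ARP request from 00:1e:37:88:ed:b3 (172.16.3.141)
# asking who has 172.16.3.140.  ac10038d = 172.16.3.141, ac10038c = 172.16.3.140.
FRAME_18_REQUEST = bytes.fromhex(
    "ffffffffffff 001e3788edb3 0806"          # Ethernet: dst, src, type=ARP
    "0001 0800 06 04 0001"                    # htype, ptype, hlen, plen, op=request
    "001e3788edb3 ac10038d"                   # sender MAC / IP
    "000000000000 ac10038c"                   # target MAC (unknown) / target IP
)

# Frame 19: unicast reply from 00:15:58:db:1c:a3 (172.16.3.140) back to the
# requester.  Padded to the 60-byte minimum Ethernet payload (assumed padding).
FRAME_19_REPLY = bytes.fromhex(
    "001e3788edb3 001558db1ca3 0806"
    "0001 0800 06 04 0002"
    "001558db1ca3 ac10038c"
    "001e3788edb3 ac10038d"
) + b"\x00" * 18


@dataclass(frozen=True)
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Decode an Ethernet II frame; return the ARP body, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]  # sha(6) spa(4) tha(6) tpa(4)
    return Arp(op, mac_str(body[0:6]), ip_str(body[6:10]),
               mac_str(body[10:16]), ip_str(body[16:20]))


Binding = Tuple[str, str]  # (ip, mac)


def pair_arp(frames: List[bytes]) -> Tuple[List[Binding], List[Binding]]:
    """Walk frames in capture order.

    Returns (learned, unsolicited): bindings from replies that answer an
    outstanding request, and bindings claimed by replies nobody asked for.
    A reply matches a request when the reply's target MAC is the requester
    and the reply's sender IP is the IP the requester asked about.
    """
    pending = set()           # (requester_mac, target_ip) still unanswered
    learned, unsolicited = [], []
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        if a.opcode == ARP_REQUEST:
            pending.add((a.sender_mac, a.target_ip))
        elif a.opcode == ARP_REPLY:
            key = (a.target_mac, a.sender_ip)
            if key in pending:
                pending.discard(key)
                learned.append((a.sender_ip, a.sender_mac))
            else:
                unsolicited.append((a.sender_ip, a.sender_mac))
    return learned, unsolicited


if __name__ == "__main__":
    req = parse_arp(FRAME_18_REQUEST)
    print("request already names target IP:", req.target_ip)
    learned, unsolicited = pair_arp([FRAME_18_REQUEST, FRAME_19_REPLY])
    print("learned:", learned, "unsolicited:", unsolicited)
```

Run stand-alone it prints the target IP carried by the request (172.16.3.140) and the single binding learned from frame 19. Feeding the reply alone shows the same binding under "unsolicited", which is the shape of a gratuitous or spoofed reply and the reason a capture that starts mid-conversation can look like the cache was never cleared.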
Author Comment

by:dwesolowicz
ID: 24764007
This is what I am unable to see.
I have the capture in a text file if you would be willing to look at it.

Thanks again!


arp.txt
Assisted Solution

by:DCMBS
DCMBS earned 500 total points
ID: 24764247
Yes, you are right. The trace does not show it being resolved, so it must be cached somewhere. If this is your Domain Controller then it will be hard to keep its address out of the caches, as the domain controller is continuously talking to all machines, so it could well be that the IP was cached in between you clearing all the caches and running the capture. To see all the packets you should probably try doing this to a workstation you would not normally connect to, so that it is unlikely the IP or MAC is cached.
Author Comment

by:dwesolowicz
ID: 24764458
I just had a thought.
I was using some software called Dameware during the trace I sent you.
This software is used for remote administration.
During the trace, I was trying to connect to the machine by name.

For the heck of it, I tried to connect to the machine in question using UNC during a second trace.
The trace shows the name being resolved prior to the ARP request. So I guess the application must be resolving the name.

Thank you for working with me on this.

Don