Re: [opensuse] I need to find what is a certain IPv6 address in my LAN
On 03/19/2016 05:38 PM, Carlos E. R. wrote:
It might be my switch or my wifi router.
Switch mac "14:cc:20:ba:ba:bd". wifi mac "f8:1a:67:91:f4:22"
But the mac doesn't seem to match.
Can you find the MAC in your arp cache or DHCP server? Of course, you can always fire up Wireshark to see the actual MAC address and then filter on it to see what IPv4 address might show up. Also, you can look up the MAC address to see who the manufacturer is.

http://www.macvendorlookup.com/

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 03/19/2016 07:13 PM, James Knott wrote:
On 03/19/2016 05:38 PM, Carlos E. R. wrote:
It might be my switch or my wifi router.
Switch mac "14:cc:20:ba:ba:bd". wifi mac "f8:1a:67:91:f4:22"
But the mac doesn't seem to match.
Can you find the MAC in your arp cache or DHCP server? Of course, you can always fire up Wireshark to see the actual MAC address and then filter on it to see what IPv4 address might show up. Also, you can look up the MAC address to see who the manufacturer is. http://www.macvendorlookup.com/
To make things easier for you, the link local address fe80::8cae:84ff:fe43:27d4 works out to a MAC address of 8eae:8443:27d4. But it appears to be a locally assigned MAC address, which won't show up in a search. I can tell it's locally assigned because it starts off with "8e", which would be "8c" otherwise. As 8e is an even number, the 8th bit is a 0. If it was a 1, then it would be a multicast MAC address.

You can find info on MAC addresses here: https://en.wikipedia.org/wiki/MAC_address

BTW, that 7th bit can make things confusing. In the MAC, it's used to indicate locally assigned MACs. Then in converting to IPv6 link local address, whatever it is gets inverted. The reason for this is so that a locally assigned address will start off with a string of zeros.

Bottom line, something is generating a locally assigned address. You'll have to do some detective work to find out what. Since those packets are happening frequently, just set up Wireshark to display only them and then start disconnecting things until they stop.
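Added example (not part of the original message): the conversion described above, in both directions, so the MACs already known on the LAN can be checked against the address being hunted. The function names are made up for this illustration; the address and the two MACs are the ones quoted in the thread.

```python
import ipaddress

def link_local_to_mac(addr: str) -> str:
    """Recover the MAC behind a modified EUI-64 link-local address."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop a %zone suffix
    if not ip.is_link_local:
        raise ValueError(f"{addr} is not in fe80::/10")
    iid = bytearray(ip.packed[8:])                   # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        # privacy or manually set interface IDs carry no MAC to recover
        raise ValueError("interface ID is not EUI-64 derived")
    iid[0] ^= 0x02                                   # undo the 7th-bit inversion
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

def mac_to_link_local(mac: str) -> str:
    """Link-local address a host would derive from this MAC via EUI-64."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError(f"{mac} is not a 48-bit MAC")
    raw[0] ^= 0x02                                   # invert the 7th bit
    iid = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))

def mac_flags(mac: str) -> dict:
    """Decode the two low-order bits of the first MAC octet."""
    first = int(mac[:2], 16)
    return {"locally_administered": bool(first & 0x02),   # 7th bit
            "multicast": bool(first & 0x01)}              # 8th bit

if __name__ == "__main__":
    target = "fe80::8cae:84ff:fe43:27d4"
    mac = link_local_to_mac(target)
    print(target, "->", mac, mac_flags(mac))
    # MACs of the switch and the wifi router as given in the thread
    for name, known in [("switchcreo", "14:cc:20:ba:ba:bd"),
                        ("oldrouter", "f8:1a:67:91:f4:22")]:
        ll = mac_to_link_local(known)
        print(name, known, "->", ll, "MATCH" if ll == target else "no match")
```

Neither hardware MAC maps to the address in question, which is consistent with the locally assigned bit being set: the device is using a MAC other than the burned-in one for that interface.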
On 2016-03-20 00:53, James Knott wrote:
On 03/19/2016 07:13 PM, James Knott wrote:
On 03/19/2016 05:38 PM, Carlos E. R. wrote:
It might be my switch or my wifi router.
Switch mac "14:cc:20:ba:ba:bd". wifi mac "f8:1a:67:91:f4:22"
But the mac doesn't seem to match.
Can you find the MAC in your arp cache or DHCP server? Of course, you can always fire up Wireshark to see the actual MAC address and then filter on it to see what IPv4 address might show up. Also, you can look up the MAC address to see who the manufacturer is. http://www.macvendorlookup.com/
Well, I posted already the output of "arp" and it is not there:

    Telcontar:~ # arp
    Address              HWtype  HWaddress           Flags Mask  Iface
    192.168.74.119       ether   00:0c:29:5f:45:90   C           vmnet8
    router.valinor       ether   f8:8e:85:64:78:f2   C           eth0
    oldrouter.valinor    ether   f8:1a:67:91:f4:22   C           eth0
    AmonLanc.valinor     ether   00:03:0d:05:17:fc   C           eth0
    moria.valinor                (incomplete)                    eth0
    switchcreo           ether   14:cc:20:ba:ba:bd   C           eth0
    Telcontar:~ #

The arp cache of the router is:

    IP address       Flags     HW Address          Device
    10.128.0.1       Complete  e0:97:96:bc:89:ca   eth0.3
    192.168.1.15     Complete  00:03:0d:05:17:fc   br0
    192.168.1.52     Complete  80:96:ca:02:06:f9   br0
    192.168.1.5      Complete  f8:1a:67:91:f4:22   br0
    192.168.1.132    Complete  5c:51:88:8f:3b:18   br0
    192.168.1.201    Complete  90:ef:68:3a:0c:b8   br0
    192.168.1.14     Complete  00:21:85:16:2d:0b   br0

the switch is not even there. It should, I suppose.
To make things easier for you, the link local address fe80::8cae:84ff:fe43:27d4 works out to a MAC address of 8eae:8443:27d4. But it appears to be a locally assigned MAC address, which won't show up in a search. I can tell it's locally assigned because it starts off with "8e", which would be "8c" otherwise. As 8e is an even number, the 8th bit is a 0. If it was a 1, then it would be a multicast MAC address.
Well, I believe it is the "switchcreo" (switch, I believe) - see my response to Per. But its MAC is 14:cc:20:ba:ba:bd
You can find info on MAC addresses here: https://en.wikipedia.org/wiki/MAC_address
BTW, that 7th bit can make things confusing. In the MAC, it's used to indicate locally assigned MACs. Then in converting to IPv6 link local address, whatever it is gets inverted. The reason for this is so that a locally assigned address will start off with a string of zeros.
Ah.
Bottom line, something is generating a locally assigned address. You'll have to do some detective work to find out what. Since those packets are happening frequently, just set up Wireshark to display only them and then start disconnecting things until they stop.
I will not be able to see them, and also, I don't know what packages to look for.

ISP--fibre--[Main router]---[switch]---[R-W-A.P.]--

R-W-A.P. is Router used as "WiFi-Access Point"

My computer is connected to the switch. If, as I believe, the traffic is between the router and the R-W-A.P. (see Florian post and my response), the switch may not send those packages to my computer.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 03/20/2016 08:29 AM, Carlos E. R. wrote:
    IP address       Flags     HW Address          Device
    10.128.0.1       Complete  e0:97:96:bc:89:ca   eth0.3
    192.168.1.15     Complete  00:03:0d:05:17:fc   br0
    192.168.1.52     Complete  80:96:ca:02:06:f9   br0
    192.168.1.5      Complete  f8:1a:67:91:f4:22   br0
    192.168.1.132    Complete  5c:51:88:8f:3b:18   br0
    192.168.1.201    Complete  90:ef:68:3a:0c:b8   br0
    192.168.1.14     Complete  00:21:85:16:2d:0b   br0
the switch is not even there. It should, I suppose.
The arp cache will only list IPv4 devices that have recently sent traffic to the computer where you're looking at the cache. If nothing happens for a period of time, everything in the cache will expire. The ip neighbor show command lists both IPv4 and IPv6 addresses, but again they will expire.
I will not be able to see them, and also, I don't know what packages to look for.
???? Wireshark is included with openSUSE. Just install it. You can then use it to monitor network traffic. I suggested using it to display only those link local packets and then see what happens when you disconnect one device at a time from your switch.
ISP--fibre--[Main router]---[switch]---[R-W-A.P.]--
R-W-A.P. is Router used as "WiFi-Access Point"
My computer is connected to the switch. If, as I believe, the traffic is between the router and the R-W-A.P. (see Florian post and my response), the switch may not send those packages to my computer.
You might not even see the switch. While they do have MAC addresses, unmanaged switches don't normally communicate with other devices. They just pass traffic, with the original MAC intact. However, you should be able to see spanning tree protocol frames, from most switches, with Wireshark. Spanning tree is a method that switches use to avoid loops. All but low end switches use it.
On Sunday, 2016-03-20 at 09:32 -0400, James Knott wrote:
On 03/20/2016 08:29 AM, Carlos E. R. wrote:
    IP address       Flags     HW Address          Device
    10.128.0.1       Complete  e0:97:96:bc:89:ca   eth0.3
    192.168.1.15     Complete  00:03:0d:05:17:fc   br0
    192.168.1.52     Complete  80:96:ca:02:06:f9   br0
    192.168.1.5      Complete  f8:1a:67:91:f4:22   br0
    192.168.1.132    Complete  5c:51:88:8f:3b:18   br0
    192.168.1.201    Complete  90:ef:68:3a:0c:b8   br0
    192.168.1.14     Complete  00:21:85:16:2d:0b   br0
the switch is not even there. It should, I suppose.
The arp cache will only list IPv4 devices that have recently sent traffic to the computer where you're looking at the cache. If nothing happens for a period of time, everything in the cache will expire. The ip neighbor show command lists both IPv4 and IPv6 addresses, but again they will expire.
Yes, but I had pinged successfully the IP in question seconds before.
I will not be able to see them, and also, I don't know what packages to look for.
????
Wireshark is included with openSUSE. Just install it.
Yes, I know the tool, I have used it often.
You can then use it to monitor network traffic. I suggested using it to display only those link local packets and then see what happens when you disconnect one device at a time from your switch.
Yes, but the problem is that the machine that is complaining is the ISP router. The computer is connected to the switch, but it will not see all the traffic unless I define that port to be a mirror port (I think that is the term).

Ok, let's try something else. I have left only this computer connected to the switch.

ping 192.168.1.6 succeeds. I.e., that is the switch.

ping6 -I eth0 "fe80::8cae:84ff:fe43:27d4" fails. It is not the switch.

Connect the cable going to the oldrouter aka wifi AP... success.

So the "fe80::8cae:84ff:fe43:27d4" is the oldrouter, not the switch as I thought.
ISP--fibre--[Main router]---[switch]---[R-W-A.P.]--
R-W-A.P. is Router used as "WiFi-Access Point"
My computer is connected to the switch. If, as I believe, the traffic is between the router and the R-W-A.P. (see Florian post and my response), the switch may not send those packages to my computer.
You might not even see the switch. While they do have MAC addresses, unmanaged switches don't normally communicate with other devices. They just pass traffic, with the original MAC intact. However, you should be able to see spanning tree protocol frames, from most switches, with Wireshark. Spanning tree is a method that switches use to avoid loops. All but low end switches use it.
It is a managed sw, but only via Windows, with its own application. A TP-Link in a small metal box and 8 ports.

--
Cheers,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 03/20/2016 05:39 PM, Carlos E. R. wrote:
It is a managed sw, but only via Windows, with its own application. A TP-Link in a small metal box and 8 ports.
You seem to come up with the weirdest situations. I guess it must be due to the water in Spain. ;-)
On 2016-03-20 23:23, James Knott wrote:
On 03/20/2016 05:39 PM, Carlos E. R. wrote:
It is a managed sw, but only via Windows, with its own application. A TP-Link in a small metal box and 8 ports.
You seem to come up with the weirdest situations. I guess it must be due to the water in Spain. ;-)
ROTFL! :-)

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 03/20/2016 06:23 PM, James Knott wrote:
On 03/20/2016 05:39 PM, Carlos E. R. wrote:
It is a managed sw, but only via Windows, with its own application. A TP-Link in a small metal box and 8 ports.
You seem to come up with the weirdest situations. I guess it must be due to the water in Spain. ;-)
The rain in Spain ....

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
participants (3): Anton Aylward, Carlos E. R., James Knott