Chadley Wilson wrote:
Greetings
Guys, what does it mean when ethereal gives this output?

time   source          destination   protocol   info
xxx    196.25.100.21   Broadcast     arp        who has 196.25.100.242? tell 196.25.100.21

I just put xxx in for time; it's probably not important with regard to the question.
Does this mean someone is ARPing my 21 box?
ARP is "address resolution protocol". You may or may not know that ethernet connections are between hardware or MAC addresses, not IPs. (Run 'ifconfig'; the MAC address is the stuff after HWaddr on the first line of the output.) From this view the IP may be thought of as sort of a standardized bookkeeping method to group things with random names in an orderly manner. This means that a router on the other side of the planet only needs to know part of which group you belong to (i.e. your domain) in order to be able to route traffic to you. Otherwise, it would need to know your MAC address -- and also the MAC addresses of all the ethernet cards on the planet. Only your gateway plus any system you talk to directly (called your local segment) actually need to know the MAC address of your ethernet card -- and obviously (I hope it's obvious anyway) it must also know the IP which matches that MAC address. This is where ARP comes in.

What you posted above is an ARP Request -- a broadcast by 196.25.100.21 to the entire subnet, asking to be told which ethernet card (MAC address) is using IP 196.25.100.242. If that is your IP, your system will respond with an ARP Reply giving your MAC address. If not, the request is just ignored.

Your system also maintains similar information, most often consisting only of your gateway. That is stored in /proc/net/arp, and you can also print it out with 'arp -i <interface> -a'. The arp command's output is maybe a bit more meaningful to humans (it gives the fully qualified host as well as the IP and MAC addresses of the ethernet cards in its neighbourhood). If you captured everything arriving on your ethernet card, you probably noticed that a very large part of it is ARP stuff. There is only a limited amount of space in the ARP cache, so old stale entries that haven't been used for a while have to be verified and updated -- and note any TCP packet sent from your system will update the entry the gateway has for your system.

The default update interval is usually around 20 minutes. The reason so much of everything you see is ARP traffic is the 99.9 percent of all the users connected to your gateway who leave their systems turned off 23 hours and 59 minutes of every day, so for one minute of the day the gateway knows what ethernet card is using those IPs -- the rest of the time it's asking who has those IPs. Sometimes I think this stuff is responsible for 99% of all the traffic there is, and because of it these people eat up 99% of my bandwidth. They don't need cable or DSL, but they have it.

Another reason for ARP traffic is really screwed up systems -- not always Windows -- that think they have to talk directly to every IP they know about. Every time they find a system in their local segment, whether it has ever talked directly to them or not, they put it into their ARP cache, and leave it there -- and then try to update the cache every 20 minutes or so.

ARP is an IPv4 thing only, because the MAC address of your ethernet card will form part of any IPv6 address your system will have. IPv4 was written back when most people figured 256 to the 4th power was a very large number, and no one would ever need more IPs than that -- the guys that asked "is this like no one will ever need more than 64KB of memory" were laughed at or ignored. Now IPs are handed out like doctors hand out tranquilizers, so of course there aren't enough -- hence IPv6, which in principle will provide enough addresses for the next billion years or so (or until they start having to duplicate MAC addresses in ethernet cards, anyway).
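The request/reply exchange and the /proc/net/arp cache described in the reply above, as an added example that is not part of the original thread: a small Python helper that reads Ethereal-style ARP "Who has X? Tell Y" / "X is at MAC" lines, decides which requests a host with a given set of IPs would actually answer, counts requests per sender (the "most of what you see is ARP" observation), and parses the /proc/net/arp table including its complete/incomplete flag. The capture lines and the /proc/net/arp text are constructed samples, and all function names are my own.

```python
import re
from collections import Counter

# Constructed sample of the kind of line Ethereal prints for ARP traffic
# (first line mirrors the one in the question; the rest are made up).
CAPTURE_LINES = """\
0.000 196.25.100.21 Broadcast     ARP Who has 196.25.100.242?  Tell 196.25.100.21
0.412 196.25.100.21 Broadcast     ARP Who has 196.25.100.17?  Tell 196.25.100.21
0.413 196.25.100.17 196.25.100.21 ARP 196.25.100.17 is at 00:11:22:33:44:55
1.900 196.25.100.1  Broadcast     ARP Who has 196.25.100.242?  Tell 196.25.100.1
""".splitlines()

# Constructed sample in the layout of /proc/net/arp (header line, then entries).
# Flags 0x2 means the entry is complete (a reply was received); 0x0 means the
# kernel is still waiting for an answer to its request.
PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
196.25.100.1     0x1         0x2         00:0a:0b:0c:0d:0e     *        eth0
196.25.100.17    0x1         0x0         00:00:00:00:00:00     *        eth0
"""

REQUEST_RE = re.compile(r"Who has (\S+)\?\s+Tell (\S+)", re.IGNORECASE)
REPLY_RE = re.compile(r"(\S+) is at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_capture_line(line):
    """Return ('request', target_ip, sender_ip), ('reply', ip, mac) or None."""
    m = REQUEST_RE.search(line)
    if m:
        return ("request", m.group(1), m.group(2))
    m = REPLY_RE.search(line)
    if m:
        return ("reply", m.group(1), m.group(2).lower())
    return None


def requests_for_me(lines, my_ips):
    """ARP requests whose target is one of my_ips: the only ones this host
    would answer with an ARP Reply. Returns [(target_ip, asking_ip), ...]."""
    hits = []
    for line in lines:
        parsed = parse_capture_line(line)
        if parsed and parsed[0] == "request" and parsed[1] in my_ips:
            hits.append((parsed[1], parsed[2]))
    return hits


def requests_by_sender(lines):
    """How many ARP requests each address broadcast; useful to see who is
    responsible for the bulk of the ARP noise on a segment."""
    counts = Counter()
    for line in lines:
        parsed = parse_capture_line(line)
        if parsed and parsed[0] == "request":
            counts[parsed[2]] += 1
    return dict(counts)


def parse_proc_net_arp(text):
    """Parse /proc/net/arp-style text into {ip: {mac, flags, device, complete}}."""
    entries = {}
    for line in text.strip().splitlines()[1:]:  # skip the header line
        ip, _hwtype, flags, mac, _mask, device = line.split()
        flag_bits = int(flags, 16)
        entries[ip] = {
            "mac": mac.lower(),
            "flags": flag_bits,
            "device": device,
            "complete": bool(flag_bits & 0x2),  # ATF_COM bit
        }
    return entries


if __name__ == "__main__":
    print("requests my .242 box would answer:",
          requests_for_me(CAPTURE_LINES, {"196.25.100.242"}))
    print("requests per sender:", requests_by_sender(CAPTURE_LINES))
    for ip, entry in parse_proc_net_arp(PROC_NET_ARP).items():
        state = "complete" if entry["complete"] else "incomplete"
        print(ip, entry["mac"], entry["device"], state)
```

With the sample data, a host owning 196.25.100.242 would answer two requests (one from .21, one from .1), while a host owning only 196.25.100.21 answers none, which is the point of the reply: the line in the question is .21 asking about .242, not anyone asking about .21. Swap in real text read from `/proc/net/arp` to use the table parser on a live system.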