strange MACs in tcpdump output

Motonori Shindo mshindo at mshindo.net
Fri Jul 16 16:43:32 PDT 2004


Alexander,

Most implementations fill the target hardware address (which I will refer
to as 'THA' hereafter) with zero in an ARP Request, so tcpdump omits to
print it out in that case. If the THA is not filled with zero, tcpdump
prints it out with braces as you just saw.

I don't know which OS and version you are seeing this with, but it
may be FreeBSD 5.0. If my memory serves me right, FreeBSD 5.0 didn't
explicitly fill the THA with zero, so what will be seen in the THA field
depends on what was in memory at that time.

In theory, the THA doesn't matter in an ARP Request, but there are some
implementations that do care about it (i.e. they don't respond to an ARP
Request if the THA is not all-zero). FreeBSD 5.1 fixed this problem and
now fills the THA with all-zero in ARP Requests.

Regards,

From: "Alexander Vasenin aka BlackSir" <blacksir at number.ru>
Subject: strange MACs in tcpdump output
Date: Fri, 16 Jul 2004 21:11:56 +0400

> What are the strange MACs in braces in the following output, and why do they exist on some lines but not on others? I've checked tcpdump(8) and arp(4) and found nothing about this...
> 
> [root@*] tcpdump -envvvi fxp2 arp and not ether host 0:60:b0:3c:92:86
> tcpdump: listening on fxp2
> 19:53:38.727058 0:5:5d:25:ce:3e ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.254.1 (fe:1:0:0:cc:88) tell 192.168.254.253
>                   ^^^source         ^^^target                                             ^^^???
> Real MAC of 192.168.254.1 is 0:60:b0:3c:92:86
> 
> 19:54:01.544218 0:20:ed:85:6a:5c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.198.1 tell 192.168.198.25
> 
> 19:54:02.181343 0:d0:b7:a9:a4:3a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.198.1 tell 192.168.198.11
> 
> 19:54:18.503453 0:c0:49:cc:c1:2 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.208.65 (0:60:b0:3c:92:86) tell 192.168.208.75
> Real MAC of 192.168.208.65 is 0:60:b0:3c:92:86
> 
> 20:10:25.121986 0:5:5d:ed:6d:68 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.254.1 (5d:ed:6d:68:c0:a8) tell 192.168.254.252
>                                                                                        ^^^???
> What is it? The MAC in braces is like the src MAC 'shifted' by 16 bits???
> 
> Alexander Vasenin aka BlackSir
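
The check discussed in this thread, as an added example that is not part of the original messages or of tcpdump: it parses an Ethernet/IPv4 ARP request, prints the THA in parentheses only when it is non-zero, and flags a THA that is a byte run from the packet's own sender fields. The function names are hypothetical, the packets are rebuilt from the capture lines quoted above, and the all-zero THA in the first sample is an assumption based on tcpdump having omitted it.

```python
import socket
import struct

def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))

def mac_text(raw):
    # The tcpdump output on this page prints octets without zero padding (0:5:5d:...)
    return ":".join(f"{octet:x}" for octet in raw)

def build_request(sha, spa, tha, tpa):
    # Constructed input: Ethernet/IPv4 ARP request payload in RFC 826 layout
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                       mac_bytes(sha), socket.inet_aton(spa),
                       mac_bytes(tha), socket.inet_aton(tpa))

def inspect_request(payload):
    """Return (tcpdump-style text, tha_nonzero, tha_echoes_sender)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 1):
        raise ValueError("not an Ethernet/IPv4 ARP request")
    nonzero = tha != bytes(6)
    # A THA that repeats bytes of this packet's SHA+SPA is consistent with
    # leftover memory contents rather than a deliberately chosen address
    echoes = nonzero and tha in (sha + spa)
    shown = f" ({mac_text(tha)})" if nonzero else ""
    text = (f"arp who-has {socket.inet_ntoa(tpa)}{shown} "
            f"tell {socket.inet_ntoa(spa)}")
    return text, nonzero, echoes

# Field values taken from the capture lines quoted on this page
SAMPLES = [
    build_request("0:20:ed:85:6a:5c", "192.168.198.25",
                  "0:0:0:0:0:0", "192.168.198.1"),
    build_request("0:5:5d:ed:6d:68", "192.168.254.252",
                  "5d:ed:6d:68:c0:a8", "192.168.254.1"),
    build_request("0:5:5d:25:ce:3e", "192.168.254.253",
                  "fe:1:0:0:cc:88", "192.168.254.1"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(sample))
```

For the 20:10:25 capture line the third value is True: the THA bytes are the last four octets of the sender MAC followed by c0:a8, the first two octets of the sender IP 192.168.254.252.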


More information about the freebsd-net mailing list