Hi,
we are facing strange behaviour on our small network with a system
sending out ARP requests now and then asking to resolve the IP address
0.0.0.0.
According to the first three bytes of the MAC address (00-14-51) it is
an Apple machine.
Does anyone have an explanation for this behaviour?
Thanks a lot,
Chris
chrismc911@hotmail.com (07-01-19 12:27:39):
> we are facing strange behaviour on our small network with a system
> sending out ARP requests now and then asking to resolve the IP address
> 0.0.0.0.
>
> According to the first three bytes of the MAC address (00-14-51) it is
> an Apple machine.
> Does anyone have an explanation for this behaviour?
Yes. The address "0.0.0.0" is the "any" address. That means, "any"
host should answer that request. The MAC address you're seeing is some
random MAC address from your network (most likely).
Regards,
E.S.
Hi,
thanks a lot for your answer.
> Yes. The address "0.0.0.0" is the "any" address. That means, "any"
> host should answer that request. The MAC address you're seeing is some
> random MAC address from your network (most likely).
I am sorry but I got something wrong in my post. Had a look at the logs
again and the ARP requests comes from 0.0.0.0 and a valid destinatin IP
which I think is the IP of the host sending the request out.
I think this packet is sent when the host comes up. Something like
Windows sending out an unsolicited ARP reply to its own IP address to
check if another host has the IP address assigned.
Regards,
Chris
chrismc911@hotmail.com (07-01-20 07:55:51):
> > Yes. The address "0.0.0.0" is the "any" address. That means, "any"
> > host should answer that request. The MAC address you're seeing is
> > some random MAC address from your network (most likely).
>
> I am sorry but I got something wrong in my post. Had a look at the
> logs again and the ARP requests comes from 0.0.0.0 and a valid
> destinatin IP which I think is the IP of the host sending the request
> out.
>
> I think this packet is sent when the host comes up. Something like
> Windows sending out an unsolicited ARP reply to its own IP address to
> check if another host has the IP address assigned.
In that case, the packet is probably not a request, but rather a reply,
and the _destination_ IP address is 0.0.0.0. That would make sense, and
it would mean that the particular machine is just distributing its MAC
address into the network.
Regards,
E.S.
Hi,
> In that case, the packet is probably not a request, but rather a reply,
> and the _destination_ IP address is 0.0.0.0. That would make sense, and
> it would mean that the particular machine is just distributing its MAC
> address into the network.
the packet looks as follows:
Ethernet:
source mac 00-14-51-...
dest mac ff-ff-ff-ff-ff-ff
type 0x806
Arp:
type: request
source ip 0.0.0.0
dest ip 192.168.182.22
source mac 00-14-51-...
dest mac 00-00-00-00-00-00
So it is a valid arp request. The MAC address 00-14-51 fits on the ip
address 192.168.182.22 so it seemes to be an ip-mac-mapping
announcement from 192.168.182.22, but in an odd way.
Regards,
Chris
Can anyone confirm my thoughts that this is just a MAC announcement,
regardless of the strange source IP address?
Regards,
Chris
On Jan 21, 1:40 pm, chrismc...@hotmail.com wrote:
> Hi,
>
> > In that case, the packet is probably not a request, but rather a reply,
> > and the _destination_ IP address is 0.0.0.0. That would make sense, and
> > it would mean that the particular machine is just distributing its MAC
> > address into the network.the packet looks as follows:
>
> Ethernet:
> source mac 00-14-51-...
> dest mac ff-ff-ff-ff-ff-ff
> type 0x806
>
> Arp:
> type: request
> source ip 0.0.0.0
> dest ip 192.168.182.22
> source mac 00-14-51-...
> dest mac 00-00-00-00-00-00
>
> So it is a valid arp request. The MAC address 00-14-51 fits on the ip
> address 192.168.182.22 so it seemes to be an ip-mac-mapping
> announcement from 192.168.182.22, but in an odd way.
>
> Regards,
> Chris
chrismc911@hotmail.com wrote:
> Can anyone confirm my thoughts that this is just a MAC announcement,
> regardless of the strange source IP address?
>
> Regards,
> Chris
>
> On Jan 21, 1:40 pm, chrismc...@hotmail.com wrote:
>> Hi,
>>
>>> In that case, the packet is probably not a request, but rather a reply,
>>> and the _destination_ IP address is 0.0.0.0. That would make sense, and
>>> it would mean that the particular machine is just distributing its MAC
>>> address into the network.the packet looks as follows:
>> Ethernet:
>> source mac 00-14-51-...
>> dest mac ff-ff-ff-ff-ff-ff
>> type 0x806
>>
>> Arp:
>> type: request
>> source ip 0.0.0.0
>> dest ip 192.168.182.22
>> source mac 00-14-51-...
>> dest mac 00-00-00-00-00-00
>>
>> So it is a valid arp request. The MAC address 00-14-51 fits on the ip
>> address 192.168.182.22 so it seemes to be an ip-mac-mapping
>> announcement from 192.168.182.22, but in an odd way.
>>
>> Regards,
>> Chris
>
The traffic fits with the traffic profile of Address Conflict Detection
identified in:
http://tools.ietf.org/html/draft-cheshire-ipv4-acd-04
Interesting is that the author of the draft is from Apple and your
seeing an Apple host doing this, I guess they liked it enough to
implement it.
dMn
Hi dMn,
> The traffic fits with the traffic profile of Address Conflict Detection
> identified in:
> http://tools.ietf.org/html/draft-cheshire-ipv4-acd-04
thanks a lot for your answer! This is definetly it. The draft is quite
young (2005) and has actually expired in 2006. Apple really must have
liked it very much to implement it so quickly.
Regards,
Chris
chrismc911@hotmail.com wrote:
> Hi dMn,
>
>> The traffic fits with the traffic profile of Address Conflict Detection
>> identified in:
>> http://tools.ietf.org/html/draft-cheshire-ipv4-acd-04
>
> thanks a lot for your answer! This is definetly it. The draft is quite
> young (2005) and has actually expired in 2006. Apple really must have
> liked it very much to implement it so quickly.
>
> Regards,
> Chris
>
There are much older drafts than -04 that go back several years. And of
course Apple implemented it; they are the ones who wrote the draft.
Anyway, it was eventually released as an RFC called "Detecting Network
Attachment in IPv4 (DNAv4)".
http://www.ietf.org/rfc/rfc4436.txt
-- Lassi