I've made a capture of an FTP session between my computer and a server. The result of a single packet is as follows:
My questions:
P.S.: I don't have information about the LAN, routers, switches, etc. The capture file is all the information I have. asked 08 May '12, 18:11 islon
One Answer:
1.) Yes, there is a router between the machines. Signs: different subnet and the MAC address of an Enterasys Networks component (00:01:F4 - most certainly the router). Another option would be Proxy ARP (please google that), but even then, there is 'something' between src and dst.
2.) 00:80:5f is HP, which is probably your client PC: 10.0.0.20. 00:01:F4 is Enterasys Networks, which is the next hop router for 10.0.0.20 (see routing table on the client). You won't see the switch MAC address until you talk to one of its IP addresses (e.g. mgmt interface).
3.) All IP addresses are just virtual data, made of bits and bytes, so both are "unreal" ;-) Honestly: what do you mean by "real" IP address? If you want to detect if there is IP spoofing in place, then that's hard to detect (often impossible) in a capture file and certainly impossible with just a few bytes of one IP packet.
Regards answered 08 May '12, 21:56 Kurt Knochner ♦ edited 08 May '12, 23:45
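The two checks the answer applies by eye (are the endpoints on different IP networks, and whose OUI is on the destination MAC) can be scripted. The following is an added example, not code from the thread: it parses a constructed Ethernet/IPv4 frame with the same addresses and OUIs as the question and flags the frame as routed. The low three octets of each MAC and the /24 mask are assumptions.

```python
import struct
import ipaddress

# Constructed sample frame: IPv4/TCP from 10.0.0.20 (HP NIC, OUI 00:80:5F) to
# 164.0.0.130, handed to a next hop whose MAC carries the Enterasys OUI 00:01:F4.
# Only the OUIs and IPs come from the thread; the remaining MAC octets are made up.
SAMPLE_FRAME = (
    bytes.fromhex("0001f4aabbcc")               # destination MAC (next hop)
    + bytes.fromhex("00805f112233")             # source MAC (client)
    + b"\x08\x00"                               # EtherType: IPv4
    + bytes.fromhex("45000028000040004006")     # ver/IHL, TOS, total len, id, flags, TTL, proto=TCP
    + b"\x00\x00"                               # IP header checksum (left zero in this sample)
    + bytes([10, 0, 0, 20])                     # source IP
    + bytes([164, 0, 0, 130])                   # destination IP
    + struct.pack("!HH", 50000, 21)             # TCP ports: ephemeral -> ftp (21); rest of TCP omitted
)

# Vendor prefixes named in the answer (first three octets of the MAC, lower case).
OUI_VENDORS = {"00:01:f4": "Enterasys Networks", "00:80:5f": "Hewlett-Packard"}


def parse_frame(frame):
    """Return (dst_mac, src_mac, src_ip, dst_ip) as strings for an Ethernet II / IPv4 frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]                                   # IPv4 header starts after 14-byte Ethernet header
    src_ip = ipaddress.IPv4Address(ip[12:16])         # bytes 12-15: source address
    dst_ip = ipaddress.IPv4Address(ip[16:20])         # bytes 16-19: destination address
    fmt = lambda m: ":".join(f"{b:02x}" for b in m)
    return fmt(dst_mac), fmt(src_mac), str(src_ip), str(dst_ip)


def vendor(mac):
    """Look up the OUI (first 8 characters of 'xx:xx:xx:...') in the small table above."""
    return OUI_VENDORS.get(mac[:8], "unknown")


def is_routed(src_ip, dst_ip, prefix_len=24):
    """True if the endpoints sit in different networks under the assumed mask, meaning the
    frame's destination MAC belongs to a next hop (router) rather than the destination host."""
    net = lambda a: ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
    return net(src_ip) != net(dst_ip)


def analyse(frame):
    """Summarise who the frame was physically sent to and whether it crossed a router."""
    dst_mac, src_mac, src_ip, dst_ip = parse_frame(frame)
    return {"next_hop_vendor": vendor(dst_mac), "client_vendor": vendor(src_mac),
            "routed": is_routed(src_ip, dst_ip)}
```

For a real capture, feed each frame's raw bytes (e.g. from a pcap reader) to analyse(); a routed=True result with a router vendor on the destination MAC is exactly the pattern the answer describes.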
Thanks for the answer Kurt. About "real" IP addresses, what I was trying to say is: as there's a router between both computers, one of the IP addresses is from the router, so maybe the 164... is the server's IP and 10... is my router's IP, or the other way around?
You won't see the router IP address, as routing is just layer-2 forwarding of the original IP packet to the MAC of the next hop, hence the Enterasys MAC. 164.0.0.130 is your FTP server, whereas 10.0.0.20 is your client.
That's exactly what I wanted to know =)
good :-) ...