This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have two computers connected to a 5port switch in my room. Both computers have the same IP and MAC. Now I also connected the switch to the internet.

                               _____
                ________      |     | MAC: AA:CC
               |        |-----| PC1 | IP:  94.94.94.94
               |        |     |_____|
INTERNET ------| SWITCH |      
               |        |      _____
               |        |     |     | MAC: AA:CC
               |________|-----| PC2 | IP:  94.94.94.94
                              |_____|

Info:

  • MACs are cloned
  • Internet works on both computers

Question:

If PC1 and PC2 send simultaneously a request for www.google.com/index.html, how does the switch know to which port to forward the answer?

---------------------------------------------- Further information ----------------------------------------------

  • If I have Wireshark open on both computers, each instance of Wireshark will sniff totally different packets. Only the broadcast packets are perceived from both instances.

  • On the hub/switch(probably a switch), the blinking occurs only in pairs: PC1-Internet, PC2-Internet. So the switch somehow accurately forwardS the frames to the correct host although both hosts have the same MAC.

asked 03 Feb '14, 13:35

Pitihkos's gravatar image

Pitihkos
1112
accept rate: 0%

edited 04 Feb '14, 04:50


Not sure what the goal is in this configuration but I'll give it a try anyways:

I think you are missing a router in the picture here. The router keeps an ARP table and map IP addresses to MAC addresses. If the router needs to send a packet to an IP address that is in its own subnet it will consult the ARP cache and use the MAC address associated with the IP address and put the frame on the ethernet. The switch simply forwards the ethernet frames to all connected devices and its up to the device's NIC to identify and copy frames that match its own MAC address and pass the packet up to the IP layer. This would mean, that both PCs will receive those packets but only one will expect them. The other one will get confused and - if the transport is TCP - will send out RST packets because there is no local socket matching the IP/TCP quadruple. This will break the session at the remote side and no one will be able to communicateusing TCP.

permanent link

answered 03 Feb '14, 22:00

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

Well my router died so I was trying to experiment with an old hub/switch I have. The router is on the side of the ISP so that's why it's not in the picture.

I added some further info in the question that shows that the packets are actually forwarded to one host at a time.

(04 Feb '14, 04:52) Pitihkos

how does the switch know to which port to forward the answer?

The switch learns the MAC addresses of the attached nodes, by looking at the source MAC address. In your case it will learn that the same MAC address is attached to port 1 (PC1) and port 2 (PC2). Usually the same MAC address can only be 'attached' to one switch port. Now, it depends on the switch firmware and the configuration what happens if it sees the same MAC address on two different ports at the 'same' time. Some switches will block one of the ports (due to Loop detection - not Spanning Tree), others will just forward the frames to all 'attached' ports and other switches might even flood those frames to all switch ports.

As you say, that you can access the internet through the switch at the same time, I guess that your switch accepts the situation and simply forwards the frames to both ports. Or your switch is actually a HUB, meaning it forwards the frames to all ports anyway.

Now, there is also IP and TCP. If you send a SYN frame from PC1 to the internet, the SYN-ACK will come back and the switch forwards that frame to both attached systems. That would (most certainly) result in a RESET from PC2, as it never sent the SYN. That RESET 'could' cause trouble and/or confusion on the system that sent the SYN-ACK. However, as you said, you can communicate from both systems (PC1 and PC2) at the same time, I guess that the firewall on the internal systems (in my example PC2) blocks the SYN-ACK (no information about the SYN in the state table of the firewall) and thus prevents the RESET. So, PC2 gets all answer packets for PC1, but the local firewall simply blocks them. The same applies vice versa.

That together (switch behavior and local firewall) probably makes your setup work (as far as I can say, based on your description), although you have the same MAC address and the same IP address.

Regards
Kurt

permanent link

answered 04 Feb '14, 02:47

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 04 Feb '14, 02:48

There is a second problem though that I forgot to mention. Having Wireshark open on both computers doesn't sniff the same packets. Also on the hub/switch, the blinking occurs only in pairs: PC1-Internet, PC2-Internet. So the switch somehow accurately splits the links and actually forward the frames to the correct host although both hosts have the same MAC.

(04 Feb '14, 04:47) Pitihkos

Having Wireshark open on both computers doesn't sniff the same packets.

if the firewall drops the frames, you won't see them in Wireshark. Can you please do the following.

  • Take a capture file while you do the same on both systems (ping www.google.com and download some smaller files via HTTP).
  • Then disable the local firewall on both systems and repeat the test above, while you still capture on both systems.
  • Upload the capture files somewhere (google drive, dropbox, cloudshark.org) and post the link here.

I'm pretty sure, that something or all I mentioned in my answer actually happens on the net ;-)

Regards
Kurt

(04 Feb '14, 06:10) Kurt Knochner ♦

So the switch somehow accurately forwardS the frames to the correct host although both hosts have the same MAC.

Are you sure that's really the case?

(04 Feb '14, 06:47) Kurt Knochner ♦

Ok, I think I figured out what happens. When I make a GET request from PC1, then all incoming traffic(including response) will be directed to PC1. When I make a new GET request from PC2, then all traffic gets directed to PC2. That explains also how the internet works fine.

Unfortunately I can't do that as there is a lot of random traffic in the sniffs. Also, there are no firewalls that I am aware of. I run Ubuntu on both.

(04 Feb '14, 10:57) Pitihkos

Well, if you talk to the Internet first from PC1 and a few seconds later from PC2, the switch has obviously enough time to update its mac/port association, by learning from the source MAC address of the SYN frame.

(04 Feb '14, 11:28) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×40
×33
×32

question asked: 03 Feb '14, 13:35

question was seen: 2,256 times

last updated: 04 Feb '14, 13:22

p​o​w​e​r​e​d by O​S​Q​A