This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trying to understand what a specific ARP request is for

0

Hi

sorry if this is the wrong place to ask this, but we just did a wireshark capture on my macbook (10.10.5) and seeing these ARP requests that I am trying to figure out where they are coming from.

Source: Congatec_19:aa:12 Destination: Broadcast the reply is: Source: Apple_d2:5b:b2 Destination: congatec_19:aa_12

how do I figure out what this is about? I did not find anything by googling that name

thanks

'mark

asked 17 Sep '15, 10:20

M_ahlenius's gravatar image

M_ahlenius
6112
accept rate: 0%

please upload a capture file somewhere and post the link here. It's impossible to do any analysis based on your description!

(17 Sep '15, 12:39) Kurt Knochner ♦

One Answer:

0

The ARP request is coming from the device whose Ethernet MAC address is 00:13:95:19:aa:12, and the ARP reply is coming from the device whose Ethernet MAC address is one of a number of OUI's that all map to Apple:d2:5b:b2. See IEEE's OUI lookup table for how Wireshark converts the OUI to a name, or use Wireshark's own OUI online lookup tool.

Anyway, the device with MAC address 00:13:95:19:aa:12 is trying to find out which device has a specific IP address so that it can send it some data, and the device with MAC address Apple:d2:5b:b2 has indicated that it is the device with the IP address that the first device was looking for. Now the first device is able to send its data to the second device.

For more information on ARP, refer to the ARP Wikipedia article or to RFC 826 directly. Refer also to my answer to this similar question.

answered 17 Sep '15, 12:50

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

could be IPv4 Address Conflict Detection instead of ARP request/reply, that's why I asked for the pcap file.

(17 Sep '15, 13:09) Kurt Knochner ♦

Yes, it could be. I went for the most likely scenario.

(17 Sep '15, 13:10) cmaynard ♦♦

At this Question some kind of ARP Types are discussed: https://ask.wireshark.org/questions/45400/ethernet-packet-arp

(17 Sep '15, 17:25) Christian_R