hi guys, I'm looking at a UDP conversation and i do not understand the following. The conversation is between IP 128.x.x.x and 166.x.x.x. In the first packet I see the src ip 128.x.x.x and the src mac (let's say Vmware_00-_00_00) dst ip = 166.x.x.x dst mac (IETF-VRRP-VRID_01). no when I look on the packet sent from 166.x.x.x to 128.x.x.x the source MAC is different than IETF-VRRP-VRID_01 but the destination MAC address is the same used as the source in the first packet. can someone please help me with this ? thank you and best regards Adam asked 25 Sep '15, 02:28  adasko edited 25 Sep '15, 14:40  Guy Harris ♦♦ |
2 Answers:
The unexpected mac could be the physical address of the router. answered 25 Sep '15, 04:37  Christian_R edited 25 Sep '15, 04:39 So when I start the conversation from A - B and I receive the response from B - A the MAC destination address in the packet from B - A is the MAC address of the source (A) device so this cannot be the physical address of the router. second packet you see now what i mean? So the src mac from first frame = dst mac in the second frame , but if there is a router in between, the dst mac in the 2nd packet should be set the routers interface (25 Sep '15, 04:54) adasko 1 So, from my point of view it looks like expected. So the question may be, where has been the capture Point. (25 Sep '15, 05:22) Christian_R But if there is a router between (both look to me, to be not on same sub network). So how can the second packet have the dst mac set to the mac of host A if it's not in hosts B network ? (25 Sep '15, 05:28) adasko 1 Because you are tracing in the subnet of the VMware host. (25 Sep '15, 06:42) Christian_R 1 It starts with a packet MAC(A) to MAC(V), where MAC(V) is actually a virtual router address. It does get forwarded to the server by one of the actual routers in your net. When the response packet comes back from the server this packet then gets forwarded via a router i your net and this router uses it's own MAC(R), not the virtual router MAC(V), as source MAC. (25 Sep '15, 07:01) Jaap ♦ Jaap, i think i know what i was doing wrong. I took the capture at Server A that is initiating the conversation. When looking at the second packet in the conversation I was (for any reasons) looking and the frames from perspective of the Server B, but as I'm capturing on device A I will see the frame addressing from router to Server A. Am I now correct ? (25 Sep '15, 07:28) adasko 1 Yes now you are correct. That is what I have meant with the point of capturing. (25 Sep '15, 07:31) Christian_R showing 5 of 7 show 2 more comments |
From the MAC address you listed it seems that you're talking to a server via a router using Virtual Router Redundancy Protocol. answered 25 Sep '15, 03:03  Jaap ♦ |
That was my assumption as well. BUT what I don't understand, is why in the packet sent back (2nd packet) the dst mac is set to the MAC address of the 128.x.x.x host. I mean if both are behind a router shouldn't the dst mac address in the second packet by the MAC of the router ?