I have a wireshark PCAP file, I want to find the MAC addresses and the private IP (local network IP address) of each of the devices in the network. When I see the ethernet tab under conversations, I can see the corresponding MAC addresses. I also see multiple IP addresses (multiple v4 and multiple v6) in the IP tabs corresponding to the MAC. Is it possible to have more than 1 local IP address per MAC? I understand there can be multiple IP addresses associated with a MAC but I was wondering on how to find those only in the local network.
Is it possible to have more than 1 local IP address per MAC?
Yes and it is more common than you think; however, I think the PCAP may be misleading you a bit.
For unicast IP addresses, multicast has different rules, there are two main reasons you would see two different IP addresses go to/from a certain MAC:
The associated interface has multiple IP addresses. Below is an example of a interface in linux having multiple addresses:
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:43:c6:d5 brd ff:ff:ff:ff:ff:ff
inet 192.168.110.106/24 brd 192.168.110.255 scope global ens160
valid_lft forever preferred_lft forever
inet 192.168.110.102/24 brd 192.168.110.255 scope global secondary ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe43:c6d5/64 scope link
valid_lft forever preferred_lft forever
So both 192.168.110.106 adn 192.168.110.102 map to the MAC address 00:0c:29:43:c6:d5
The associated MAC Address is a router/gateway. In the above example lets assume 192.168.110.1 is the gateway and has a MAC address of 00:0c:29:43:c6:d6. If 192.168.1.10 want to send a packet to 8.8.8.8 (or any IP not in 192.168.110.1) then it will send the packets to MAC address 00:0c:29:43:c6:d6 but have the destination IP address still be 8.8.8.8. So in your PCAP you will see 00:0c:29:43:c6:d6 associated with 8.8.8.8 even though the MAc address technically belongs to 192.168.110.1.
Related
I am using OpenStack Packstack Train. I installed it on my server but I have external servers in my lab that I want to reach from the VMs that are on OpenStack. These VM have already a floating IPs.
I want to know if there is like a virtual switch to link them to the external servers or something like that.
When I run brctl show, I get
bridge name bridge id STP enabled interfaces
When I do an ip a, I see
br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 32:6c:e3:45:a2:41 brd ff:ff:ff:ff:ff:ff
inet 172.24.4.1/24 scope global br-ex valid_lft forever preferred_lft forever
inet6 fe80::306c:e3ff:fe45:a241/64 scope link valid_lft forever preferred_lft forever
but when I do cat /etc/sysconfig/network-scropts/ifcfg-br-ex, I'm getting this message:
cat: ifcfg-br-ex: No such file or directory.
By default, Packstack creates an "external" network that is not external at all. It is isolated on the Packstack server. You can see that from br-ex's IP address 172.24.4.1, and from the floating IPs of your VMs.
Luckily, the RDO project has instructions for connecting your cloud to your network.
It might also be possible to add a provider network to the current cloud, but you would have to reconfigure your bridging and Neutron manually, and judging from the question, this is probably beyond your skills (personally, I would have to experiment even after working with OpenStack for seven years). I suggest you just reinstall.
If your VMs contain important data, you could create snapshots, copy them to a safe place, and use them to launch the VMs on the newly deployed cloud.
By the way, brctl reports nothing because it only works with Linuxbridges, not Openvswitch bridges (and br-ex is the latter). There is no ifcfg file because Packstack doesn't bother persisting br-ex's configuration, which will cause you grief when you reboot the Packstack server.
I tried to install Google Anthos in my bare metal server. But I stuck in finding the ip adress needed to set the yaml configuration. I found an article https://cloud.google.com/blog/topics/developers-practitioners/hands-anthos-bare-metal stating a statement
The CIDR range for my local network is 192.168.86.0/24. Furthermore, I have my Intel NUCs all on the same switch, so they are all on the same L2 network.
What is this CIDR range the writer talking about? How could we check the CIDR range of our local network in terminal? (I am using Linux Ubuntu 18 machine
Posting this answer as a community wiki as the question was addressed in the comments by #John Hanley.
Feel free to edit/expand it.
The CIDR range is determined by your network. If you look at another machine on the same network running Windows, Linux or macOS, it is fairly easy to determine. Run a network utility such as ipconfig, ifconfig, ip, etc. Look for netmask or Subnet Mask. Common values are 255.255.255.0 which is CIDR /24 or 255.255.0.0 which is CIDR /16.
There are tools on the Internet to translate from netmasks to CIDRs. In simple terms a CIDR is the number of most significant consecutive ones in a netmask. If you convert 255 to binary, that is 8 ones. Repeat. 255.255.255.0 has 24 consecutive ones.
Note that a lot of networks are not setup correctly for client machines. It is generally best to speak to someone who controls your network. The router or network switch will have the correct netmask value. Use that value if available. It is also important to know if IP addresses are static or allocated by a DHCP server and the DNS servers.
Example:
ip a (10.211.55.4/24)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
<-- OMITTED -->
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:1c:42:1a:1e:57 brd ff:ff:ff:ff:ff:ff
inet --> 10.211.55.4/24 <-- brd 10.211.55.255 scope global dynamic enp0s5
<-- OMITTED -->
A side note explanation:
By that example of network configuration the CIDR will be 10.211.55.0/24.
Jodies.de: Ipcalc
Adding to that, there is quite extensive documentation about Anthos:
Cloud.google.com: Anthos: Docs
The networking part which the question is connected with can be found here:
Cloud.google.com: Anthos: Clusters: Docs: Bare metal: 1.6: Concepts: Network requirements
Additional resources:
En.wikipedia.org: Wiki: Classless inter domain routing
It has got something to the with the Local network but I am not sure. Can anyone clear this doubt?
Essentially, in the usual IPv4 + Ethernet scenario there are three different kinds of broadcasts:
local IP broadcast to 255.255.255.255 - this broadcast reaches all nodes within the local broadcast domain; it is not forwarded by a router
directed IP subnet broadcast to the subnet address with all hosts bits set to "1", e.g. 192.168.1.255 for the 192.168.1.0/24 subnet - this broadcast reaches all nodes within the (possibly remote) subnet's broadcast domain; even though it is not forwarded by default on most routers, they are often configured to do so
Ethernet broadcast to FF:FF:FF:FF:FF:FF - this broadcast also reaches all nodes on the local broadcast domain and is the method of layer 2 transport used by the former two L3 broadcasts; a local IP broadcast directly translates to an Ethernet broadcast whereby a directed IP subnet broadcast is first routed to the destination network and then wrapped in an Ethernet broadcast by the last router
I have a dnsmasq server which I am using to serve DHCP and cache DNS. It is running on a Raspberry Pi. The range of addresses available in the pool is too small for the number of devices that regularly enter and leave the network, so I am trying to get it to serve addresses from a different subnet, but using the same gateway. but it is only allocating from one range.
There is lots of advice on how to allocate to different subnets based on which NIC is servicing the request or on mac address, but nothing on combining subnets in this way from a single NIC and having them use a single gateway. What is there suggests that the setup below should just work, but it just doesn't.
The man page is no help either.
Situation:
router/gateway: 192.168.1.1
DNS/DHCP: 192.168.1.2
reserved: 192.168.1.3-150
ON DNS Server:
/etc/network/interfaces
auto eth0
auto lo
iface lo inet loopback
iface eth0 inet static
address 192.168.1.2
gateway 192.168.1.1
netmask 255.255.0.0
network 192.168.0.0
broadcast 192.168.1.255
On DNS Server /etc/dnsmasq.conf
#/etc/dnsmasq.conf
domain-needed
bogus-priv
domain=local.net
expand-hosts
local=/local.net/
listen-address=192.168.1.2
bind-interfaces
cache-size=1000
dhcp-authoritative
dhcp-leasefile=/var/lib/dhcp/dhcpd.leases
dhcp-range=eth0,192.168.1.150,192.168.1.250,255.255.0.0,24h
dhcp-range=eth0,192.168.2.10,192.168.2.250,255.255.0.0,24h
dhcp-range=eth0,192.168.3.10,192.168.3.250,255.255.0.0,24h
dhcp-range=eth0,192.168.4.10,192.168.4.250,255.255.0.0,24h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.2
dhcp-option=42,192.168.1.2
server=8.8.8.8
server=8.8.4.4
server=208.67.220.220
The solution above tries to set up 4 vlans:
dhcp-range=eth0,192.168.1.150,192.168.1.250,255.255.0.0,24h
dhcp-range=eth0,192.168.2.10,192.168.2.250,255.255.0.0,24h
dhcp-range=eth0,192.168.3.10,192.168.3.250,255.255.0.0,24h
dhcp-range=eth0,192.168.4.10,192.168.4.250,255.255.0.0,24h
But the answer is simply to increase the range in a single vlan (of course):
dhcp-range=eth0,192.168.1.150,192.168.4.250,255.255.0.0,24h
So I have a situation in which one physical interface (as a result, one MAC) hosts several VLANs in a bond.
Seeing as the link-local address in IPv6 is generated from the MAC address all my VLANs end up with the same link-local address. This causes issues in the system.
Is this a known limitation of IPv6? Is there some accepted workaround beyond going into the kernel code and changing the way link-local addresses are assigned?
Is this a known limitation of IPv6? Is there some accepted workaround beyond going into the kernel code and changing the way link-local addresses are assigned?
No, this is not an issue, since one link-local address is affected to the physical interface and the other link-local addresses are affected to the vlan interfaces. Each link-local address can be distinguished by its associated network interface.
Here is an example:
you have an eth0 physical interface
your switch is configured to have several 802.1Q vlans on this interface:
the native vlan is, for instance, 200
the tagged vlan are 101 and 102
Therefore, you will have the following configuration for your interfaces:
% ifconfig eth0
eth0 Link encap:Ethernet HWaddr C0:3F:D5:33:13:79
adr inet6: fe80::c23f:d5ff:fe33:1379/64 Scope:Lien
% ifconfig vlan101
vlan101 Link encap:Ethernet HWaddr C0:3F:D5:33:13:79
adr inet6: fe80::c23f:d5ff:fe33:1379/64 Scope:Lien
% ifconfig vlan102
vlan102 Link encap:Ethernet HWaddr C0:3F:D5:33:13:79
adr inet6: fe80::c23f:d5ff:fe33:1379/64 Scope:Lien
Note: if you are on Linux, you should use ip address show instead of ifconfig, to use the state-of-the-art iproute2 Linux networking interface.
As you can see, the HWaddr and the link local addresses are the same.
But since a link local address need to be scoped in a vlan, there is no problem for the kernel, nor for your switch and other hosts.
To ping the link-local on vlan101, you do:
ping6 fe80::c23f:d5ff:fe33:1379%vlan101
This way, the address is associated with the interface name and no confusion is possible.