How to determine IPv4 settings on unknown network? - networking

If I connect a device via ethernet onto a switch, and do not receive an IP address via DHCP, how do I determine what the correct settings for that network should be, i.e. how do I choose a static IP address, subnet mask and gateway?
The specifics in my case are that I have an NVR with an 8 port POE switch that has 3 cameras plugged into it. I plugged my Windows 10 PC into the switch, expecting to be issued an IP address from the NVR via DHCP, but my PC was not given an IP. Perhaps the NVR assigns IPs via BOOTP? I want to get onto the network, probably by assigning a static IP that's not already used, then determine the IPs of the cameras so I can stream video from them directly using VLC.
Can I use tcpdump? There should be plenty of traffic from the cameras to the NVR.

how do I choose a static IP address, subnet mask and gateway?
The short answer - this should be done by your network administrator. If you are the network administrator - you should. But seems that you are connecting to the network you know nothing about.. Anyway here are some points that perhaps can help you.
There is a special thing called ARP Duplicate Address Detection (DAD). In Linux you can check if the particular IP is occupied in your broadcast segment with help of arping utility. From MAN page:
-D
Duplicate address detection mode (DAD). See RFC2131, 4.4.1.
Returns 0, if DAD succeeded i.e. no replies are received.
So if IP address is occupied you will see something like:
-bash-4.4# arping -D 10.0.99.99 -I eth0
ARPING 10.0.99.99 from 0.0.0.0 eth0
Unicast reply from 10.0.99.99 [DE:AD:BE:EF:00:8D] 1.274ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
If this IP address is vacant, you'll see no responses. Read about ARP ping in Windows.
Also you can inspect the network through the tcpdump (to see some IP addressing info at least in broadcast packets), nmap and some other scanning utilities, but this topic is too broad (and at the same time it's well disclosed on the Internet). Btw you have to consider network architecture difficulties: vlan and so on.

Related

network sniffer - detect subnet mask in non-DHCP network

I'm writting a simple network sniffer that should be able to reconstruct network structure.
When an interface has set up a DHCP, I can easily read interface settings such as client IP address, subnet mask, DNS server etc. by catching a DHCP packet and analysing it.
When an interface has a static IP, I'm catching ARP Announcement packet to get static IP address and then ARP request from the gateway, to get geteway IP address. I'm also saving MAC addresses.
My problem is: how to get subnet mask from one or more static IPs in the network and the gateway address. Or by caching some packets. I didn't see packets that could have such informations.
I also need DNS address, but it's less important.
The program should work in OpenWRT (C++).
My problem is: how to get subnet mask from one or more static IPs in the network and the gateway address.
Possibly, you can't.
If the sniffed network uses DHCP then you can monitor the DHCP requests (which should be broadcast) for their subnet mask and router fields which mirror the server's offer.
Without DHCP, all you can do is take an educated guess. If your passive sniffer registers broadcasts from addresses 192.168.1.1 through 192.168.1.29, you know that the prefix length is at most /27. It could also be anything shorter, down to /16, with potential addresses being (currently) absent or silent. The prefix could be even short than /16 if the network admin is ignoring RFC 1918. With public addresses you're mostly on your own.
If you can scan actively you could send ARP requests and see which ones get answered - you'd also see nodes that don't originate any traffic/broadcasts.
The gateway is also just a guess. In a network with mostly Internet-bound traffic, the default gateway is most likely the one being ARPed most often. If the network traffic is mostly server-centric, ARP requests for their addresses outnumber the ones for any gateway.
Your sniffer is severely limited when it is just attached to a switch and listening to broadcast packets only. If the sniffer manages to listen to all traffic on the network (via a monitoring/mirroring switch port) then you can easily identify the gateway by its MAC address that packets for arbitrary IP addresses is sent to and vice versa.
As above, if you can actively send probe packets you could test the gateway(s) with packets that they accept (and hopefully forward) and which ones they reject.

Why my routing tables stores a mac address?

I am a student learning computer network.
Here's how my network look like:
Router(NAT)
/ \
My PC My iPad
I have looked up my computer's routing table, and it shows the following:
$ netstat -r
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 172.22.128.1 UGScg en0
127.0.0.1 127.0.0.1 UH lo0
172.22.128.1 0:74:9c:96:72:55 UHLWIir en0 1200
172.22.161.13 ba:2e:b1:6f:69:39 UHLWI en0 740
I confirmed that the ip 172.22.161.13's gateway ba:2e:b1:6f:69:39 is the MAC address of my iPad.
I have a few doubts:
Shouldn't the routing table records ip address of next hop? how can it store a MAC address?
If the command netstat -r also lookups the arp table, how should it send packets to my iPad without going through the router?
The issue here is understanding the functionality of layer 2 and layer 3 in a network.
There is a difference between forwarding packets to the device located on the same subnet and on the device located on the different subnet.
I don't think there is a better definition of subnet, than devices that can communicate via a layer 2 protocol with each other. Routers are used to forward packets between devices in different subnets, that is, two devices in the same subnet do not communicate over the router, at least not over the "router" part of the router.
Devices that are located in the same subnet should be assigned the same IP prefix (i.e., the bits covered by network mask are the same). "Should" means that if it is not the case, then your network is configured wrong and may not work properly. This way your PC and your IPad can determine that they are on the same subnet and do not need to go over their default gateway.
Since your PC and your IPad are on the same subnet, they will talk to each other using layer 2. I am not sure from your configuration how many interfaces are actually wireless. If both interfaces are wireless, they may actually be capable of talking directly (i am not sure if wifi protocol in AP mode allows it, i think it does). If your PC is connected over Ethernet, then your Router also acts as a switch/bridge (which is layer 2 device) and forwards packets according to ethernet specification. You can learn about it by googling MAC learning.
This should answer the second question, now to the first one.
Actually, I wonder why the table is storing IP addresses. IP address of the next hop is not used in forwarding. First, note, that communication between devices which are two hops from layer 3 (i.e., routers) standpoint happens using layer 2. When a device makes routing decision, in takes the destination address from the IP header and looks up next hop, where what the device needs is a) outgoing interface b) how to reach next hop using layer 2 protocol of the interface. Then the device constructs an appropriate layer 2 header and sends the packet to the next hop device, which more or less does the same. So, actually your PC needs mac address of your router's interface to which it is connected to send the packet somewhere outside of the subnet.

How does a computer know other computer's IP address on a local network?

I'm currently learning about ARP and L2/L3 networking - would someone be able to help out? If I use an ethernet cable to connect my laptop (A) to another laptop (B), it could use ARP to find out B's MAC address based on B's IP address. Then, any ethernet frames could be sent and accepted by B.
But how does A know B's IP address in the first place? What if there is a switch (L2 device) in between A and B? Does this change the answer? What if there was a router in between (an L3 device)?
Usually, a switch/Router will assign an IP.
The question is unclear -
find out B's MAC address based on B's IP address.
B's MAC address is not based on B's IP.
A MAC is associated to the hardware (but somewhat assignable/cloneable) where as an IP is assigned. Either by DHCP or statically by an admin.
Effectively, you need a switch/router to make what you're defining work.
EDIT:
you can connect two computers direct, but you still need to give each a static IP address so they can find each other - this would likely not be ona network so the IP sub-network doesn't matter.
It still has very little to do with MAC.
If two PC's hand-shake, they'll see each others MAC.
It sends out a broadcast packet to the broadcast MAC address asking "who has the IP address x.x.x.x" which goes to all computers on that broadcast domain. If a computer sees that packet that owns the IP address "x.x.x.x" it will send a unicast reply back to the MAC address of the original requestor with its MAC address which will then be cached for further communication.
It doesn't know the IP unless you tell it. You say "the default gateway is 192.168.1.1" and it will start trying to talk to 192.168.1.1 etc.
If there is a router in between, all traffic to the remote device would go to the MAC of the router and your computer wouldn't be doing any ARP lookups other than that router.
Switches wouldn't matter for this, all they do is make the broadcast domain bigger. With a cable the broadcast domain is just you and the remote device. With a switch, it expands that to all devices connected to the same switch (or VLAN in the switch)
But how does A know B's IP address in the first place?
It doesn't know. At least there's no general method to find out.
The IP address of any resource needs to be supplied by "something else". You need to either provide the address yourself, resolve it from a (also provided) DNS name, read it from a file, ... Alternatively, you need to provide some kind of auto discovery between the nodes (broadcast, multicast, LLDP, ...) or provide a commonly known discovery service, registration server or similar.
What if there is a switch (L2 device) in between A and B?
That changes nothing but excludes link-level discovery (unless it's a "dumb" switch that simply forwards those frames).
What if there was a router in between (an L3 device)?
That eliminates broadcast and multicast from the picture. (Multicast could be routed but that is unlikely for discovery and I won't dive into that.)

How are MAC addresses used in routing packets?

I recently found that packets are encapsulated within ethernet frames. Packets use IP addresses, frames use MAC addresses.
Why aren't IP addresses used in ethernet frames for routing? I understand that when trying to access a basic website, the computer goes to a DNS to find the IP address relevant to the user-entered domain name. How do computers find the correct MAC address?
Really, how are MAC addresses used in routing internet traffic?
Thanks
IP packets aren't always encapsulated in Ethernet frames. There are other physical media such as ISDN, etc. When packets are routed, IP addresses are used to determine the next hop and the physical address is used to physically identify the interface serving as the next hop. Only the former (determining next-hop) is usually called routing.
To answer your second part, MAC addresses are discovered through ARP (Address Resolution Protocol) in IPv4 & ND6 (Neighbor Discovery) in IPv6.
Update:
The destination IP address in the IP header is the final destination. In the process of routing (at each hop), you get the next hop's IP address to (eventually) reach the final destination from the routing table (this could be a default gateway's IP address). To send the packet to the next hop, you need its MAC address. While hopping through intermediate links, the IP address in the IP header don't change - only the MAC addresses change.
Bit late but still here is my answer :) ...
To send data you need two address, the MAC address and the IP address.
Basically the sending host will ARP for a MAC address, this occurs when the local host doesn't know the MAC address of the host it has an IP address for or it will ARP for the default gateway MAC address (if it doesn't already know it) if the IP address in on a different subnet/ network. Once it obtains a MAC address the IP packet is encapsulated in a L2 frame and sent across the media. If the IP packet is meant for a host on a different subnet/ network, it will be sent to the default gateway, this router will de-encapsulate the L2 frame (remove and discard it) check the IP address and will forward it. For the router to do this it needs a MAC address to send it over the media, It will look up the next hop in it's routing table, encapsulate the IP packet with the same source and destination IP address that was sent from the original host into a new L2 frame. This time the MAC address for the source address will be that of the forwarding interface of the router, and the receiving interface of the next hop will be the destination MAC address. This will continue from hop to hop until it reaches the final host, each time the MAC addresses will change, but the original IP address will remain the same.
Here's the key point -- there can be more types of packets than INTERNET traffic. You could be using IPX, which is non-routable. How do clients identify each other? By the MAC address.
Routing != Addressing, which is really where the MAC comes into play.
In order to be routed, the OSI model adds a layer to allow for path discovery to the next gateway. This layer is responsible for routing, but knows nothing about the MAC address.
As a side note, at the hardware level, MAC addresses ARE used by switches, but not for routing. From How Stuff Works:
The switch gets the first packet of data from Node A. It reads the MAC
address and saves it to the lookup table for Segment A. The switch now
knows where to find Node A anytime a packet is addressed to it. This
process is called learning.
In this way, a switch can make sure that traffic is only outputted to the correct port. This isn't accomplishing routing so much as reducing network congestion. Only broadcasts and traffic destined specifically for that MAC address should be sent out the port.
Recently I have been thinking about the same and came upon this question. Here is my answer to this question. Actually MAC address is needed for correctly sending the packet to right destination. This is specially true when packet is needed to sent over a VLAN. There can be multiple switches/routes connected on that VLAN over multiple physical interfaces. However IP Routing is unaware of these physical interface. It only knows about the logical connectivity. For example, route 10.10.10.0/24 is reachable via VE/VIF0.10(logical VLAN interface) and/or nexthop neighbor is 20.20.20.1. There could be multiple interfaces under VLAN 10. Then to which interface packet is sent out? This is where ARP comes in the picture. ARP helps to discover the MAC address associated with the next-hop IP address. When switch/router learns the nexthop MAC. along with that it learns the physical interface also via which that MAC is reachable. Hence while routing packet, firstly MAC corresponding to the destination IP is searched and then the physical interface associated with that MAC is searched. Finally packet is sent out via that physical interface. The MAC corresponding to that destination IP is used as destination MAC. In absence of this, routed packets will always be flooded in the outgoing VLAN.
Hope this helps.
Thanks.
Answer: MAC addresses are not used in the process of routing of a packet.
segment -> transport layer (TCP ports)
packets -> network layer (IP addresses)
frame -> data link layer (MAC addresses)
bits -> physical layer (electric/optical signals)
Create your own packet/segment visit http://wirefloss.com/wireit/
There are 2 models (TCP/IP and ISO/OSI)
In detail:
Your app has some data. This is encapsulated by mentioned layers. Encapsulation means that a header with fields is added at each layer. If your data never leave the local network the MAC address will be the same. Once your data needs to be delivered outside your network the frame header is stripped by router and is replaced by router fields.
UPDATE 2021: Some people seems never heard of ISO OSI model and put this answer as incorrect.

How to enable forwarding for a multicast IP on the private network

I'm trying to get Age of Empires II (AoE2) to work on my LAN. AoE2 is notorious for it's connectivity problems on modern systems, probably because it used a now deprecated network framework called DirectPlay (in DX9) and the code probably wasn't robust back in the day either.
When I host a LAN game on a computer (win7) for AoE2, Wireshark shows my computer sending a couple packets via SSDP protocol to the multicast address 239.255.255.250. This actually goes to my router (for forwarding I assume) and my router returns a packet using ICMP protocol that says "Destination unreachable (Port unreachable)". Because nothing is forwarded to the other computers on the network, they can't see the game that the host has created.
I think I need to get the application/windows7 to send the packet as something like a broadcast, or I need to get the router to broadcast packets going to that multicast address. Does anyone have thoughts or suggestions on how to do this?
My router/gateway is running DD-WRT firmware v24-sp2.
My first guess is you're using wifi, by default most systems disable multicast on wifi because it can have a detrimental effect on the time slicing that wifi uses. however for just a couple machines it shouldn't be an issue.
here's how to disable multicasting but it should point you in the right direction for enabling it: ddwrt multicast
Secondly make sure they are all in the same VLAN a VLAN is defined as a "broadcast domain" meaning machines on separate VLANs will NEVER get broadcast or multicast from other VLANs without some trickery.
Lastly make sure you've enabled multicasting between LAN ports I believe the option is "multicast forward"
Edit: Just a few things to add to the list in case others have this issue. Broadcasting doesn't exist in ipv6, also a machine running ipv6 MAY NOT see broadcasts from a machine on ipv4 and a machine on ipv4 WILL NOT see multicasts to an ipv6 multi-cast address.
Have you tried LogMeIn Hamachi?
Is not a LAN client itself but it creates a fake Online-LAN and gives you a working IP that will allow you to play with who have it.

Resources