When a computer, with IP address IPs and default gateway IPg, is sending a datagram to destination with IP address IPd on a different subnet, it will perform:
a)- ARP(IPg)
b)- ARP( IPd)
c)- ARP(IPs)
d)- ARP(0)
Sending packet to another subnet actually means sending packet to gateway, since gateway is responsible for proper routing between subnets. Thus computer will perform discovery of gateway MAC address unless it's cached.
Related
When a DHCP request packet is received on router(configured with ip-helper), it redirects it to DHCP server. I would like to know that how router come to know that it is DHCP request packet. As it is defined by port no. which exist on transport layer. in Same way, how a router uses TCP port for BGP. But how could router use transport layer port no. as it is L3 device.
As Vidal said, DHCP requests are broadcast.
A host(the DHCP client), upon joining the networking will send out a DHCP discovery broadcast message. It doesn't know the address of the DHCP server, so it will talk with everyone currently connected to the network to discover if a DHCP server exists. The port is 67.
If there is a DHCP server, it will offer an IP address to the host. There might be many DHCP servers, in this case, it'll take the IP address of the first DHCP server that responded.
Once the host selects an IP address, it will send a DHCP request back to the server for that specific IP address.
The DHCP server will then acknowledge this message and confirm the DHCP lease to the client.
For a more clearer explanation, just read this article.
I'm writting a simple network sniffer that should be able to reconstruct network structure.
When an interface has set up a DHCP, I can easily read interface settings such as client IP address, subnet mask, DNS server etc. by catching a DHCP packet and analysing it.
When an interface has a static IP, I'm catching ARP Announcement packet to get static IP address and then ARP request from the gateway, to get geteway IP address. I'm also saving MAC addresses.
My problem is: how to get subnet mask from one or more static IPs in the network and the gateway address. Or by caching some packets. I didn't see packets that could have such informations.
I also need DNS address, but it's less important.
The program should work in OpenWRT (C++).
My problem is: how to get subnet mask from one or more static IPs in the network and the gateway address.
Possibly, you can't.
If the sniffed network uses DHCP then you can monitor the DHCP requests (which should be broadcast) for their subnet mask and router fields which mirror the server's offer.
Without DHCP, all you can do is take an educated guess. If your passive sniffer registers broadcasts from addresses 192.168.1.1 through 192.168.1.29, you know that the prefix length is at most /27. It could also be anything shorter, down to /16, with potential addresses being (currently) absent or silent. The prefix could be even short than /16 if the network admin is ignoring RFC 1918. With public addresses you're mostly on your own.
If you can scan actively you could send ARP requests and see which ones get answered - you'd also see nodes that don't originate any traffic/broadcasts.
The gateway is also just a guess. In a network with mostly Internet-bound traffic, the default gateway is most likely the one being ARPed most often. If the network traffic is mostly server-centric, ARP requests for their addresses outnumber the ones for any gateway.
Your sniffer is severely limited when it is just attached to a switch and listening to broadcast packets only. If the sniffer manages to listen to all traffic on the network (via a monitoring/mirroring switch port) then you can easily identify the gateway by its MAC address that packets for arbitrary IP addresses is sent to and vice versa.
As above, if you can actively send probe packets you could test the gateway(s) with packets that they accept (and hopefully forward) and which ones they reject.
I am studying routing tables. Say you have the following line in a routing table
Destination Gateway Genmask
192.168.1.0 * 255.255.255.0
This would mean that there is no gateway for local traffic on the network and some resoures write that all the traffic on a local network is send to all hosts on the network. This raises two question:
Isn't it a security risk that every host receives all traffic, even though it is not intended for that host.
Does it slow the network when every packet is send to all hosts over either cables or wifi even though it is intended for only 1 host?
Is all traffic within a network send to all hosts?
No. Traffic sent from a host to another host in the same network is sent via layer-2, not layer-3. That means that traffic from hosts in an IP network are sent to other hosts in the same network via the layer-2, e.g. ethernet, network.
There is a protocol called ARP (Address Resolution Protocol) that is used to resolve layer-3 (IP) to layer-2 (MAC) addresses.
A host sending something to another host will mask both the source and destination layer-3 addresses with the configured host network mask. If the results are the same, it will use ARP to address the layer-2 frame with the destination host MAC address, otherwise it will use ARP to address the frame with the layer-2 address of its configured gateway.
If there is no configured gateway, the host should drop the traffic between layer-3 and layer-2.
A host will drop any traffic not sent its MAC addresses, the broadcast address, or any multicast address for which it is not subscribed.
If we are in the same network, then hop to hop communication takes place by layer-2 devices such as switches, bridges, etc. that work at the MAC layer.
But if we have to send packets to a destination in some other network then hop to hop communication takes place through routers.
Is this correct?
Your statements are conceptually correct, though the details are not quite right.
A layer 3 protocol like IP can route a packet from its source to its destination across the entire Internet, but a layer 2 protocol like ethernet can only route packets for a single hop. When a device transmits a packet on a TCP/IP network, it must know the ethernet (layer 2) address of the next hop and the IP (layer 3) address of the packet's final destination.
Let's look at the two cases you describe, using a scenario where a user on Device A knows the IP address of Device B and wants to send it a packet.
Devices on the same (unswitched) subnet
The user on Device A issues the command ping 10.1.1.23.
Device A broadcasts an ARP (layer 2) request, asking which device on its network can route a packet to IP address 10.1.1.23.
Device B recognizes the IP address as its own and answers the request by returning a packet with its IP and ethernet addresses as the source, and Device A's IP and ethernet addresses as the destination.
Now Device A has everything it needs to communicate with Device B. Every packet it transmits to Device B will have the proper ethernet and IP addresses as the destination.
Devices on the same (switched) subnet
The user on Device A issues the command ping 10.1.1.23.
Device A broadcasts an ARP (layer 2) request, asking which device on its network can route a packet to IP address 10.1.1.23.
A switch receives the packet on one of its ports and retransmits the same packet on whichever port is connected to Device B. This is the only significant difference between switched and unswitched subnets.
Device B recognizes the IP address as its own and answers the request by returning a packet with its IP and ethernet addresses as the source, and Device A's IP and ethernet addresses as the destination.
Now Device A has everything it needs to communicate with Device B. Every packet it transmits to Device B will have the proper ethernet and IP addresses as the destination.
Devices on different subnets
The user on Device A issues the command ping 8.8.8.8.
Device A broadcasts an ARP (layer 2) request, asking which device on its network can route a packet to IP address 8.8.8.8.
The address 8.8.8.8 is on a different network, so no local device recognizes the address as its own. However, a router sees the packet, checks its routing tables, and sees that it knows how to forward packets to the 8.8.8.x network. So the router replies by returning a packet that has its own ethernet address as the source.
Now Device A can communicate with Device B by sending packets that have a destination IP address of 8.8.8.8, but the router's ethernet address as their destination.
The router receives the packets because they are destined for its ethernet (layer 2) address, but it notices that their destination IP (layer 3) addresses are different from its own, and so it forwards them to whatever address is stored in its routing table.
Yes, you are correct. To access other networks (networks on a different subnet) a client will route the traffic to its default gateway, which will encapsulate the traffic and route appropriately. For communicating on the same network only a layer 2 switch is required.
I connected two machines via a network cable. I need to get an ARP request data via Wireshark. When I pinged the IP of the other machine, I get the ARP request on Wireshark. But, it is not broadcasting a message. It targets pinged IP address directly. I think a LAN with only two machines does not need to do a broadcast. Am I right? Can any one explain this to me?
Always in ARP packet, MAC address will be broadcast not IP. As it is used to learn MAC address of other host whose IP address is known, ARP packet needs to have valid IP address rather than broadcast IP. You can check ARP packet example at below path:
http://wiki.wireshark.org/AddressResolutionProtocol
Hope this clears your doubt.