arp replies not seen, ping's don't echo

Post by R. DuFresn » Wed, 03 Sep 1997 04:00:00



I thought perhaps you might be able to help with a problem
here that seems to have all the "gurus" I have consulted stumped.
Here's the layout:

 Linux darkstar 2.0.23 #3 Fri Jun 6 20:52:07 CDT 1997 i586

 I have the linux machine here, darkstar.sysinfo.com on 204.246.65.62 ppp0,
 with a 3com 509b card <called blackhole.sysinfo.com 192.168.80.1 eth0.
 The inside net has a win 3.11 and a win95 machine, 192.168.80.10 and
 192.168.80.20, both set with 192.168.80.1 <blackhole> as their gateway.  I
 can watch all the packets on 192.168.80.0/255 with various net tools,
 including tcpdump.  The win machines can play together fine.  But, blackhole
 will not recognize their packets, and they seem to not see those of
 blackhole.  So, there at this point is nothing getting masqueraded out.
 All policies for ipfw are accept, to make it as open as possible now.
 Here's the route table on blackhole, have tried others:

 Kernel routing table
Destination     Gateway       Genmask         Flags MSS    Window Use Iface
 u-2.winternet.n *            255.255.255.255 UH    1500   0        3 ppp0
 sysinfo.com     *            255.255.255.0   U     1500   0       70 eth0
 loopback        *             255.0.0.0      U     3584   0       95 lo
 default         u-2.winternet.n *            UG    1500   0      604 ppp0
 darkstar:/#

 I try to ping from one of the inside boxes to the linux server, and here's
 the tcpdump traces:

 17:08:43.454411 arp who-has blackhole.sysinfo.com tell nebula.sysinfo.com
 17:08:43.454411 arp reply blackhole.sysinfo.com is-at 0:20:af:4:4c:42
 17:08:44.694411 arp who-has blackhole.sysinfo.com tell nebula.sysinfo.com
 17:08:44.694411 arp reply blackhole.sysinfo.com is-at 0:20:af:4:4c:42

Here's the layout in more complete form:

        comet -|
192.168.80.10  | eth0
               |                          ppp0
               |---- blackhole/darkstar --------- ISP/internet
               |   192.168.80.1/204.246.65.62
192.168.80.20  |
        nebula-|

 Now the tcpdump traces as I ping the other way:

 17:10:22.194411 arp who-has blackhole.sysinfo.com tell nebula.sysinfo.com
 17:10:22.194411 arp reply blackhole.sysinfo.com is-at 0:20:af:4:4c:42
 17:10:23.634411 arp who-has blackhole.sysinfo.com tell nebula.sysinfo.com
 17:10:23.644411 arp reply blackhole.sysinfo.com is-at 0:20:af:4:4c:42
 17:10:24.654411 arp who-has blackhole.sysinfo.com tell nebula.sysinfo.com
 17:10:24.654411 arp reply blackhole.sysinfo.com is-at 0:20:af:4:4c:42

 Yet, the inside boxes speak to one another fine:

 17:10:10.154411 arp who-has comet.sysinfo.com tell nebula.sysinfo.com
 17:10:10.154411 arp reply comet.sysinfo.com is-at 0:20:ae:4:4c:4
 17:10:10.154411 nebula.sysinfo.com > comet.sysinfo.com: icmp: echo request
 17:10:10.154411 comet.sysinfo.com > nebula.sysinfo.com: icmp: echo reply
 17:10:11.154411 nebula.sysinfo.com > comet.sysinfo.com: icmp: echo request
 17:10:11.154411 comet.sysinfo.com > nebula.sysinfo.com: icmp: echo reply
 17:10:12.154411 nebula.sysinfo.com > comet.sysinfo.com: icmp: echo request
 17:10:12.164411 comet.sysinfo.com > nebula.sysinfo.com: icmp: echo reply
 17:10:13.174411 nebula.sysinfo.com > comet.sysinfo.com: icmp: echo request
 17:10:13.174411 comet.sysinfo.com > nebula.sysinfo.com: icmp: echo reply

tcpdump -x

nebula pings to blackhole:

00:26:11.224411 arp who-has blackhole.sysinfo.com tell nebula.sysinfo.com
                         0001 0800 0604 0001 0060 9675 3388 c0a8
                         5014 0000 0000 0000 c0a8 5001 0101 0001
                         0101 0001 0101 0001 0101 0001 0101 6f6b
                         6520 3a0d 0a00
00:26:11.224411 arp reply blackhole.sysinfo.com is-at 0:20:af:4:4c:42
                         0001 0800 0604 0002 0020 af04 4c42 c0a8
                         5001 0060 9675 3388 c0a8 5014 0101 0001
                         0101 0001 0101 0001 0101 0001 0101 6f6b
                         6520 3a0d 0a00

blackhole pings nebula:

00:34:05.154411 arp who-has nebula.sysinfo.com tell blackhole.sysinfo.com
                         0001 0800 0604 0001 0020 af04 4c42 c0a8
                         5001 0000 0000 0000 c0a8 5014 7263 312e
                         7068 6f65 6e69 782e 6e65 7420 3330 3620
                         7477 6f66 6f78
00:34:05.154411 arp reply nebula.sysinfo.com is-at 0:60:96:75:33:88
                         0001 0800 0604 0002 0060 9675 3388 c0a8
                         5014 0020 af04 4c42 c0a8 5001 0101 0001
                         0101 0001 0101 0001 0101 0001 0101 3620
                         7477 6f66 6f78
00:34:05.154411 blackhole.sysinfo.com > nebula.sysinfo.com: icmp: echo request
                         4500 0054 c30e 0000 4001 9634 c0a8 5001
                         c0a8 5014 0800 8c26 cf22 0000 c80c e833
                         ff72 0200 0809 0a0b 0c0d 0e0f 1011 1213
                         1415 1617 1819

So we do this:

darkstar:~# arp -a
Address                 HW type         HW address              Flags  Mask
192.168.80.20           10Mbps Ethernet 00:60:96:75:33:88       C       *
darkstar:~#

Now, for shits and grins and to check for changes,
let's ping comet from blackhole and see what arp
shows:

00:38:13.934411 arp who-has comet.sysinfo.com tell blackhole.sysinfo.com
                         0001 0800 0604 0001 0020 af04 4c42 c0a8
                         5001 0000 0000 0000 c0a8 500a 5254 2023
                         686f 7273 6573 0a20 3330 3320 736d 6f6b
                         6520 3a64 696e

00:38:13.934411 arp reply comet.sysinfo.com is-at 0:20:ae:4:4c:4
                         0001 0800 0604 0002 0020 ae04 4c04 c0a8
                         500a 0020 af04 4c42 c0a8 5001 0101 0001
                         0101 0001 0101 0001 0101 0001 0101 6f6b
                         6520 3a64 696e
00:38:13.934411 blackhole.sysinfo.com > comet.sysinfo.com: icmp: echo request
                         4500 0054 c407 0000 4001 9545 c0a8 5001
                         c0a8 500a 0800 ec3c da22 0000 c00d e833
                         905b 0e00 0809 0a0b 0c0d 0e0f 1011 1213
                         1415 1617 1819

Hmm...:

darkstar:~# arp -a
Address                 HW type         HW address              Flags  Mask
192.168.80.20           10Mbps Ethernet 00:60:96:75:33:88       C       *
darkstar:~#

Let's ping blackhole from comet:

00:40:38.684411 arp who-has blackhole.sysinfo.com tell comet.sysinfo.com
                         0001 0800 0604 0001 0020 ae04 4c04 c0a8
                         500a 0000 0000 0000 c0a8 5001 0101 0001
                         0101 0001 0101 0001 0101 0001 0101 7477
                         6f66 6f78 293a
00:40:38.684411 arp reply blackhole.sysinfo.com is-at 0:20:af:4:4c:42
                         0001 0800 0604 0002 0020 af04 4c42 c0a8
                         5001 0020 ae04 4c04 c0a8 500a 0101 0001
                         0101 0001 0101 0001 0101 0001 0101 7477
                         6f66 6f78 293a

Ahh, this is what we wanted to see, yes?:

darkstar:~# arp -a
Address                 HW type         HW address              Flags  Mask
192.168.80.10           10Mbps Ethernet 00:20:AE:04:4C:04       C       *
darkstar:~#

Now, just to see the process between win boxen we ping comet from nebula:

00:45:22.814411 arp who-has comet.sysinfo.com tell nebula.sysinfo.com
                         0001 0800 0604 0001 0060 9675 3388 c0a8
                         5014 0000 0000 0000 c0a8 500a 0a0a 0a0a
                         0a0a 0a0a 0a0a 0a0a 0a0a 0a0a 0a0a 7065
                         1b5b 4b48 1b5b
00:45:22.814411 arp reply comet.sysinfo.com is-at 0:20:ae:4:4c:4
                         0001 0800 0604 0002 0020 ae04 4c04 c0a8
                         500a 0060 9775 3288 c0a8 5014 1414 1414
                         1414 1414 1414 1414 1414 1414 1414 7065
                         1b5b 4b48 1b5b
00:45:22.814411 nebula.sysinfo.com > comet.sysinfo.com: icmp: echo request
                         4500 003c 3b25 0000 2001 3e2d c0a8 5014
                         c0a8 500a 0800 ec51 0200 5e0a 6162 6264
                         6566 6668 696a 6a6c 6d6e 6e70 7172 7274
                         7576 7661 6263
00:45:22.814411 comet.sysinfo.com > nebula.sysinfo.com: icmp: echo reply
                         4500 003c 9762 0000 2001 e0ef c0a8 500a
                         c0a8 5014 0000 f451 0200 5e0a 6162 6264
                         6566 6668 696a 6a6c 6d6e 6e70 7172 7274
                         7576 7661 6263

And arp reports clear:

darkstar:~# arp -a
darkstar:~#

And, I am still at a loss.   Does this give you anything to go on?

Again, thanks much for the help, it's appreciated.

My best to you and yours,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
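
Added example, not part of the original post: a small decoder for the ARP bodies in the `tcpdump -x` output above. It splits each 28-byte ARP body into its fields, keeps the bytes that follow as a trailer, and flags any IP/MAC pair that disagrees with the addresses seen in the `arp -a` and `is-at` lines. The hex strings are copied from the post; the function and variable names are hypothetical.

```python
import struct

# IP -> MAC pairs as printed in the post's "arp -a" and "is-at" lines.
KNOWN = {
    "192.168.80.1": "00:20:af:04:4c:42",   # blackhole
    "192.168.80.10": "00:20:ae:04:4c:04",  # comet
    "192.168.80.20": "00:60:96:75:33:88",  # nebula
}

# Hex copied from the post: nebula's who-has for blackhole, and comet's
# reply to nebula from the last trace.
REQ_NEBULA = """0001 0800 0604 0001 0060 9675 3388 c0a8
                5014 0000 0000 0000 c0a8 5001 0101 0001
                0101 0001 0101 0001 0101 0001 0101 6f6b
                6520 3a0d 0a00"""
REPLY_COMET = """0001 0800 0604 0002 0020 ae04 4c04 c0a8
                 500a 0060 9775 3288 c0a8 5014 1414 1414
                 1414 1414 1414 1414 1414 1414 1414 7065
                 1b5b 4b48 1b5b"""

def parse_arp(hexdump):
    """Decode an Ethernet/IPv4 ARP body from tcpdump -x hex words."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 28:
        raise ValueError("truncated ARP body: %d bytes" % len(raw))
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "sha": mac(raw[8:14]), "spa": ip(raw[14:18]),    # sender MAC / IP
        "tha": mac(raw[18:24]), "tpa": ip(raw[24:28]),   # target MAC / IP
        "trailer": raw[28:],  # captured bytes after the ARP body
    }

def mismatches(pkt, known=KNOWN):
    """Return (ip, mac_in_packet) pairs that disagree with the known table."""
    bad = []
    for ip, mac in ((pkt["spa"], pkt["sha"]), (pkt["tpa"], pkt["tha"])):
        if mac == "00:00:00:00:00:00":   # target MAC is unset in a request
            continue
        if ip in known and known[ip] != mac:
            bad.append((ip, mac))
    return bad

if __name__ == "__main__":
    for name, dump in (("request", REQ_NEBULA), ("reply", REPLY_COMET)):
        pkt = parse_arp(dump)
        print(name, pkt, mismatches(pkt))
```

Run over every dump in the traces, the trailer field also shows which frames carry non-zero bytes after the ARP body.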