[ale] can anyone provide a thumbnail sketch of how arp is supposed to work ?

Joseph A Knapka jknapka at earthlink.net
Mon Apr 22 00:30:38 EDT 2002


Courtney Thomas wrote:
> 
> Thank you for your insight.
> 
> My nsswitch file was as you suggested and /etc/hosts does in fact
> contain all the hosts. But one curiosity I observed in /etc/hosts was
> that one host was duplicated. What program automatically added the host
> that I had already entered ?
> 
> FreeBSD is the router for the host [debian2.4.17] and looking at the
> host tcpdump [-i eth0] output it seems that the router is going out on
> the web when debian needs its ARP cache refreshed. But I don't pretend
> to know the details of how all this should work and may be
> misinterpreting what I'm looking at here.

That is really weird. The way ARP is supposed to work is
just this:

Host A (IP a.b.c.d) is trying to send a packet to host
B (IP w.x.y.z). If w.x.y.z is not on the same physical
subnet as a.b.c.d, then host A looks up in its route
table the IP address of the proper router to which
to send the packet; that router *must* be
a host on the same physical subnet. Call the router
host R, IP a.b.c.r. Thus, all Ethernet packets on
a particular physical net segment are definitely
addressed to other Ethernet addresses on the same
segment.

Host A must then find the Ethernet hardware address
(MAC address) of the router; it does this by broadcasting
an ARP request (as an Ethernet broadcast; not to be
confused with an IP broadcast). The ARP request just
says, "Someone needs to know the Ethernet address of
the host with IP address a.b.c.r". Host R receives
this request (as does every other host on the physical
segment, since it's an Ethernet broadcast), notices
that it's a request for its IP, and broadcasts a reply
packet that says, basically, "I'm IP a.b.c.r; my Ethernet
address is 7.8.9.0.1.2." All hosts that receive such
replies cache them, so ARP traffic should amount to a
very trivial percentage of local net traffic.

The other possibility is that there's some proxy-ARP
traffic happening. Proxy-ARP is used when there are
hosts on different physical segments that happen to
be the same logical IP subnet. In that case, the hosts
that manage traffic between segments must respond to
ARP requests for hosts on the other segment. It would
be rather surprising if that were the case here. What
kind of connection do you have to your ISP? DSL, cable,
or what? Does your Debian box have a public IP address,
or is the FreeBSD box doing NAT for you? If the
latter, proxy-ARP is almost certainly not going to
be involved.

Cheers,

-- Joe
  Using open-source software: free.
  Pissing Bill Gates off: priceless.

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
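
The sequence described in the message above, as an added example that is not part of the original post: host A picks the next hop (the destination itself if on-link, otherwise the router), builds the Ethernet-broadcast ARP request for that IP, and host R parses the frame and checks whether it asks for its own address. All addresses and the MAC are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import struct

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def next_hop(iface: str, dst_ip: str, router_ip: str) -> str:
    """IP whose MAC must be resolved: dst itself if on-link, otherwise the router."""
    on_link = ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(iface).network
    return dst_ip if on_link else router_ip

def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet-broadcast 'who has target_ip?' frame (RFC 826 layout)."""
    eth = ETH_BROADCAST + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sender_mac + ipaddress.ip_address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed  # target MAC unknown
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP frame, rejecting anything malformed."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_dst": frame[0:6], "op": op,
        "sender_mac": frame[22:28],
        "sender_ip": str(ipaddress.ip_address(frame[28:32])),
        "target_ip": str(ipaddress.ip_address(frame[38:42])),
    }

def is_for_me(parsed: dict, my_ip: str) -> bool:
    """Host R's check: a request (op 1) asking for my own IP."""
    return parsed["op"] == 1 and parsed["target_ip"] == my_ip

# Constructed sample values (documentation address ranges, locally administered MAC).
HOST_A_MAC = bytes.fromhex("02000000000a")
hop = next_hop("192.0.2.10/24", "198.51.100.7", "192.0.2.1")  # off-link -> router
request = build_arp_request(HOST_A_MAC, "192.0.2.10", hop)
```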





