Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: No Arp entry after broadcast ping

No Arp entry after broadcast ping 13 years 3 months ago #282

  • tfs
  • tfs's Avatar
  • Offline
  • Expert Member
  • Posts: 521
  • Karma: 0
I was testing a machine here and tried to do a broadcast ping (my PC is 192.168.122.7, so I did - ping 192.168.120.255).

I got back the expected response of:
*******************************************
Pinging 192.168.122.255 with 32 bytes of data:

Reply from 192.168.122.255: bytes=32 time=10ms TTL=60
Reply from 192.168.122.255: bytes=32 time<10ms TTL=60
Reply from 192.168.122.255: bytes=32 time<10ms TTL=60
Reply from 192.168.122.255: bytes=32 time<10ms TTL=60

Ping statistics for 192.168.122.255:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 2ms

C:WINNTsystem32>
*********************************************

But when I did an "arp -a" - I get:
********************************************
C:WINNTsystem32>arp -a
No ARP Entries Found

C:WINNTsystem32>
*******************************************

I thought this would put an entry in my arp table (at least was what I was told - and that this message meant that the ping failed and that I most probably had a data link problem, which is not the case). When I look at it with my Analyser, I can see the ping and my workstation responding (I also noticed the my other workstation - 192.168.122.11 - was not in the arp list either).

The same thing happened on the other workstation when I did a broadcast ping from that machine.

What am I misunderstanding here?

Thanks,

Tom.
Thanks,

Tom
The administrator has disabled public write access.

No Arp entry after broadcast ping 13 years 3 months ago #283

  • Chris
  • Chris's Avatar
  • Offline
  • Administrator
  • Posts: 1446
  • Thank you received: 13
  • Karma: 8
tfs,

It's really interesting to see what happens when you try and ping a subnet's broadcast IP address, but you need to have a few hosts on the network and a packet sniffer to see the effect.

When your workstation sends the ping, it will receive a reply from almost every workstation on your network that sees the icmp echo request!

I just tried it here with my workstation and saw my workstation sending a icmp echo request to 192.168.1.255, and then it received an icmp echo reply from 13 hosts, incuding our linux servers, print servers , workstations and various other network devices.

When I tried the arp -a command, not all of them showed up in the arp table.

I'm not sure why they didn't show up, it must be something to do with the way Windows handles the arp table and how it chooses to maintain an entry;

If you get to find out more about it, let us know!

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
The administrator has disabled public write access.

Re: No Arp entry after broadcast ping 13 years 2 months ago #744

  • sahirh
  • sahirh's Avatar
  • Offline
  • Honored Member
  • Posts: 1700
  • Karma: 0
I just replicated the test here and sure enough not all machines responded to the broadcast ping, This is a vendor implementation thing.. i quote from Microsoft Knowledge Base Article - 137421 :

"If the PING command is used to a broadcast address, some devices will respond. "

RFC-1122 (Section 3.2.2.6 Echo Request/Reply) discusses pinging a broadcast address:

"An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded."

This neutral provision results from a passionate debate between those who feel that ICMP Echo to a broadcast address provides a valuable diagnostic capability and those who feel that misuse of this feature can too easily create packet storms."

Windows NT 3.5 computers do not reply to these PING Echo Requests. Novell 3.12 Servers send an Echo Reply.


or it could be something on the lines of a personal firewall dropping your ping packets at the other hosts ??

You might also try pinging more than just five times..
I'd say fire up the sniffer, set the ping -t for a reasonable amount of time... you might want to filter ICMP echo request out of the sniffer output or it'll be crazy to read.

Then have a look at what you get back.

Hope that solves it.

Cheers,
Sahir.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
The administrator has disabled public write access.

Re: No Arp entry after broadcast ping 13 years 2 months ago #778

  • tfs
  • tfs's Avatar
  • Offline
  • Expert Member
  • Posts: 521
  • Karma: 0
Sahirh,

I would agree with you here (and I can't remember all of what happened as I did this months ago), except that I was getting a ping response. I think the RFC you quoted mentioned that the ICMP request (Ping) might be silently discarded. If that was the case, I wouldn't get a response ( at least I wouldn't think I would - and could be wrong here).

Thanks,

Tom.
Thanks,

Tom
The administrator has disabled public write access.

Re: No Arp entry after broadcast ping 13 years 2 months ago #791

  • sahirh
  • sahirh's Avatar
  • Offline
  • Honored Member
  • Posts: 1700
  • Karma: 0
Thats a valid point, but remember, when you ping a broadcast address as long as even one machine answers the ping, you'll get a response.. and one machine was returning the request... a machine that you already know the mac address of - your workstation :)

My conclusion would be that your machine was the only one responding to the ping .. giving you a response.. the others were for some reason dropping the echo request

Sahir.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
The administrator has disabled public write access.

Re: No Arp entry after broadcast ping 13 years 2 months ago #805

  • tfs
  • tfs's Avatar
  • Offline
  • Expert Member
  • Posts: 521
  • Karma: 0
You may be right there (as I said I did this months ago, so I can't remember what my analyser was telling me).

It seems that one of the other machines was answering, but I would have to set it to test it again (I may do this later, as I would like to know if this is the case, just for grins).

Thanks,

Tom.
Thanks,

Tom
The administrator has disabled public write access.
Time to create page: 0.084 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup