Wireshark mailing list archives

Re: newbie MAC->IP question


From: "Thierry Emmanuel" <Emmanuel.Thierry () technicolor com>
Date: Mon, 21 Jun 2010 09:58:28 +0200

To complete the explanation of János Löbb and Guy Harris (I don't know if it was clear):
Pure switches don't have (and don't need) IP addresses. A basic switch is a piece of network equipment designed to work only with Ethernet (Layer 2) traffic and theoretically ignore IP traffic (Layer 3).

We can sum up an IP connection like this (use a monospace font):
#   End user       #       # Switch  #     # Router #       # End user#
|Application (L4+) | <====================================> | App. |
|IP traffic  (L3)  | <====================> (relay ) <====> | IP   |
|Ethernet    (L2)  | <====> (relay ) <====> | Eth. | <====> | Eth. |
|Physical    (L1)  | <====> | Phy. | <====> | Phy. | <====> | Phy. |

The switch doesn't see IP traffic, doesn't show its Ethernet address, and doesn't need to show its existence at the L2 level.
The router doesn't show its IP address and doesn't need to show its existence at the L3 level.

I hope this explanation will help you to understand the structure of a network.

Best Regards


-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Guy Harris
Sent: Saturday, 19 June 2010 21:47
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] newbie MAC->IP question


On Jun 18, 2010, at 7:22 AM, János Löbb wrote:

Looking at the Ethernet traffic I see the routers and switches with their ethernet/MAC address.  However they do not show up in the IP traffic.  When I look at the Ethernet frame, I again see the MAC address, but I do not see its IP address.

I.e., a packet from or to a router or switch has the source IP address of the machine that ultimately sent it, not the 
IP address of the router?  (That is, of course, as it should be.)

Can Wireshark - or any other program on a Mac - translate a MAC address into an IP ?

There isn't necessarily a permanent mapping between a MAC address and an IP address; a machine might, for example, be 
using DHCP, and, if it renews a DHCP lease, it might get a different IP address from the one it had before.

That's not likely to happen for a router - but the only way to find out a router's IP address, given its MAC address, 
would be to either

        1) ask the network administrator what IP address is assigned to the router with an interface with a given MAC 
address;

        2) send out a Reverse ARP packet, asking what the IP address is for the given MAC address, and hope somebody 
responds;

        3) hope that some file on your machine has that mapping, or that some network service offers that mapping.

I looked at man arp, but I do not see it there either, and arp -a does not show the router.

"arp -a" will show the IP-to-MAC-address mappings your machine has; if your machine isn't routing traffic through that 
router, or otherwise communicating with that router, it won't need, and thus probably won't have, an ARP entry for that 
router.  (If your machine isn't plugged into a network into which that router is also plugged, it almost certainly 
won't have it.)

P.S.  How can I capture only router and switch traffic and ignore all the workstations, and vice versa?

You'd have to construct a capture filter that looks for the MAC addresses of the machines whose traffic you want to 
capture, and doesn't mention the MAC addresses of the machines whose traffic you don't want to capture.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
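
The ARP lookup and MAC-based capture filter that Guy Harris describes above, as an added example that is not part of the original thread: it parses `arp -a` output into a MAC-to-IP map and builds an `ether host` capture filter, or its negation, from a list of MAC addresses. The sample ARP lines and the router MAC addresses are constructed for illustration.

```python
import re

# Constructed sample of `arp -a` output (three macOS-style lines, one Linux-style).
# macOS prints MAC octets without leading zeros, so they must be normalized.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 0:1b:21:3a:4f:c2 on en0 ifscope [ethernet]
? (192.168.1.23) at a4:5e:60:d:9:7f on en0 ifscope [ethernet]
? (192.168.1.40) at (incomplete) on en0 ifscope [ethernet]
gw.example (192.168.1.254) at 00:1B:21:3A:50:01 [ether] on eth0
"""
OCTET = r"[0-9A-Fa-f]{1,2}"
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at (" + OCTET + "(?::" + OCTET + r"){5})\s")


def normalize_mac(mac):
    """Return the MAC as six zero-padded lowercase octets, or raise ValueError."""
    octets = mac.strip().replace("-", ":").split(":")
    if len(octets) != 6 or not all(re.fullmatch(OCTET, o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.lower().zfill(2) for o in octets)


def parse_arp_table(text):
    """Map normalized MAC -> list of IPs; unresolved (incomplete) entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table.setdefault(normalize_mac(m.group(2)), []).append(m.group(1))
    return table


def capture_filter(macs, exclude=False):
    """Build a pcap capture filter that matches (or excludes) the given MACs."""
    hosts = sorted({normalize_mac(m) for m in macs})
    if not hosts:
        raise ValueError("at least one MAC address is required")
    expr = " or ".join(f"ether host {h}" for h in hosts)
    return f"not ({expr})" if exclude else expr


if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_ARP_OUTPUT)
    routers = ["00:1b:21:3a:4f:c2", "00-1B-21-3A-50-01"]  # constructed MACs
    for mac in routers:
        print(mac, "->", arp.get(normalize_mac(mac), "no ARP entry"))
    print(capture_filter(routers))                # routers and switches only
    print(capture_filter(routers, exclude=True))  # everything else
```

The resulting string is what goes in Wireshark's capture filter field or after `tcpdump -i <interface>`; a MAC address with no ARP entry simply means this machine has not needed to talk to that device.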

