(Network) Identifying the next node's MAC address.

Post by 01000101 »

Hi,

I recently succeeded in re-broadcasting captured packets.

Now I would like to take on a new project, but first I must find a way to get the MAC addresses of nodes only one hop away from my custom machine.

node A <------> MyComp <-----> Node B

Basically, in the setup above, I would like MyComp to be able to get the MAC addresses of Nodes A and B.
Post by bontanu »

Check for "ARP"
Ambition is a lame excuse for the ones not brave enough to be lazy; Solar_OS http://www.oby.ro/os/
Post by Brynet-Inc »

AFAIK one cannot directly query hosts on a network for their MAC address.. ;)

I recommend reading the following Wikipedia articles...
http://en.wikipedia.org/wiki/Address_Re ... n_Protocol
http://en.wikipedia.org/wiki/Internet_Protocol

Have fun.. 8)

EDIT: Darn, bontanu posted before me.. ;)
Post by Kevin McGuire »

When you use the word hop it tells me the packet passed through a layer three network device and this would prevent you from getting the MAC address of the machine, but just in case you are referring to the actual proximity of the computer then, like Brynet-Inc and bontanu said, an ARP request packet will do this.
Post by 01000101 »

I have read up on ARP, but I only need to know the addresses of the 2 physically closest daisy-chained nodes. I have a feeling that it isn't going to be possible without knowing the pre-existing IP addresses.
Post by Brendan »

Hi,
01000101 wrote: I have read up on ARP, but I only need to know the addresses of the 2 physically closest daisy-chained nodes. I have a feeling that it isn't going to be possible without knowing the pre-existing IP addresses.

What do you mean by "daisy chained"? Usually this means 2 network cards (or serial ports or whatever) per device, where one network card connects to the previous thing in the chain and the other network card connects to the next thing in the chain. For example:

  A----B----C

Modern ethernet uses a "star" configuration (several computers connected to a switch or hub, where the switch or hub is transparent). For example:

  HUB---A
   | \
   |  B
   C

Old ethernet (10base2) used a "bus" configuration (one coax cable connecting several computers, with 'T' pieces at each computer). For example:

 +-A
 |
 +-B
 |
 +-C

There used to be something called token ring networks which were "daisy chained" in a circle (and packets went in one direction only). The problem here is lag and fault tolerance - if there's 10 computers in the ring and computer0 wants to send a packet to computer9, then computer0 sends it to computer1, which sends it to computer2, which sends it to computer3, etc; and a single broken cable brings the entire network down. BTW token ring isn't ethernet (it used its own token ring network adapters) and they're very obsolete now.

For ethernet, typically a computer sends a broadcast packet (that is received by everything on the same hub/switch or bus) and other computers can get its MAC address from the packet's header (including the DHCP server)....


Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
Post by 01000101 »

Yes, I am aware of the modern star configuration and the older BNC cards, and believe me, I am not going for a token-style configuration.

I was unaware though, of the broadcast packet containing the MAC address. Although that is helpful, the situation I am in, is that I am trying to create a transparent machine that only communicates to the two devices that it is physically connected to.

And yes, you are correct about the daisy-chaining, as the computer I am using is communicating on two NICs. One dedicated to the 'IN' of node B, and the 'OUT' to node A, and vice versa for the other card.

I only wish to talk to those two machines.
Post by Kevin McGuire »

"I was unaware though, of the broadcast packet containing the MAC address. Although that is helpful, the situation I am in, is that I am trying to create a transparent machine that only communicates to the two devices that it is physically connected to."

I think you are saying you would like to detect the MAC address of these two machines, and this is possible by doing an ARP scan of the IP subnet that these two machines are on. The only other way I know of is to just listen for data coming from one and then store its MAC address.

So it's:
  • Do an ARP broadcast scan of the IP subnet.
  • Listen for frames from machines on that segment.

I know of no way to force a network card to reveal its MAC address. I also know of no way to force the operating system to identify unless it replies to ARP requests which is not forced at all. You may in a case such as this simply have to wait for the machine to talk. It seems that most machines nowadays at least talk once when they boot (unless network booting is disabled), and always (at least if it is a respectable IP implementation) will issue an ARP request before binding to the IP address it is about to use. Or, is it an ARP reply. Not sure since it has been quite a few months and I easily forget what is not needed to be remembered quickly.

Oh. I do forget that there also exists something that may make a network reveal its MAC address. It has something to do with unicast frames? Might be worth looking into. It is somehow used to detect computers running network sniffers in which the card is placed into promiscuous mode and I think may or somehow does work even if the operating system is disabled from using the card while it captures/sniffs.
Post by Brynet-Inc »

Most modern operating systems send out an initial ARP packet "announcing" their presence on a subnet..

If you're developing your own OS, you'll want to implement support for ARP.. developing your own standards is not a very good idea..

Good luck & Have fun.. 8)

http://wiki.wireshark.org/Gratuitous_ARP

EDIT: Even if you're not going to use IP addresses, at least implement ARP.. It's entirely independent...;)
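
Added example (not part of any post in this thread): a C sketch of the passive approach from the two posts above, learning a neighbour's MAC from the Ethernet source field of any received frame and, when the frame is a gratuitous or ordinary IPv4 ARP, its IP as well. The function name, struct and sample frame are assumptions made for illustration; the frame is constructed, uses the 192.0.2.0/24 documentation range, and assumes Ethernet II framing with no VLAN tag or FCS.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct neighbor { uint8_t mac[6]; uint8_t ip[4]; int has_ip; int gratuitous; };

/* Learn the sender of one received Ethernet II frame (no FCS, no VLAN tag).
 * Returns -1 for a runt frame or a non-unicast source, 0 if only the MAC
 * was learned, 1 if an IPv4 ARP also gave the sender's IP, 2 if the ARP
 * sender hardware address disagrees with the Ethernet source (IP not kept). */
int learn_neighbor(const uint8_t *f, size_t len, struct neighbor *nb)
{
    if (len < 14 || (f[6] & 0x01))       /* group bit is never set in a real source MAC */
        return -1;
    memset(nb, 0, sizeof *nb);
    memcpy(nb->mac, f + 6, 6);
    if (f[12] != 0x08 || f[13] != 0x06 || len < 14 + 28)
        return 0;                         /* not ARP: the source MAC is all we get */
    const uint8_t *a = f + 14;            /* htype ptype hlen plen oper sha spa tha tpa */
    static const uint8_t eth_ipv4[6] = { 0x00, 0x01, 0x08, 0x00, 6, 4 };
    if (memcmp(a, eth_ipv4, 6) != 0)
        return 0;                         /* ARP for some other hardware/protocol pair */
    if (memcmp(a + 8, f + 6, 6) != 0)
        return 2;                         /* header and payload name different senders */
    memcpy(nb->ip, a + 14, 4);
    nb->has_ip = 1;
    nb->gratuitous = memcmp(a + 14, a + 24, 4) == 0;  /* sender IP == target IP */
    return 1;
}

/* Constructed sample: gratuitous ARP request from 02:00:00:00:00:0a for 192.0.2.10. */
const uint8_t SAMPLE_GARP[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff,  0x02,0,0,0,0,0x0a,  0x08,0x06,
    0x00,0x01,  0x08,0x00,  6, 4,  0x00,0x01,
    0x02,0,0,0,0,0x0a,  192,0,2,10,
    0,0,0,0,0,0,        192,0,2,10
};

int main(void)
{
    struct neighbor nb;
    int r = learn_neighbor(SAMPLE_GARP, sizeof SAMPLE_GARP, &nb);
    printf("result %d, mac %02x:..:%02x, ip %u.%u.%u.%u, gratuitous %d\n", r,
           nb.mac[0], nb.mac[5], nb.ip[0], nb.ip[1], nb.ip[2], nb.ip[3], nb.gratuitous);
    return 0;
}
```

ARP carries no authentication, so a learned IP-to-MAC pairing is only a claim by the sender; the return value 2 marks the case where the frame header and the ARP payload already contradict each other.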
Post by 01000101 »

Thanks for the replies.
I believe the verdict is that it is not possible.. or not likely to be able to 'hone-in' on two nodes without more information (either an IP or a MAC addy), so then I shall pose a more attainable question.

How would I go about finding the default gateway of a local subnet?
Does the gateway broadcast to me, or would I have to announce my presence and wait for a response?
Post by Kevin McGuire »

That is also a problem as a gateway (default or not) is not forced to announce its presence. Although some use dynamic routing protocols that you can listen for and may even optionally broadcast their services such as (UPNP from a wireless router).

The DHCP is an example of the default gateway being announced, but it does not necessarily mean that the DHCP contains a default gateway valid field or is present as a service in the network. But, to be honest I think DHCP is likely the best bet as this seems to be the standard way on IP networks for clients to locate the gateway or acquire IP addresses.
Post by 01000101 »

Well, I took the DHCP thing into consideration
and after a hard day's work (haha riiight)
I've got handlers for ARP, RARP, IP->UDP, IP->TCP, BOOTP, and DHCP with all successful responses appropriate to their function.

With the DHCP I was able to get the IP of the gateway, whether it be default or not. That is definitely a step in the right direction.
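
Added example (not the poster's code and not part of the thread): a bounds-checked C walk over the options of a BOOTP/DHCP reply that pulls out the router field (option 3) discussed in the last two posts, and reports its absence when the server did not send one. The function names and the sample packet are assumptions made for illustration; the packet is constructed, uses the 192.0.2.0/24 documentation range, and option overload (option 52) is not followed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find one option in a BOOTP/DHCP reply (the UDP payload). Returns a pointer
 * to the option data and stores its length, or NULL if the option is absent
 * or the packet is malformed. */
const uint8_t *dhcp_option(const uint8_t *p, size_t len, uint8_t want, uint8_t *optlen)
{
    static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };
    if (len < 240 || p[0] != 2 || memcmp(p + 236, cookie, 4) != 0)
        return NULL;                      /* not a BOOTREPLY carrying DHCP options */
    for (size_t i = 240; i < len; ) {
        uint8_t code = p[i++];
        if (code == 0) continue;          /* Pad: single byte, no length field */
        if (code == 255) break;           /* End */
        if (i >= len) break;              /* length byte missing */
        uint8_t n = p[i++];
        if (n > len - i) break;           /* data would run past the packet */
        if (code == want) { *optlen = n; return p + i; }
        i += n;
    }
    return NULL;
}

/* Copy the first router address (option 3). Returns 1 if found, 0 otherwise. */
int dhcp_first_router(const uint8_t *p, size_t len, uint8_t gw[4])
{
    uint8_t n;
    const uint8_t *d = dhcp_option(p, len, 3, &n);
    if (!d || n < 4 || n % 4 != 0)        /* must be a list of IPv4 addresses */
        return 0;
    memcpy(gw, d, 4);
    return 1;
}

/* Constructed sample: DHCPOFFER with mask, router 192.0.2.1, server id 192.0.2.1. */
const uint8_t SAMPLE_OFFER[262] = {
    [0] = 2, [236] = 0x63, 0x82, 0x53, 0x63,
    53, 1, 2,  1, 4, 255, 255, 255, 0,  3, 4, 192, 0, 2, 1,  54, 4, 192, 0, 2, 1,  255
};

int main(void)
{
    uint8_t gw[4];
    if (dhcp_first_router(SAMPLE_OFFER, sizeof SAMPLE_OFFER, gw))
        printf("router %u.%u.%u.%u\n", gw[0], gw[1], gw[2], gw[3]);
    return 0;
}
```

The same `dhcp_option` call with code 54 returns the server identifier, which is worth recording next to the gateway since any host on the segment can answer a DHCP request.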