Interesting Traces - Multiple MACs for the same IP
No. Time Source Destination Protocol Info
88 15:34:15.885384 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 88 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
89 15:34:15.886319 10.1.1.254 10.1.1.57 ICMP Echo (ping) reply
Frame 89 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Kti_04:d0:10 (00:00:ef:04:d0:10), Dst: StratusC_01:7b:0b (00:04:fc:01:7b:0b)
Internet Protocol, Src: 10.1.1.254 (10.1.1.254), Dst: 10.1.1.57 (10.1.1.57)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
96 15:34:16.885422 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 96 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
97 15:34:16.886200 10.1.1.254 10.1.1.57 ICMP Echo (ping) reply
Frame 97 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Kti_04:d0:10 (00:00:ef:04:d0:10), Dst: StratusC_01:7b:0b (00:04:fc:01:7b:0b)
Internet Protocol, Src: 10.1.1.254 (10.1.1.254), Dst: 10.1.1.57 (10.1.1.57)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
103 15:34:17.885755 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 103 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
104 15:34:17.886304 10.1.1.254 10.1.1.57 ICMP Echo (ping) reply
Frame 104 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Kti_04:d0:10 (00:00:ef:04:d0:10), Dst: StratusC_01:7b:0b (00:04:fc:01:7b:0b)
Internet Protocol, Src: 10.1.1.254 (10.1.1.254), Dst: 10.1.1.57 (10.1.1.57)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
110 15:34:18.885619 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 110 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
111 15:34:18.886116 10.1.1.254 10.1.1.57 ICMP Echo (ping) reply
Frame 111 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Kti_04:d0:10 (00:00:ef:04:d0:10), Dst: StratusC_01:7b:0b (00:04:fc:01:7b:0b)
Internet Protocol, Src: 10.1.1.254 (10.1.1.254), Dst: 10.1.1.57 (10.1.1.57)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
116 15:34:19.885340 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 116 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
117 15:34:19.886045 10.1.1.254 10.1.1.57 ICMP Echo (ping) reply
Frame 117 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Kti_04:d0:10 (00:00:ef:04:d0:10), Dst: StratusC_01:7b:0b (00:04:fc:01:7b:0b)
Internet Protocol, Src: 10.1.1.254 (10.1.1.254), Dst: 10.1.1.57 (10.1.1.57)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
122 15:34:20.885385 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 122 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
123 15:34:20.886112 10.1.1.254 10.1.1.57 ICMP Echo (ping) reply
Frame 123 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Kti_04:d0:10 (00:00:ef:04:d0:10), Dst: StratusC_01:7b:0b (00:04:fc:01:7b:0b)
Internet Protocol, Src: 10.1.1.254 (10.1.1.254), Dst: 10.1.1.57 (10.1.1.57)
Internet Control Message Protocol
|
Trace #2 shows 10.1.1.57 pinging two hosts, 10.1.1.203 and 10.1.1.254. I've filterd out the replies to reduce the length of the trace. 10.1.1.57 is switching between two MAC addresses with frames to 10.1.1.254 sent from 00:04:fc:01:7b:0d and frames to 10.1.1.203 sent from 00:04:fc:01:7b:0b. However this changes in frames 103 and 108, both these frames are sent using the same MAC address and then it starts switching again but now frames to 10.1.1.254 are sent from 00:04:fc:01:7b:0b and frames to 10.1.1.203 are sent from 00:04:fc:01:7b:0d.
No. Time Source Destination Protocol Info
86 15:34:15.791883 10.1.1.57 10.1.1.203 ICMP Echo (ping) request
Frame 86 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: StratusC_c1:86:a1 (00:00:a8:c1:86:a1)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.203 (10.1.1.203)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
88 15:34:15.885384 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 88 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
94 15:34:16.791709 10.1.1.57 10.1.1.203 ICMP Echo (ping) request
Frame 94 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: StratusC_c1:86:a1 (00:00:a8:c1:86:a1)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.203 (10.1.1.203)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
96 15:34:16.885422 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 96 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
101 15:34:17.791848 10.1.1.57 10.1.1.203 ICMP Echo (ping) request
Frame 101 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: StratusC_c1:86:a1 (00:00:a8:c1:86:a1)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.203 (10.1.1.203)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
103 15:34:17.885755 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 103 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
108 15:34:18.791637 10.1.1.57 10.1.1.203 ICMP Echo (ping) request
Frame 108 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: StratusC_c1:86:a1 (00:00:a8:c1:86:a1)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.203 (10.1.1.203)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
110 15:34:18.885619 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 110 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
114 15:34:19.791613 10.1.1.57 10.1.1.203 ICMP Echo (ping) request
Frame 114 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: StratusC_c1:86:a1 (00:00:a8:c1:86:a1)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.203 (10.1.1.203)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
116 15:34:19.885340 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 116 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
120 15:34:20.791628 10.1.1.57 10.1.1.203 ICMP Echo (ping) request
Frame 120 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0d (00:04:fc:01:7b:0d), Dst: StratusC_c1:86:a1 (00:00:a8:c1:86:a1)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.203 (10.1.1.203)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
122 15:34:20.885385 10.1.1.57 10.1.1.254 ICMP Echo (ping) request
Frame 122 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: StratusC_01:7b:0b (00:04:fc:01:7b:0b), Dst: Kti_04:d0:10 (00:00:ef:04:d0:10)
Internet Protocol, Src: 10.1.1.57 (10.1.1.57), Dst: 10.1.1.254 (10.1.1.254)
Internet Control Message Protocol
|
The key to understand what is happening is that 10.1.1.57 is an interface on a Windows 2003 server made up of 2 adapters teamed together using Intel's Adaptive Load Balancing mode. Take a look at Intel Network Connectivity - Teaming with Advanced Networking Services (ANS) (or just google intel ALB mode). In this mode ARPs are answered by the primary adapter so when 10.1.1.254 ARPed for 10.1.1.57's address it got 00:04:fc:01:7b:0b. Traffic may be sent from any adapter in the team, which one is used is based on the current load on the adapter and it can change when the load changes.
Send comments and suggestions