Interesting Traces - ARP returns the broadcast address


A host ARPs the address 192.168.1.7 and gets back the broadcast address instead of a regular MAC address. This is a trace from the Stratus VOS packet_monitor utility.

11:25:02.081 Xmit Ether Dst ff:ff:ff:ff:ff:ff  Src 00:00:a8:80:63:01 Type 0806 (ARP)
ARP Req Target 192.168.1.7    Src  192.168.1.3    [00:00:a8:80:63:01]

11:25:02.085 Rcvd Ether Dst 00:00:a8:80:63:01  Src 00:05:00:b8:05:d7 Type 0806 (ARP)
ARP Rep Target 192.168.1.3    [00:00:a8:80:63:01] Src  192.168.1.7    [ff:ff:ff:ff:ff:ff]

A close look at the Ethernet source address of the ARP reply indicates that it is most likely a router (the 00:05:00 prefix belongs to Cisco). It is in fact a Cisco 3000 series VPN concentrator (model unknown).

It turns out that the host sending the ARP for 192.168.1.7 had the wrong subnet mask. It was set to 255.255.255.0 but should have been 255.255.255.248, which makes 192.168.1.7 the IP broadcast address. The Cisco VPN concentrator had the correct subnet mask set and did a proxy ARP, replying with the correct Ethernet address for an IP broadcast address, which is ff:ff:ff:ff:ff:ff.

For those familiar with the VOS operating system, the TCP_OS stack places the following error in the system syserr_log when it receives the above ARP reply:

          00:03:52  TCP: arp: ether address is broadcast for IP address C0A80107!
C0A80107 is the hexadecimal form of the address 192.168.1.7.
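
As an added example (not part of the original page or of VOS), the Python sketch below flags ARP replies in this trace whose sender hardware address is the broadcast MAC, finds which prefix lengths make the resolved IP a subnet broadcast address for the requester, and decodes the hex address from the syserr_log message. The function names and the regular expression, which is inferred from the single trace shown on this page, are assumptions.

```python
import ipaddress
import re

# Trace lines copied from the packet_monitor output on this page.
TRACE = """\
11:25:02.081 Xmit Ether Dst ff:ff:ff:ff:ff:ff  Src 00:00:a8:80:63:01 Type 0806 (ARP)
ARP Req Target 192.168.1.7    Src  192.168.1.3    [00:00:a8:80:63:01]

11:25:02.085 Rcvd Ether Dst 00:00:a8:80:63:01  Src 00:05:00:b8:05:d7 Type 0806 (ARP)
ARP Rep Target 192.168.1.3    [00:00:a8:80:63:01] Src  192.168.1.7    [ff:ff:ff:ff:ff:ff]
"""

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# Assumed layout of an "ARP Rep" line, inferred from the one reply shown above.
ARP_REP = re.compile(
    r"ARP Rep Target (\S+)\s+\[([0-9a-fA-F:]{17})\]\s+Src\s+(\S+)\s+\[([0-9a-fA-F:]{17})\]")

def broadcast_replies(trace):
    """Return (requester_ip, resolved_ip) for replies whose sender MAC is broadcast."""
    hits = []
    for m in ARP_REP.finditer(trace):
        target_ip, _target_mac, src_ip, src_mac = m.groups()
        if src_mac.lower() == BROADCAST_MAC:
            hits.append((target_ip, src_ip))
    return hits

def is_subnet_broadcast(ip, host_ip, netmask):
    """True if ip is the broadcast address of host_ip's subnet under netmask."""
    net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    return ipaddress.ip_address(ip) == net.broadcast_address

def prefixes_making_broadcast(ip, host_ip):
    """Prefix lengths (/8 to /30) under which ip is host_ip's subnet broadcast."""
    return [p for p in range(8, 31) if is_subnet_broadcast(ip, host_ip, p)]

def syserr_hex_to_ip(hex_addr):
    """Decode the 8-hex-digit address printed in the syserr_log message."""
    return str(ipaddress.ip_address(int(hex_addr, 16)))

if __name__ == "__main__":
    for requester, resolved in broadcast_replies(TRACE):
        print(f"{resolved} resolved to the broadcast MAC; it is the subnet broadcast "
              f"for {requester} under prefixes "
              f"{prefixes_making_broadcast(resolved, requester)}")
    print("syserr_log C0A80107 ->", syserr_hex_to_ip("C0A80107"))
```

A /29 prefix corresponds to the 255.255.255.248 mask, so the only prefix the sketch reports matches the corrected mask described above.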

This page was last modified on 03-07-18
Send comments and suggestions to ndav1@cox.net