Interesting Traces - IP Address bleed through
This trace was created on a Shomiti Surveyor 4.0 by selecting "Print to File" and the "Summary" format. It was taken on the 10.1.1.0 segment. Note that the frames 71, 72, 74 and 75 show typical ping traffic with ping requests from 10.1.1.103 and replies from 10.1.1.203. However frames
70
and
73
are comming from
172.16.1.104, A closer inspection shows that both 172.16.1.104 and 10.1.1.103 have the same MAC address, 000347DDA72B. This could be a simple case of routing except that both addresses belong to different interfaces on the same host and 172.16.1.104 is sending to the limited boradcast address of 255.255.255.255 which should not be forwarded by any router.
----------------------------- Frame ID: 70 -----------------------------
Frame arrived at 03/19 13:49:12.846369, Frame Status: (Good Frame)
000347DDA72B --> BROADCAST
172.16.1.104 --> BROADCAST
Ev2 ET=0x0800:
IP PRO=UDP ID=9843 LEN=1500:
UDP SP=3068 DP=8000 LEN=1480:
----------------------------- Frame ID: 71 -----------------------------
Frame arrived at 03/19 13:49:13.594938, Frame Status: (Good Frame)
000347DDA72B --> Stratus C181DE
10.1.1.103 --> 10.1.1.203
Ev2 ET=0x0800:
IP PRO=ICMP ID=9859 LEN=60:
ICMP Echo Request:
----------------------------- Frame ID: 72 -----------------------------
Frame arrived at 03/19 13:49:13.595089, Frame Status: (Good Frame)
Stratus C181DE --> 000347DDA72B
10.1.1.203 --> 10.1.1.103
Ev2 ET=0x0800:
IP PRO=ICMP ID=278 LEN=60:
ICMP Echo Reply:
----------------------------- Frame ID: 73 -----------------------------
Frame arrived at 03/19 13:49:13.846143, Frame Status: (Good Frame)
000347DDA72B --> BROADCAST
172.16.1.104 --> BROADCAST
Ev2 ET=0x0800:
IP PRO=UDP ID=9867 LEN=1500:
UDP SP=3068 DP=8000 LEN=1480:
----------------------------- Frame ID: 74 -----------------------------
Frame arrived at 03/19 13:49:14.594894, Frame Status: (Good Frame)
000347DDA72B --> Stratus C181DE
10.1.1.103 --> 10.1.1.203
Ev2 ET=0x0800:
IP PRO=ICMP ID=9869 LEN=60:
ICMP Echo Request:
----------------------------- Frame ID: 75 -----------------------------
Frame arrived at 03/19 13:49:14.595043, Frame Status: (Good Frame)
Stratus C181DE --> 000347DDA72B
10.1.1.203 --> 10.1.1.103
Ev2 ET=0x0800:
IP PRO=ICMP ID=279 LEN=60:
ICMP Echo Reply:
This turns out to be standard behavior for a Windows 2000/2003/XP system. If an application sends a packet to the limited boardcast address of 255.255.255.255 it will be transmitted out of all interfaces AND it will use as the source IP address the IP address of the first 255.255.255.255 route in the routing table.
C:\ route print
. . .
Active Routes:
Network Destination Netmask Gateway Interface Metric
. . .
255.255.255.255 255.255.255.255 172.16.1.104 172.16.1.104 1
Default Gateway: 172.16.1.254
===========================================================================
Persistent Routes:
None
While you cannot completely stop this behavior in Windows 2000 you can control the route and so control what IP address is used. The trick is to disable interfaces until the route you want is displayed and then you can reenable the interfaces. This doesn't appear to work on Windows 2003.
According to Microsoft support this is how they designed it to work.
This page was last modified on 04-03-19
Send comments and suggestions
to ndav1@cox.net