Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!decvax!decwrl!ucbvax!MITRE-BEDFORD.ARPA!bjp
From: bjp@MITRE-BEDFORD.ARPA.UUCP
Newsgroups: mod.protocols.tcp-ip
Subject: Mysterious ARP behavior on a tcp-ip ethernet
Message-ID: <8607311932.AA09122@mitre-bedford.ARPA>
Date: Fri, 1-Aug-86 00:08:16 EDT
Article-I.D.: mitre-be.8607311932.AA09122
Posted: Fri Aug 1 00:08:16 1986
Date-Received: Fri, 1-Aug-86 08:41:30 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The MITRE Corp., Bedford, MA
Lines: 39
Approved: tcp-ip@sri-nic.arpa

I am looking to see if anyone out there can give me some information on what might be going on with our network. We have a 500 meter ethernet cable hooking together several sun workstations, a pc, a couple of Celerities, random other machines, and an appletek bridge that gets us to a broadband cable with much else on it. TCP/IP are the networking protocols used and arp is used for address translation of IP internet addresses to 48 bit ethernet addresses.

Some folks noticed bursts of ethernet broadcast messages received by an IBM PC that occurred at intervals sometimes 15 seconds, sometimes 1 minute apart. I took a nutcracker and examined the traffic and took samples of the traffic including bursts of broadcast packets. I captured 128 octet slices of each packet in the traffic sample. I disassembled the hex codes to identify MAC frame fields and their contents, including the data field where I found either ip header info, or arp header info.

Here is what I found. There were about 30 packets in each burst. Each was an arp request packet sent by a particular host looking for the ethernet address for 192.12.120.255 (255 is a reserved assigned number that, when in the host field, means all hosts on 192.12.120, which is our network, mitre-b-net). This looked absurd - arp broadcasting to seek the ethernet address of what looked to me like an Internet style broadcast address for our network.
Without fail this burst of arp mischief was preceded with an ethernet broadcast packet with an ip packet in its data field whose source address was either one of two guilty hosts and whose destination address was 192.12.120.255. One of the hosts is our gateway to the arpanet, milnet and many other wonderful places in the world.

The plot thickens. I examined the translation tables on several hosts and found the internet address 192.12.120.255 with a big ? where an ethernet address would have been if arp had a sensible internet address for a specific target host to work with.

Does anyone know why IP would do such a thing? Is this how IP forwards? If this is legitimate forwarding then why do arps do silly things with it?

bj Pease
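
The frame-by-frame disassembly described in the article above, as an added example that is not part of the original post: it parses Ethernet frames, flags ARP requests whose target is the network's broadcast IP address, and groups them under the IP broadcast that preceded them. The /24 mask, the MAC addresses, the host numbers .1 and .7 and all function names are assumptions made for the illustration.

```python
import ipaddress
import struct
from socket import inet_aton, inet_ntoa

ETH_BCAST = b"\xff" * 6
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
# Network from the post; the /24 mask is an assumption (classful class C).
BCAST_IP = ipaddress.ip_network("192.12.120.0/24").broadcast_address.packed

def classify(frame, bcast_ip=BCAST_IP):
    """Label one captured Ethernet frame; returns (label, sender IP or None)."""
    if len(frame) < 14:
        return ("truncated", None)
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    if ethertype == ETHERTYPE_ARP and len(body) >= 28:
        *fixed, _sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])
        is_request = fixed == [1, ETHERTYPE_IP, 6, 4, 1]  # htype ptype hlen plen oper
        label = "arp-for-broadcast" if is_request and tpa == bcast_ip else "arp"
        return (label, inet_ntoa(spa))
    if ethertype == ETHERTYPE_IP and len(body) >= 20:
        src_ip, dst_ip = body[12:16], body[16:20]
        label = "ip-broadcast" if dst == ETH_BCAST and dst_ip == bcast_ip else "ip"
        return (label, inet_ntoa(src_ip))
    return ("other", None)

def bursts(frames, bcast_ip=BCAST_IP):
    """Group ARP requests for the broadcast IP under the IP broadcast before them."""
    out = []
    for frame in frames:
        label, sender = classify(frame, bcast_ip)
        if label == "ip-broadcast":
            out.append({"trigger": sender, "arp_senders": {}})
        elif label == "arp-for-broadcast" and out:
            counts = out[-1]["arp_senders"]
            counts[sender] = counts.get(sender, 0) + 1
    return out

# Constructed sample capture: the MACs and host numbers .1 and .7 are made up.
def arp_request(mac, spa, tpa):
    hdr = struct.pack("!HHHBBH", ETHERTYPE_ARP, 1, ETHERTYPE_IP, 6, 4, 1)
    return ETH_BCAST + mac + hdr + mac + inet_aton(spa) + bytes(6) + inet_aton(tpa)

def ip_broadcast(mac, src, dst):
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 30, 17, 0, 0]) + inet_aton(src) + inet_aton(dst)
    return ETH_BCAST + mac + struct.pack("!H", ETHERTYPE_IP) + ip

GW, HOST = bytes.fromhex("020000000001"), bytes.fromhex("020000000007")
SAMPLE = ([ip_broadcast(GW, "192.12.120.1", "192.12.120.255")]
          + [arp_request(HOST, "192.12.120.7", "192.12.120.255")] * 30)
```

Calling `bursts(SAMPLE)` yields one burst whose trigger is the broadcasting host and whose ARP sender count is 30, the pattern the post reports.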