[Winpcap-users] Rarp Packets !?

Steighton_Haley at McAfee.com Steighton_Haley at McAfee.com
Mon Oct 17 21:18:38 GMT 2005 

Reverse ARP is a predecessor to BOOTP, on which DHCP is based.
Generally, the spec. requires an *authoritative* response (hence the
questions about a RARP server).  It may very well be that there are
TCP/IP implementations out there which will respond to RARP packets in
the way you describe, but I have yet to find any.
 
Besides, RARP (because of it's associations with BOOTP), is totally the
wrong thing to use... what you *really* want is INVARP which was
invented for use by ATM switches so that their IP addresses could be
queried directly based on MAC address.  But, again, nobody outside of
the ATM community implements INVARP in their TCP/IP stack.
 
Effectively, what this means is that there is *no way* within the scope
of the standard protocols to force a system whose MAC address you know
to tell you it's associated IP address.
 
There may be a way to do it outside of the standards (maybe by crafting
an ICMP packet with a bogus IP and sending it directly to the system..
.and then reading the real IP out of the reply..), but that would have
unpredictable results...
 
Anyway, sorry to continue the bad news :-(
 
SLH.


________________________________

	From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of winpcap
	Sent: Thursday, October 13, 2005 3:21 AM
	To: winpcap-users at winpcap.org
	Subject: [Winpcap-users] Rarp Packets !?
	
	
	Hi everyone.
	 
	This might not be the correct place for this, but here it goes.
	I have made a little program using winpcap to send rarp packets,
	to find out the ip address of a specific mac address.
	 
	When i have assembled my rarp packet i send it via winpcap.
	I am using ethereal to check if my packets are correctly put
together,
	and according to ethereal, they is. The packets that i send can
nicely be
	seen in ethereals window, with the correct addresses and
opcodes.
	 
	Now, the problem is that i never get a reply.
	According to rfc 903 rarp is mostly used for diskless systems to
find
	out their ip when they boot.
	 
	
	I have tried any combination of arp/rarp type (0x0806 and
0x8035) and
	any of the opcodes (1..4).
	 
	Now, the question remains, are normal workstations/servers not
supposed
	to answer rarp packets? I have a mixed environtment with 50++
computers,
	windows workstations, windows servers and linux servers...
	None of these answer my rarp packets.
	 
	Hopefully someone can shed some light on this.
	Thanks.
	 
	J. Thomsen, Denmark.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20051017/0cdca78b/attachment.htm

More information about the Winpcap-users mailing list