Subject: Re: mbuf and network question...
To: <>
From: Ignatios Souvatzis <is@beverly.kleinbus.org>
List: tech-net
Date: 08/18/2000 22:07:33
On Fri, Aug 18, 2000 at 03:25:02PM -0400, Andrew Brown wrote:
> when examining an arp packet, and accounting for proxy arp, there are
> two different ethernet addresses i'd like to be able to examine.  or
> print.
> 
> the first is, of course, ar_sha, which is the actual hardware address
> to which subsequent ip datagrams will be sent.  usually this is
> enough.
> 
> the other is the source address in the ethernet header itself.  in the
> case of faulty proxy arp, this is the machine which is actually doing
> the damage to the network, but as far as i can tell, nothing in the
> arp layer actually logs this address anywhere, leaving the actual
> culprit a mystery.
> 
> it strikes me, though, that the ethernet layer strips off the ethernet
> header before passing it up, so this piece of information is lost.  or
> is it?

That's right. The reason is that there are quite different hardware types
possible... implemented in NetBSD, at least

- Ethernet/FDDI (always 2*6bytes MAC and 2 bytes protocol type)
- Token Ring (2*6bytes MAC + source routing chain + see above)
- ARCnet (3, 6, or 10 byte header with 1 byte HW addresses)

The inner ARCnet packet contains all of this, + length indications, so that
it can be handled type independent. 

I guess a hardware layer (if_arcsubr.c, if_ethersubr.c etc.) could have an
option to log inner address != outer address.

For the special case of Ethernet, you can quickly wire up a BPF filter to 
log those events, if you need them *now*.

Regards,
	-is
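
The Ethernet-only check suggested above, as an added example that is not part of the original mail: it compares the source address in the Ethernet header with ar_sha inside the ARP payload and prints both when they differ. The function name `arp_src_mismatch` and the two sample frames are constructed for illustration (documentation MAC and IP ranges).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN 14      /* 6 dst + 6 src + 2 type */
#define ETHERTYPE_ARP 0x0806
#define ARP_FIXED_LEN 8       /* htype, ptype, hlen, plen, oper */

/*
 * 1: Ethernet ARP frame whose outer source MAC differs from ar_sha
 * 0: the two addresses agree
 * -1: not an untagged Ethernet ARP frame, or truncated
 * The same comparison as a pcap filter expression:
 *   arp and (ether[6:4] != ether[22:4] or ether[10:2] != ether[26:2])
 */
int arp_src_mismatch(const uint8_t *f, size_t len)
{
    const uint8_t *arp = f + ETHER_HDR_LEN;

    if (len < ETHER_HDR_LEN + ARP_FIXED_LEN)
        return -1;
    if (((f[12] << 8) | f[13]) != ETHERTYPE_ARP)
        return -1;              /* also skips 802.1Q-tagged frames */
    /* ar_sha sits at a fixed offset only for htype 1 (Ethernet), hlen 6 */
    if (((arp[0] << 8) | arp[1]) != 1 || arp[4] != 6)
        return -1;
    if (len < ETHER_HDR_LEN + ARP_FIXED_LEN + 6)
        return -1;
    return memcmp(f + 6, arp + ARP_FIXED_LEN, 6) != 0;
}

/* Constructed sample: ARP reply sent by the station named in ar_sha. */
static const uint8_t frame_ok[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0x5e,0x00,0x53,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x02,
    0x00,0x00,0x5e,0x00,0x53,0x01, 192,0,2,1,
    0x00,0x00,0x5e,0x00,0x53,0x09, 192,0,2,9 };
/* Constructed sample: same ar_sha, but a different station sent the frame. */
static const uint8_t frame_proxy[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0x5e,0x00,0x53,0x02, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x02,
    0x00,0x00,0x5e,0x00,0x53,0x01, 192,0,2,1,
    0x00,0x00,0x5e,0x00,0x53,0x09, 192,0,2,9 };

int main(void)
{
    const uint8_t *f = frame_proxy;
    if (arp_src_mismatch(f, sizeof frame_proxy) == 1)
        printf("arp: ether src %02x:%02x:%02x:%02x:%02x:%02x != ar_sha "
            "%02x:%02x:%02x:%02x:%02x:%02x\n", f[6], f[7], f[8], f[9], f[10],
            f[11], f[22], f[23], f[24], f[25], f[26], f[27]);
    return 0;
}
```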