Subject: Re: mbuf and network question...
From: Ignatios Souvatzis <firstname.lastname@example.org>
Date: 08/18/2000 22:07:33
On Fri, Aug 18, 2000 at 03:25:02PM -0400, Andrew Brown wrote:
> when examining an arp packet, and accounting for proxy arp, there are
> two different ethernet addresses i'd like to be able to examine. or
> the first is, of course, ar_sha, which is the actual hardware address
> to which subsequent ip datagrams will be sent. usually this is
> the other is the source address in the ethernet header itself. in the
> case of faulty proxy arp, this is the machine which is actually doing
> the damage to the network, but as far as i can tell, nothing in the
> arp layer actually logs this address anywhere, leaving the actual
> culprit a mystery.
> it strikes me, though, that the ethernet layer strips off the ethernet
> header before passing it up, so this piece of information is lost. or
> is it?
That's right. The reason is that there are quite different hardware types
possible... implemented in NetBSD, at least
- Ethernet/FDDI (always 2*6bytes MAC and 2 bytes protocol type)
- Token Ring (2*6bytes MAC + source routing chain + see above)
- ARCnet (3, 6, or 10 byte header with 1 byte HW addresses)
The inner ARCnet packet contains all of this, + length indications, so that
it can be handled type independent.
I guess a hardware layer (if_arcsubr.c, if_ethersubr.c etc.) could have an
option to log inner address != outer address.
For the special case of Ethernet, you can quickly wire up a BPF filter to
log those events, if you need them *now*.
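
The inner-versus-outer address check discussed above, as an added example that is not part of the original message or of NetBSD's code: it compares the Ethernet source address with ar_sha in a raw frame of the kind a BPF tap delivers. The function names and the two sample frames are constructed for illustration, and the offsets assume an untagged Ethernet frame carrying ARP for IPv4.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets assume an untagged Ethernet frame carrying ARP for IPv4. */
#define ETH_SRC_OFF   6                /* after the 6-byte destination */
#define ARP_OFF       14               /* dst(6) + src(6) + type(2) */
#define ARP_SHA_OFF   (ARP_OFF + 8)    /* after hrd, pro, hln, pln, op */
#define ARP_FRAME_LEN (ARP_OFF + 28)

/* Returns 1 if the outer source MAC differs from ar_sha, 0 if they match,
 * -1 if the frame is truncated or is not Ethernet/IPv4 ARP.
 * Roughly the same test as a pcap filter expression:
 *   arp and (ether[6:4] != ether[22:4] or ether[10:2] != ether[26:2]) */
int arp_sha_mismatch(const uint8_t *f, size_t len)
{
    if (len < ARP_FRAME_LEN) return -1;
    if (f[12] != 0x08 || f[13] != 0x06) return -1;  /* ethertype ARP */
    if (f[14] != 0x00 || f[15] != 0x01) return -1;  /* ar_hrd: Ethernet */
    if (f[16] != 0x08 || f[17] != 0x00) return -1;  /* ar_pro: IPv4 */
    if (f[18] != 6 || f[19] != 4) return -1;        /* ar_hln, ar_pln */
    return memcmp(f + ETH_SRC_OFF, f + ARP_SHA_OFF, 6) != 0;
}

/* Log both addresses when they differ; returns the check result. */
int report_frame(const uint8_t *f, size_t len)
{
    int r = arp_sha_mismatch(f, len);
    const uint8_t *o = f + ETH_SRC_OFF, *i = f + ARP_SHA_OFF;
    if (r == 1)
        printf("arp: ether src %02x:%02x:%02x:%02x:%02x:%02x != "
               "ar_sha %02x:%02x:%02x:%02x:%02x:%02x\n",
               o[0], o[1], o[2], o[3], o[4], o[5],
               i[0], i[1], i[2], i[3], i[4], i[5]);
    return r;
}

/* Constructed sample frames (documentation MAC and IP ranges). */
static const uint8_t frame_ok[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0x5e,0x00,0x53,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01,
    0x00,0x00,0x5e,0x00,0x53,0x01, 192,0,2,1, 0,0,0,0,0,0, 192,0,2,2 };
static const uint8_t frame_proxy[42] = {        /* outer src ends in :02 */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0x5e,0x00,0x53,0x02, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01,
    0x00,0x00,0x5e,0x00,0x53,0x01, 192,0,2,1, 0,0,0,0,0,0, 192,0,2,2 };

int main(void)
{
    report_frame(frame_ok, sizeof frame_ok);
    report_frame(frame_proxy, sizeof frame_proxy);
    return 0;
}
```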