<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.3790.2491" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi all.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thanks for the answers.</FONT></DIV>
<DIV><FONT face=Arial size=2>At least now I know why it doesn't
work.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Regards</FONT></DIV>
<DIV><FONT face=Arial size=2>J. Thomsen, Denmark</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
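<DIV>Added example, not part of any message in this thread: a Python decoder for the ARP/RARP frames discussed here, showing which EtherType and opcode pairings RFC 826 and RFC 903 define and what a RARP request and an authoritative server's reply carry. The function names and all MAC/IP sample values are constructed for illustration.</DIV>
<PRE>
```python
import struct

ETH_ARP, ETH_RARP = 0x0806, 0x8035
# opcode -> (name, EtherType it is defined under); 1-2 per RFC 826, 3-4 per RFC 903
OPCODES = {1: ("ARP request", ETH_ARP), 2: ("ARP reply", ETH_ARP),
           3: ("RARP request", ETH_RARP), 4: ("RARP reply", ETH_RARP)}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def build(ethertype, op, sha, spa, tha, tpa, dst=b"\xff" * 6):
    # Assemble Ethernet II + ARP/RARP for IPv4; used only for the constructed samples.
    header = dst + sha + struct.pack("!H", ethertype)
    return header + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def decode(frame):
    """Decode an ARP-family frame and report whether EtherType and opcode agree."""
    if len(frame) < 42:  # 14 bytes Ethernet + 28 bytes ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_ARP, ETH_RARP):
        raise ValueError(f"not ARP/RARP: 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    name, defined_under = OPCODES.get(op, ("unknown opcode", None))
    return {
        "name": name,
        "consistent": defined_under == ethertype,
        "sender": (mac(frame[22:28]), ip(frame[28:32])),
        "target": (mac(frame[32:38]), ip(frame[38:42])),
    }

# Constructed sample values: made-up local MACs, documentation range 192.0.2.0/24.
ASKER, WANTED, SERVER = (bytes.fromhex(h) for h in
                         ("020000000001", "020000000002", "0200000000fe"))
ZERO_IP = bytes(4)
# RARP request: target hardware address names the MAC whose IP is wanted.
REQUEST = build(ETH_RARP, 3, ASKER, ZERO_IP, WANTED, ZERO_IP)
# Reply as an authoritative RARP server holding a MAC-to-IP table would send it.
REPLY = build(ETH_RARP, 4, SERVER, bytes([192, 0, 2, 1]), WANTED,
              bytes([192, 0, 2, 77]), dst=ASKER)
# One of the mixed pairings from the question: RARP opcode under the ARP EtherType.
MIXED = build(ETH_ARP, 3, ASKER, ZERO_IP, WANTED, ZERO_IP)

if __name__ == "__main__":
    for label, frame in (("request", REQUEST), ("reply", REPLY), ("mixed", MIXED)):
        print(label, decode(frame))
```
</PRE>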
<DIV>----- Original Message ----- </DIV>
<DIV><B>From:</B> <A title=Steighton_Haley@mcafee.com
href="mailto:Steighton_Haley@mcafee.com">Steighton_Haley@mcafee.com</A> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=winpcap-users@winpcap.org
href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Monday, October 17, 2005 11:18
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [Winpcap-users] Rarp Packets
!?</DIV>
<DIV><BR></DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2>Reverse ARP is a predecessor to BOOTP, on which DHCP is based.
Generally, the spec. requires an *authoritative* response (hence the questions
about a RARP server). It may very well be that there are TCP/IP
implementations out there which will respond to RARP packets in the way you
describe, but I have yet to find any.</FONT></SPAN></DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2>Besides, RARP (because of its associations with BOOTP), is totally the
wrong thing to use... what you *really* want is INVARP which was invented for
use by ATM switches so that their IP addresses could be queried directly based
on MAC address. But, again, nobody outside of the ATM community
implements INVARP in their TCP/IP stack.</FONT></SPAN></DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2>Effectively, what this means is that there is *no way* within the scope
of the standard protocols to force a system whose MAC address you know to
tell you its associated IP address.</FONT></SPAN></DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2>There may be a way to do it outside of the standards (maybe by crafting
an ICMP packet with a bogus IP and sending it directly to the system... and
then reading the real IP out of the reply..), but that would have
unpredictable results...</FONT></SPAN></DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2>Anyway, sorry to continue the bad news :-(</FONT></SPAN></DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=160281221-17102005><FONT face=Arial color=#800080
size=2>SLH.</FONT></SPAN></DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #800080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> winpcap-users-bounces@winpcap.org
[mailto:winpcap-users-bounces@winpcap.org] <B>On Behalf Of
</B>winpcap<BR><B>Sent:</B> Thursday, October 13, 2005 3:21 AM<BR><B>To:</B>
winpcap-users@winpcap.org<BR><B>Subject:</B> [Winpcap-users] Rarp Packets
!?<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Arial size=2>Hi everyone.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>This might not be the correct place for this,
but here it goes.</FONT></DIV>
<DIV><FONT face=Arial size=2>I have made a little program using winpcap to
send rarp packets,</FONT></DIV>
<DIV><FONT face=Arial size=2>to find out the ip address of a specific mac
address.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>When I have assembled my rarp packet I send it
via winpcap.</FONT></DIV>
<DIV><FONT face=Arial size=2>I am using ethereal to check if my
packets are correctly put together,</FONT></DIV>
<DIV><FONT face=Arial size=2>and according to ethereal, they
are. The packets that I send can nicely be</FONT></DIV>
<DIV><FONT face=Arial size=2>seen in ethereal's window, with the correct
addresses and opcodes.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Now, the problem is that I never get a
reply.</FONT></DIV>
<DIV><FONT face=Arial size=2>According to rfc 903 rarp is mostly used for
diskless systems to find</FONT></DIV>
<DIV><FONT face=Arial size=2>out their ip when they boot.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>I have tried any combination of arp/rarp type
(0x0806 and 0x8035) and</FONT></DIV>
<DIV><FONT face=Arial size=2>any of the opcodes (1..4).</FONT></DIV>
<DIV> </DIV>
<DIV>Now, the question remains, are normal workstations/servers not
supposed</FONT></DIV>
<DIV><FONT face=Arial size=2>to answer rarp packets? I have a mixed
environment with 50++ computers,</FONT></DIV>
<DIV><FONT face=Arial size=2>windows workstations, windows servers and linux
servers...</FONT></DIV>
<DIV><FONT face=Arial size=2>None of these answer my rarp
packets.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Hopefully someone can shed some light on
this.</FONT></DIV>
<DIV><FONT face=Arial size=2>Thanks.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>J. Thomsen, Denmark.</FONT></DIV></BLOCKQUOTE>
</BLOCKQUOTE></BODY></HTML>