I just started trying to learn Ethereal, the free packet sniffer which seems to be very popular. There are some cryptic lines that I am having problems interpreting. For many entries the source and destination addresses are in hex, like this:
00000000.000048af8d6c
How does one read this? I was expecting to see IP addresses in those fields, not hex or whatever the above might be. To compound the problem the associated protocols are all Netware related. We used to run a Netware network before upgrading to Server 2003 so I assume these are old clients or networking devices still using the IPX protocol…except I can’t ID them without a real IP address. Can anyone set me straight?
Ethernet uses 48-bit source and destination addresses in each Ethernet packet. These are not IP addresses. IP is just a protocol that is layered on top of Ethernet. IP uses ARP (address resolution protocol) to map IP addresses to Ethernet addresses. If you’ve ever installed an Ethernet card, you may have noticed a sticker on the card that lists its 48-bit address in the format of 12 hexadecimal digits. Ethernet supports many other protocols besides IP, such as Novell’s IPX and NETBEUI.
The unusual numbers you see are IPX addresses. The part before the period is the IPX network number, and the part after is the IPX address of the client, which is usually the MAC address of the Ethernet interface. There is no “real” IP address. Such a statement is meaningless. Though IPX is analogous to IP, it is a separate protocol.
Interesting…I do understand that IPX and IP are different protocols but how does one use the address information to locate the machine putting out all that data? I didn’t see any info in there that would help me identify the device. Thanks for the help!
So the last 48 bits of the address are the MAC address of the node sending the packet. You can then try to run “ARP -a” from a command prompt in Windows and see if your computer already has it resolved. If not then you will need to get a RARP client to resolve the IP address. The only problem is that you will need to be on the same network as the system you are trying to get the IP for. RARP requests are not routable.
I take it you mean locate physically. Same way you do it with an IP network. You go around to each possible machine and check its network address. In this case, the physical address of the network interface will do. No networking protocol I know of has a “locate machine” ability built into it. If you have remote access to a machine, which you might since you seem to be running Netware, you can do something like eject the CD tray or display a noteworthy image on the monitor. If you have IPX routers or managed switches, you might be able to check those devices and narrow it down to a certain physical network segment.
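The lookup described in this thread, as an added example that is not part of the original posts: it splits an IPX network.node address into its network number and MAC address, then searches the text of a Windows "arp -a" listing for that MAC. The function names and the sample ARP listing are constructed for illustration; a host that only speaks IPX has no ARP entry, so the lookup returns None for it.

```python
import re

# network.node: 8 hex digits (32-bit network), a dot, 12 hex digits (48-bit node)
IPX_RE = re.compile(r"^([0-9a-fA-F]{8})\.([0-9a-fA-F]{12})$")
# One data row of Windows "arp -a": IP address, dash-separated MAC, entry type
ARP_ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+\w+"
)

def parse_ipx(addr):
    """Split an IPX address into its network number and node (MAC) parts."""
    m = IPX_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not an IPX network.node address: {addr!r}")
    network, node = m.group(1).lower(), m.group(2).lower()
    octets = [node[i:i + 2] for i in range(0, 12, 2)]
    return {
        "network": network,
        "local_network": network == "00000000",  # network 0 means the local segment
        "mac": "-".join(octets),                 # same notation as "arp -a"
        "oui": "-".join(octets[:3]),             # vendor prefix of the interface
        "broadcast": node == "f" * 12,           # all-ones node is a broadcast
    }

def parse_arp_table(text):
    """Map MAC -> IP from the text of an "arp -a" listing."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW_RE.match(line)
        if m:
            table[m.group(2).lower()] = m.group(1)
    return table

def ip_for_ipx(addr, arp_text):
    """Return the IP cached for the IPX node's MAC, or None if not known."""
    info = parse_ipx(addr)
    if info["broadcast"]:
        return None  # a broadcast node does not identify one machine
    return parse_arp_table(arp_text).get(info["mac"])

# Constructed sample listing, not captured from a real network.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.57          00-00-48-af-8d-6c     dynamic
"""

if __name__ == "__main__":
    print(parse_ipx("00000000.000048af8d6c"))
    print(ip_for_ipx("00000000.000048af8d6c", SAMPLE_ARP))
```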