List:       linux-sparc
Subject:    JavaStation / tcpdump
From:       SparcLinux Mailing list <sparclinux () atari-source ! com>
Date:       2001-05-11 13:43:23


The following is a TCPdump log... it's amazing how much traffic we get, it
was hard to see anything occurring on the local net with all the external
DNS lookups, etc. going on.  I grepped the log to show only lines
containing internal hostnames, IP addresses or MAC addresses.

I realize that by giving out my real IP addresses, etc., I am asking for
someone to attack me, but oh well ;)

For some background:
"Sparcy" is our main server, it does master DNS, email, etc.  I know I'm
creative, but it's a Sparc machine running linux.
"Piku" is also a Sparc machine running linux.  Piku is a sort-of sand-box
machine.  Piku is the machine I am trying to set up to boot the
Javastation from.
Normally the IP the JavaStation is using is assigned to another machine
(An Atari TT!), but I took that off the network for now, so I could re-use
the IP address temporarily.

08:34:28.473165 arp who-has sparcy (0:0:0:0:0:1) tell piku.atari-source.com
08:34:28.474058 arp reply sparcy is-at 8:0:20:c0:ff:ee
08:34:28.474303 piku.atari-source.com.1036 > sparcy.domain: 1220+ (43)

... bunch of these DNS lookups, going to the root servers and back, I
don't know why...

08:34:33.470139 arp who-has 64.81.213.1 tell sparcy
08:34:33.475349 piku.atari-source.com.1036 > sparcy.domain: 1224+ (42)
08:34:33.477935 sparcy.domain > piku.atari-source.com.1036: 1224 NXDomain* 0/1/0 (96)
08:34:33.537925 arp reply 64.81.213.1 is-at 0:2:3b:0:af:8b

of course .1 is the router/gateway.  It occurred to me that this could be
interfering?  I.e. if the router answered ARP/RARP requests it didn't know
negatively, it could interfere with Piku answering.  It doesn't appear
that this happens though.

08:34:33.570113 arp who-has piku.atari-source.com (0:0:0:0:0:2) tell sparcy
08:34:33.570386 arp reply piku.atari-source.com is-at 8:0:20:c0:ff:ef

This strikes me as odd, because.. doesn't ARP cache this?  Sparcy has been
up over 60 days, piku has been up several, why would ARP requests still be
being made so often?

08:34:36.169432 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x128e [|bootp]
08:34:40.142791 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x128e [|bootp]

I assume this is what we were looking for.. there seems to be no answer
returned.

08:34:44.804773 sparcy.1023 > 208.37.85.116.printer: S 3151978061:3151978061(0) win 32120 <mss 1460,sackOK,timestamp 582452205[|tcp]> (DF)

no clue about that...  Involves my old IP address though... perhaps I
forgot to switch something over involving lpd.

08:34:44.810679 piku.atari-source.com.1036 > sparcy.domain: 1225+ (44)
08:34:45.171675 sparcy.domain > piku.atari-source.com.1036: 1225 NXDomain* 0/1/0 (112)

More DNS lookups...

08:34:47.171223 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x128e [|bootp]

Another request from the JavaStation?  Again, no answer.

One experiment I suppose I should try is to take piku off of the network
and connect him directly to the JS so I don't have to worry about all this
other extra traffic.

I notice that the above lines were labeled as "bootp", not RARP
requests.  According to the "Linux on Sun JavaStation FAQ", a RARP request
is first performed.  I looked at the complete log, and saw none relating
to the MAC address of the JavaStation.

Piku is definitely connected to the network properly, as besides the
evidence from the above results, I ran the TCPdump from piku, so obviously
he is seeing the packets.

Just to convince you ARP/RARP /should/ be working:

piku [/]# rarp -a
IP address       HW type             HW address
64.81.213.157    10Mbps Ethernet     08:00:20:87:00:29

piku [/]# arp -a
monolith (64.81.213.157) at 08:00:20:87:00:29 [ether] PERM on eth0
sparcy (64.81.213.156) at 08:00:20:C0:FF:EE [ether] on eth0
? (64.81.213.1) at 00:02:3B:00:AF:8B [ether] on eth0

Not that it matters, since a RARP request didn't seem to be made (unless I
am misinterpreting the BOOTP lines?)

perhaps I need to make certain that the DHCP server is also serving BOOTP?

in my dhcp.conf is the following:

 group
 {
    host monolith
    {
       hardware ethernet 08:00:20:87:00:29;
       filename "4051D59D";        # "/tftpboot/xxx" # needs fixed
       fixed-address monolith;         # 64.81.213.157
    }
 }

I triple-checked the IP and MAC addresses, they appear to be correct.

/etc/hosts contains:

64.81.213.157 monolith monolith.atari-source.com

an nmap UDP scan reveals the following:

Port    State       Protocol  Service
53      open        udp        domain
67      open        udp        bootps
69      open        udp        tftp
177     open        udp        xdmcp
1024    open        udp        unknown

I'm at somewhat of a loss, but I have never even attempted booting a
normal sparc machine off of the network, much less a JavaStation.  If
anyone has any ideas, please let me know.  I am not a UDP or Ethernet
wizard, and I have not played with ARP/RARP, TFTP or DHCP much in the
past, so I am sure it's some foolish mistake on my part.

thanks,
   -- noah silva
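
Added example, not part of the original message: a small Python script that does the check carried out by eye above, pairing each BOOTP request in a tcpdump text log with any reply carrying the same xid and counting RARP lines. The first four sample lines are copied from the message; the last two (xid 0xbeef, server 192.0.2.10) are constructed, and the "rarp " line prefix is an assumption about this tcpdump version's output.

```python
import re
from collections import defaultdict

# Old tcpdump text format as seen in the message, e.g.
# 08:34:36.169432 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x128e [|bootp]
LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>bootpc|bootps|67|68) > "
    r"(?P<dst>\S+)\.(?P<dport>bootpc|bootps|67|68):.*?xid:(?P<xid>0x[0-9a-f]+)"
)
RARP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ rarp ")  # assumed prefix of RARP lines
CLIENT, SERVER = {"bootpc", "68"}, {"bootps", "67"}

SAMPLE = """\
08:34:33.570386 arp reply piku.atari-source.com is-at 8:0:20:c0:ff:ef
08:34:36.169432 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x128e [|bootp]
08:34:40.142791 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x128e [|bootp]
08:34:47.171223 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x128e [|bootp]
09:00:00.000000 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xbeef [|bootp]
09:00:00.100000 192.0.2.10.bootps > 255.255.255.255.bootpc: xid:0xbeef [|bootp]
"""

def seconds(m):
    """Timestamp of a matched line as seconds since midnight."""
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])

def bootp_summary(log_text):
    """Return ({xid: {"requests": [t], "replies": [t]}}, number_of_rarp_lines)."""
    xids = defaultdict(lambda: {"requests": [], "replies": []})
    rarp = 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if RARP.match(line):
            rarp += 1
        elif m and m["sport"] in CLIENT and m["dport"] in SERVER:
            xids[m["xid"]]["requests"].append(seconds(m))
        elif m and m["sport"] in SERVER and m["dport"] in CLIENT:
            xids[m["xid"]]["replies"].append(seconds(m))
    return dict(xids), rarp

def unanswered(xids):
    """Map each xid with requests but no reply to its retransmit gaps (seconds)."""
    return {x: [round(b - a, 1) for a, b in zip(d["requests"], d["requests"][1:])]
            for x, d in xids.items() if d["requests"] and not d["replies"]}

if __name__ == "__main__":
    found, rarp_lines = bootp_summary(SAMPLE)
    print("RARP lines:", rarp_lines, "| unanswered:", unanswered(found))
```

An xid that stays in the unanswered set while its gaps grow is a client retransmitting with backoff and hearing nothing, which is the pattern in the 0x128e lines above.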


