Can not trace the packets to a specific gateway ip

0

I try to make the OSX host-A to be a specific gateway for a Linux host-B. The default gateway entry of B has been deleted and add a specific gateway as below. Note: 98.136.144.138 is the ip address of domain name of "search.yahoo.com". Host-A can reach search.yahoo.com normally. ip of A is 10.192.29.246 and ip of B is 10.192.13.160.

enter image description here

When host-B browser refreshes the ip of 98.136.144.138, the web page shows as expected. But the Wireshark can not capture any packets illustrating the packets from host-B reach the gateway host-A first and host-A routes these packets. Why the information does not show?

  • The packets Wireshark captured in host-B as below. After I add specific route and refresh 98.136.144.138 of Yahoo Search in browser of host-B, packets below the line in picture turn up. But no info upon packets to specific gateway(host-A). And how to get the packets to a gateway if necessary?

enter image description here

  • The returns of command traceroute 98.136.144.138in host-B as below. And why the fist line is old default gateway 10.255.255.1 not specific gateway host-A. Host-A ip 10.192.29.246 even did not show .

enter image description here

If we can not trace or capture the data from host-B to the specific gateway(host-A) according to the routing table when browse the "Yahoo Search" page, how do we know whether it's really happened that host-B reach "Yahoo Search" page via host-A? The routing rules are on the routing table, but we need to really know that. Any help would be appreciated.

Update: add the layer II information of Wireshark below.10.192.26.24 is the host-B ip address now since restarted (But host-A is still 10.192.29.246). The first packet is sent to MAC address 00:00:5e:00:01:02 which belongs to the deleted default gateway 10.192.0.1. But how does it still be sent to deleted gateway? All following packets don't contain MAC address of host-A. enter image description here

enter image description here

Update: And a diagram for illustrating my purpose. enter image description here I am not sure this is right? Today when I retried this, host-B could access to 98.136.144.138 at first and Wireshark captured some info about "redirect". This is real communication between host-A and host-B. enter image description here

However, it was really weird after a while, host-B could not access to 98.136.144.138 anymore but Wireshark captured host-B did really send packets to host-A via layer of Ethernet II and not to original deleted default gateway. enter image description here

forAllBright

Posted 2018-07-14T11:47:10.737

Reputation: 67

2What Linux kernel version is host B running? What's your full routing table (as shown by ip -4 route and ip -4 rule)? What's the point of hiding 10.x addresses? – user1686 – 2018-07-15T13:14:52.390

@grawity The question just has been updated as your suggestion. The kernel version of host-B is Linux admin-PC 4.16.0-kali2-686-pae #1 SMP Debian 4.16.16-2kali2 (2018-07-04) i686 GNU/Linux. Please keep helping on this issue and let me know if any more information needed. – forAllBright – 2018-07-15T14:35:43.583

In response to the new question in the Updated section: Please provide the output of: ip route and ip address on the Linux endpoint host. This will help determine the configuration of the Linux host. – Slartibartfast – 2018-07-15T19:33:34.923

Answers

1

Your tcpdump / wireshark display shows layer 3 (IP) addresses. Communication with the gateway happens at layer 2 (Ethernet).

You should expand one (any one) of the packets below the red line, and compare the source and destination MAC addresses of the frame with the two hosts. One will be the source host (host B), and the other should be the MAC address of the gateway (host A), if things are working correctly.

The source and destination IP address of the packet won't change as it passes through the network and routers, but the MAC address of the wrapping ethernet (or other layer 2) frame will be different for every leg of that trip.

With regard to the traceroute, you can probably look up a way to configure an OS-X system to send ICMP errors so that the OS-X host shows up in traceroute, but it isn't clear that that will further your fundamental goal.

Slartibartfast

Posted 2018-07-14T11:47:10.737

Reputation: 6 899

Thanks for the suggestion. I expanded these packets and check the info of Ethernet II but the MAC address of host-A does not appear. – forAllBright – 2018-07-15T16:29:44.200

I added a screenshot in the bottom of question. Please check it. – forAllBright – 2018-07-15T16:44:53.913

I see a new question in the edited section, which is great. I have no problems helping you understand what is going on, but I would like to point out that this is a different / additional question, and you'll need to elaborate / provide additional data to get an answer. I'm not sure how this pattern fits into the StackExchange / SuperUser model. – Slartibartfast – 2018-07-15T19:31:11.237

Since the new updated question as you mentioned is based on the original, opening a new question must contain the original condition too. I have added the ip route and ip address info at the bottom of question. Please update your answer if it's convenient for you. I do really appreciate for your help on this. – forAllBright – 2018-07-16T01:25:08.407

I think there must be something wrong! Considering what I had tried is make host-A to be a router exactly to routing packets to host-A's default gateway, but a router needs no less than 2 internet interface and host-A only has one. The reason why packets did not go to host-A is unsure. If packets go to host-A then these packets should not be routing, right? – forAllBright – 2018-07-16T15:48:59.090

What is your fundamental goal here? Just to set up an OS-X system as a router? To what ends? Do you simply want to capture traffic silently? What's your plan? – Slartibartfast – 2018-07-17T04:26:47.183

Yes, just make OS-X system be a router and just one NIC to receive and transfer. I am trying to dig deeply for the details. – forAllBright – 2018-07-17T07:07:01.167

Asked: 2018-07-14T11:47:10.737

Viewed: 651 times

Active: 2018-07-16T16:13:46.877