Duplicate IP address Telnet and ARP

0

I have 3 hosts (PC1, PC2, and PC3). I set the IP addresses for PC2 and PC3 to be 10.0.0.2 and PC3 to be 10.0.0.1. I telnet from PC1 to 10.0.0.2. I then am logged in to PC3. I can see in Wireshark that PC3 first responds with its MAC address and then PC2 responds but that it is seen as a duplicate IP address and disregarded. Why is this? Why is PC3 not overwritten by PC2?

Tatië

Posted 2015-04-07T01:13:34.107

Reputation: 13

What do you mean PC3 is not overwritten by PC2? Do you mean why does the information from PC2 not override the data coming from PC3? – Devan – 2015-04-07T01:21:05.113

yes that is what I mean. – Tatië – 2015-04-07T01:21:44.347

Can you edit again? It's unclear which PC has which IP-address. – ott-- – 2015-04-07T01:32:38.523

I think he has it set up like this for some reason: PC1=10.0.0.1 PC2=10.0.0.2 PC3=10.0.0.2 – Devan – 2015-04-07T01:36:11.800

Answers

1

The answer previously marked correct is actually incorrect (to an extent). The resulting packet will be sent contained in a frame with a specific destination MAC address. The destination MAC address will be based on the sender's ARP table.

An ARP reply is cached automatically regardless of whether it has expired. Therefore, the LAST response will be cached, overwriting the first response received (this is exactly how and why ARP Poisoning works). You can research more on ARP Poisoning for more details on this.

The resulting connection to your "telnet" will be to the last device that has responded to the last ARP request that was broadcast to the broadcast domain.

A simplified explanation of what should be happening is below:

  1. Sender does not have ARP table entry for IP:X.
  2. Sender does an ARP Request broadcast for IP:X.
  3. All devices in broadcast domain are sent ARP Request.
  4. All devices configured with IP:X respond to ARP Request.
  5. Sender receives each ARP Response 1 at a time.
     a. ARP Response #1 is received and MAC/IP pair is added to ARP table.
     b. ARP Response #2 is received and MAC/IP pair overwrites first response.
     ... (repeat "b" for each response)
  6. Sender sends a packet with the destination MAC address contained in the last received ARP Response.

However, if a responding device sees conflicting responses it has a few options based on RFC 5227, 1 of those being responding to configuration agent that its IP is invalid. Without seeing the packet capture it's hard to tell you exactly what you are seeing.

Goblinlord

Posted 2015-04-07T01:13:34.107

Reputation: 455
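The overwrite sequence in steps 1 to 6 of the answer above, as an added example (not code from the original post): it parses ARP reply payloads, applies them to a last-reply-wins table as the answer describes, and reports any IP address claimed by more than one MAC. The MAC addresses and payloads are constructed sample data, and last-reply-wins is the answer's simplified model; real operating systems may treat a second reply differently.

```python
import struct
from collections import defaultdict

ARP_REPLY = 2  # ARP opcode for a reply

def parse_arp(payload: bytes):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in payload[8:14])
    sender_ip = ".".join(str(b) for b in payload[14:18])
    return oper, sender_mac, sender_ip

def process_replies(payloads):
    """Apply replies in arrival order; return (arp_table, conflicts)."""
    table = {}                # IP -> MAC, the sender's modelled ARP table
    seen = defaultdict(list)  # IP -> every distinct MAC that claimed it
    for payload in payloads:
        parsed = parse_arp(payload)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if mac not in seen[ip]:
            seen[ip].append(mac)
        table[ip] = mac       # step 5b: a later reply overwrites the earlier one
    conflicts = {ip: macs for ip, macs in seen.items() if len(macs) > 1}
    return table, conflicts

# Constructed sample: two replies for 10.0.0.2 sent to PC1 (10.0.0.1).
# Layout: header | sender MAC | sender IP | target MAC | target IP
HEADER = "0001080006040002"
PC3_REPLY = bytes.fromhex(HEADER + "020000000003" + "0a000002" + "020000000001" + "0a000001")
PC2_REPLY = bytes.fromhex(HEADER + "020000000002" + "0a000002" + "020000000001" + "0a000001")
SAMPLE = [PC3_REPLY, PC2_REPLY]  # PC3 answers first, PC2 second

if __name__ == "__main__":
    table, conflicts = process_replies(SAMPLE)
    print("ARP table:", table)
    for ip, macs in conflicts.items():
        print(f"duplicate IP {ip} claimed by {', '.join(macs)}")
```
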

0

*Please refer to Goblinlord's answer; it more accurately explains what I was trying to get across.

If I'm not mistaken it's because PC2 is slower to respond. When you make a telnet session you are creating a TCP session. This starts with a 3-way TCP handshake. Since you only sent one telnet connection request your client sees that it is already connected to ip 10.0.0.2 so it drops the reply from PC2 as a duplicate.

Basically your computer thinks that the response from the slower device is unsolicited. If you clear out the arp table and then try again lots of times you should see the same thing happen when PC2 responds first and the data from PC3 should get dropped.

Not sure what you are attempting to accomplish but I would suggest giving PC2 and PC3 unique ips.

Devan

Posted 2015-04-07T01:13:34.107

Reputation: 186

Only one packet may be on the wire at the same time. If he repeats this 1000 times (always clearing the ARP table on PC1), there should equal successes from both PCs, if both PC2 and PC3 have the same equipment. – ott-- – 2015-04-07T02:17:53.177

@ott-- yes but I was going with his simple example and leaving it at one request. I'll edit to make it more clear – Devan – 2015-04-07T02:22:12.857

Okay, I think I get it. This is a lab exercise to cipher why one PC will be connected and which one it will be. I get that the one connected will be the fastest one but I wasn't sure if a new connection with the same ip would be considered or if it would be seen as a duplicate. – Tatië – 2015-04-07T02:46:08.470

This would actually be incorrect. These 2 IPs being would mean a frame sent to the MAC address of the destination IP based on the ARP table on the sender's machine. The packet would still have the destination IP matching both receivers... but the frame would only have 1 of their MAC addresses. – Goblinlord – 2015-04-07T02:48:44.583