Here’s a poser for my infrastructure-y friends: how do you find the MAC address of a remote server using Wireshark?
I know the following to be true because I have access to these machines directly:
Client: IP 172.16.0.2, MAC 00:0c:29:dc:f9:d1
Router: IP 172.16.255.254, MAC 00:0c:85:27:44:40
Server: IP 192.168.254.254, MAC 00:0c:29:8a:60:29
If I ping the Server from the client and then interrogate the packets in Wireshark I see the following:
Ethernet II (Layer 2): Destination: 00:0c:85:27:44:40
IP: Destination: 192.168.254.254
So I pinged the Server but the Layer 2 destination is Router.
Why? Is this because access to the Server is only through the Router, therefore that is the destination? Is it because the Server is on a different subnet to the Client? I’m a bit lost.
[UPDATE] A response from a friend of mine clears the whole thing up!
Answer… as the blog won’t let me post a reply of this length.
Q. "how do you find the MAC address of a remote server"
A. You cannot, directly.
Q. "Why? Is this because……?"
To explain: IP sits at Layer 3 and is based on logical addressing (the IP address), as such this is abstracted from Layer 2 which is based on physical addressing (the MAC address).
You will see in a packet trace, if you ping for anything not in your ARP table, that the first packet seen is the local machine sending an ARP request. If the destination machine is on the same IP subnet, it will reply with its MAC address so physical communication can happen at Layer 2.
If the machine isn’t on the local subnet, your machine will ARP for the default router IP address. Your machine will then physically send packets to that router; if you look in the trace, the IP destination is the actual destination – the Layer 2 & 3 no longer directly correspond.
It’s a bit like you posting a letter: if it’s in your street then you just walk down and post it yourself, as you know the physical (MAC) address of the destination. For anything else, you don’t care about the physical location (MAC address), as you address the envelope (IP address) and put it in the postbox (the router, for which you have the physical location). You don’t physically care where the destination is, so you don’t need to know the MAC address.
I presume they have discussed the OSI 7 layer Model? If not, then http://en.wikipedia.org/wiki/Osi_7_layer_model will sort you out.
Does that help?
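The next-hop decision described in the answer above, as an added example that is not part of the original post: it picks the ARP target for the client, builds the resulting Ethernet II + IPv4 header, and parses it back the way Wireshark displays it. The addresses are the ones from the post; the /16 prefix, the function names and the constructed frame are assumptions made for illustration.

```python
import ipaddress
import struct

# Addresses from the post. The post gives no netmask, so /16 is an assumption.
CLIENT = ("172.16.0.2", "00:0c:29:dc:f9:d1")
ROUTER = ("172.16.255.254", "00:0c:85:27:44:40")
SERVER = ("192.168.254.254", "00:0c:29:8a:60:29")
PREFIX_LEN = 16  # assumed

# The client only learns MACs of on-link hosts, so the server never appears here.
ARP_TABLE = {ROUTER[0]: ROUTER[1]}

def arp_target(src_ip, prefix_len, gateway_ip, dst_ip):
    """Return the IP the sender resolves with ARP in order to reach dst_ip."""
    net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway_ip

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed Ethernet II + bare IPv4 header (protocol 1 = ICMP, checksum 0)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

def parse_frame(frame):
    """Return (Layer 2 destination MAC, Layer 3 destination IP)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet II frame")
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("truncated or invalid IPv4 header")
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    dst_ip = str(ipaddress.ip_address(frame[30:34]))  # bytes 16..19 of the IP header
    return dst_mac, dst_ip

def ping_frame(dst_ip, arp_table):
    """Frame the client emits toward dst_ip using only its own ARP table."""
    next_hop = arp_target(CLIENT[0], PREFIX_LEN, ROUTER[0], dst_ip)
    return build_frame(CLIENT[1], arp_table[next_hop], CLIENT[0], dst_ip)

if __name__ == "__main__":
    # Layer 2 destination is the Router, Layer 3 destination is the Server.
    print(parse_frame(ping_frame(SERVER[0], ARP_TABLE)))
```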