Not able to see ARP response in wireshark

asked 2020-04-05 06:46:19 +0000

AnonGeek

updated 2020-04-05 07:27:45 +0000

Eddi

Hi,

I am trying to understand how ARP works. I'm running CentOS 7 as a guest VM (VirtualBox) on a Windows 10 host.

The guest configuration network is set to "bridged adapter" and the VirtualBox Host-Only Network is set to IP:192.168.56.1 mask: 255.255.255.0

Wireless LAN adapter Wi-Fi:

IPv4 Address. . . . . . . . . . . : 192.168.0.107

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.1

I am pinging the CentOS VM from the host (ping is working fine). I captured the network packets with Wireshark on the host.

Ideally, I should see an ARP response directly from the CentOS VM (192.168.0.177) to the host (192.168.0.107), since both are in the same network.

In my case, I see no response from the CentOS VM (192.168.0.177) to the host (192.168.0.107). I am still able to ping.

Is there any setting I need to change in order to see the reply from CentOS?

Thanks in advance


Comments

Do you see the ARP request? If not it is very likely that the entry is already cached by the host.

Helpful commands are:

arp -a show entries in the ARP cache on Windows and Linux

arp -an My preferred method to display the ARP cache on Linux (numeric results)

arp -d to delete entries from the ARP cache

Good luck Eddi

Eddi ( 2020-04-05 07:26:32 +0000 )

I see the ARP request from my host (192.168.0.107) to CentOS (192.168.0.177).

I can see another ARP request from my gateway (192.168.0.1) to CentOS (192.168.0.177).

ARP response is from my host to gateway - 192.168.0.177 is at 10-02-B5-BE-C4-13 (MAC address of my host)

But there is no ARP response, yet I am able to ping from Windows:

C:\WINDOWS\system32>ping 192.168.0.177

Pinging 192.168.0.177 with 32 bytes of data:

Reply from 192.168.0.177: bytes=32 time<1ms TTL=64

Reply from 192.168.0.177: bytes=32 time<1ms TTL=64

Reply from 192.168.0.177: bytes=32 time=1ms TTL=64

Reply from 192.168.0.177: bytes=32 time<1ms TTL=64

The ARP entries are displayed correctly.

Thank you

AnonGeek ( 2020-04-05 09:11:12 +0000 )

1 Answer


answered 2020-04-05 13:55:42 +0000

Chuckc

Does your host have a wired ethernet interface to use for testing?
Looks like the arp traffic is handled differently on a wireless adapter:
6.5. Bridged Networking
ARP broadcasts when bridging wireless and wired adapters


Comments

My interface is wireless. I think the behaviour is different here. Thanks for the links

AnonGeek ( 2020-04-05 18:43:49 +0000 )
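
The ARP reply described in the comments above, where the host's MAC address answers for the guest's IP address, can be picked out of a capture programmatically. The following Python code is an added example, not part of the original thread: it parses raw Ethernet/ARP frames and lists every sender MAC that claims more than one IPv4 address. The sample frames are constructed from the addresses quoted in the thread; the gateway MAC and all function names are assumptions.

```python
import struct
from collections import defaultdict

HOST_MAC = bytes.fromhex("1002B5BEC413")  # host MAC quoted in the thread
GW_MAC = bytes.fromhex("020000000001")    # constructed placeholder for the gateway
BCAST = b"\xff" * 6

def ip(s):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(p) for p in s.split("."))

def build_arp(op, sha, spa, tha, tpa, eth_dst):
    """Build a constructed Ethernet + ARP (IPv4) frame for the sample capture."""
    eth = struct.pack("!6s6sH", eth_dst, sha, 0x0806)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                             sha, ip(spa), tha, ip(tpa))

def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, "-".join(f"{b:02X}" for b in sha), ".".join(map(str, spa))

def macs_with_multiple_ips(frames):
    """Map each sender MAC that claims more than one IPv4 address to those addresses."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            _, mac, addr = parsed
            seen[mac].add(addr)
    return {mac: sorted(addrs) for mac, addrs in seen.items() if len(addrs) > 1}

# Constructed capture mirroring the three ARP packets described in the thread:
# host request, gateway request, and the reply sent with the host's MAC.
SAMPLE = [
    build_arp(1, HOST_MAC, "192.168.0.107", b"\x00" * 6, "192.168.0.177", BCAST),
    build_arp(1, GW_MAC, "192.168.0.1", b"\x00" * 6, "192.168.0.177", BCAST),
    build_arp(2, HOST_MAC, "192.168.0.177", GW_MAC, "192.168.0.1", GW_MAC),
]

if __name__ == "__main__":
    for mac, addrs in macs_with_multiple_ips(SAMPLE).items():
        print(f"{mac} answers for {', '.join(addrs)}")
```

A MAC address that claims several IP addresses is also the pattern ARP-spoofing monitors look for, so it helps to know when a bridged VM setup like this one is the cause.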
