Tuesday, September 30, 2008

Tech Support call about 169.254.x.x

I had an interesting call today from someone trying out the NetScanTools Pro 10 Demo. He wanted to know if it could help him figure out why his laptop was getting a 169.254.x.x IP ( subnet mask) when he plugged it into his work network. He was aware of the Microsoft Windows XP default action of using Automatic Private IP Addressing (APIPA) to assign an IP in that range whenever DHCP failed. But he wanted to confirm that DHCP was not working and just talk to someone about it I guess.

As a way of confirming my suspicions, I had him use the DHCP Discover Tool in NetScanTools Pro 10 Demo. When he pressed the Discover button, the DHCP server returned no data and the tool timed out. I had him do this a couple of times. The tool sends out a DHCP_DISCOVER message and looks for responses much like ipconfig does -- and there were no responses.

So either his physical network connection was bad or the DHCP server was dead. He was pretty sure his network cable was OK, so that left the DHCP server itself. I had him confirm this using ipconfig /release, then ipconfig /renew, then confirmed his computer was set up to use DHCP by looking at the results of ipconfig /all. Now that he was pretty sure of the program, he had a call into whoever was responsible for the DHCP server.

I also had him go to Network Statistics to check to make sure there was only one network interface in his system and he could see all the parameters for the single interface like IP, mask and MAC address. That way he could be sure that there were no other conflicts like a wireless and a wired interface.

Friday, September 26, 2008

ARP Ping

Here is a topic ripped from our September 2008 newletter.

The most popular search term bringing people to our website is ARP Ping. What does ARP Ping do?

If you have the purchased or even the demo version of NetScanTools Pro, you can access the tool by selecting Tools/ARP Ping. Once there, you can see that it has three options or modes. The first two are for sending an ARP Ping and the third is for searching for duplicate IP addresses. Let’s concentrate on ARP Ping first and learn what ARP Ping does and does not do.

ARP request packets are fairly simple in construction. In Ethernet networks, ARP is used to obtain the MAC address of the target given the target IP address. Our ARP packets contain the required target IP address. The broadcast MAC address is placed in the target MAC field. The Interface IP and MAC address are used in the packet to identify to the target device the sender of the ARP packet. When the target device with the IP address identified in the ARP request packet sees the ARP request packet, it fills in the target interface MAC address and sends an ARP reply packet back to the sender. The target IP is a requirement because the receiver will not reply unless it sees its own IP address in the packet. In our implementation, the act of sending an ARP request and receiving a reply is known as an ARP Ping and the timing of the packets gives us the Response Time. The timing is similar to what you would see with a command line PING, ie. packet round-trip-time milliseconds.

What about the broadcast and unicast options? The broadcast option means all ARP request packets we send are to the broadcast MAC address. The unicast option means the first packet uses the broadcast MAC address and all subsequent packets use the discovered MAC address of the target.

Can you input a target MAC address with the IP address blank in order to find the target’s IP address? No, because the ARP protocol does not work that way. If you were to send such a packet, it will not be responded to by any device because the IP address in the packet does not match the IP address of any receiving device.

Can you use this tool to get the MAC address of a device NOT on the same subnet as the computer running NetScanTools Pro? No, because none of the devices on the subnet will not recognize the target IP address and they will not respond. EXCEPT if the router that accepts packets destined for locations outside the subnet is set up to do proxy ARP. If so, it will see that the target IP is not within the subnet and respond to you with the MAC address of the router interface on your side of the subnet.

For more information on how ARP works, see RFC 826.

How to use the ARP Ping tool to search for duplicate IP addresses. A variation on ARP is to use it to detect duplicate IP addresses by the method outlined in RFC 5227. To do this you first select Search for Duplicate IP Addresses, then you select the source IP address to place in the ARP request packet ( is preferred in the RFC, but we also provide an option for placing the Interface IP in there instead), then you enter the target IP address and press Send ARP. The target IP address is the one you want to find duplicates for. All devices using that IP address will respond to your request along with their MAC address and they will be shown in the results grid.

That's a taste of some of the tips and explanations you will be seeing in this blog. It might bore you if you haven't got the faintest idea what I'm talking about...but enough people have wanted to know about ARP Ping for us to talk about it in more detail.

By the way, did you know I own four miniature herefords?

This is new for me...

Yes, this is new for me. I've done newsletters for years but never a blog. We'll see how this goes. A good friend of mine, Laura Chappell, recently put up a blog, so I decided is was time to start -- and probably long overdue. Laura's blog is here.

In case you are wondering, NetScanTools Pro is network discovery software and we are here to talk about how to use it. There will be tips published and "did you know?" types of things.

We may even talk about the timing of upcoming releases and other programs we have, so watch this space if you are interested in all things networking.