
I'm on a LAN provided by an ISP. My computer has its IP address, Subnet Mask, Default Gateway, DNS Servers (using DHCP).

I just wanted to see the MAC addresses of all the computers on my LAN.

  1. After applying subnet mask /18 or 255.255.192.0 on my IP I got: 182.3.64.0
  2. Which gives me 16384 IP addresses ranging from 182.3.64.0 to 182.3.127.255
  3. First and last IP addresses cannot be used as they are Network address and Broadcast address respectively.
  4. So, my subnet or local network contains 16382 hosts/computers. Right? In other words, these 16382 hosts are behind a single router.

I want to see the MAC addresses of these hosts. So, I pinged all of them and the picture shows the result:

enter image description here

My thinking:

I didn't understand why they all have the same MAC address. But now, if I think a little bit more about it: 16382 hosts behind a single router means too much broadcast traffic (ARP broadcast), which is not desirable. At the same time, they cannot be connected to different routers, because that would mean they are on different networks. Maybe they are on different VLANs (I don't know much about VLANs, but I just know that they help reduce broadcast traffic).

I don't understand what my problem is. Kindly identify what I am getting wrong.

EDIT: The MAC address I'm receiving is the MAC of my default gateway.

claws
  • Your ISP assigned you a /18 of public addresses? I didn't think that new blocks that large existed anymore for use within a single organization. – MDMarra Sep 02 '13 at 01:23
  • @MDMarra: Yeah, I was also surprised. But they did. – claws Sep 02 '13 at 01:27
  • Further reading: `Proxy ARP` http://en.wikipedia.org/wiki/Proxy_ARP – claws Sep 02 '13 at 02:41
  • To know more after reading this answer, search `Bridged Networking - (Network Bridge Essentials)` on YouTube and watch it. The first video explains the basics. – claws Sep 02 '13 at 02:47

2 Answers


There could be a lot of things going on here.

In general, a subnet will not have as many nodes as it has possible node addresses. If there actually were enough hosts to fill an entire /18, you should be subnetting further, because the broadcast domain would in fact be too big.

However, I don't think this is actually what is going on. I suspect that there is some layer 2 bridging going on here, or possibly someone is MAC spoofing. A layer 2 bridge might respond to ARP with its own mac address for any IPs on the opposite side of the bridge, particularly if the interface on the other side of the bridge uses a different addressing scheme.

That said, scanning your upstream provider's subnets is generally something that should be avoided; it's often against the ToS and there is no valid operational reason for you to be doing it.

Falcon Momot
  • My guess is that the router/firewall is performing proxy ARP and that the MAC address in the question is the MAC address of the router/firewall. – joeqwerty Sep 02 '13 at 01:31
  • The MAC address I'm receiving is the MAC of the default gateway. – claws Sep 02 '13 at 01:33
  • @joeqwerty: Can routers do that? Where can I read more about it? It shouldn't be a router because these are the IPs of same subnet. – claws Sep 02 '13 at 01:35
  • There you go, it's a bridge. It's probably replying to pretty much every IP address not on your side of it, and then doing its own thing on the other side of the bridge. – Falcon Momot Sep 02 '13 at 01:35
  • Actually, I was teaching myself a bit of networking from CCNA books. I just wanted to apply the concepts to my LAN. – claws Sep 02 '13 at 01:36
  • I suggest that perhaps it isn't your LAN. You should set up your own test network if you are trying to study the CCNA. – Falcon Momot Sep 02 '13 at 01:36
  • @claws, here is how you would make a pseudo-bridge with proxy-arp on Linux. http://lartc.org/howto/lartc.bridging.proxy-arp.html – Zoredache Sep 02 '13 at 02:15
  • @Zoredache: Thanks, I'll read it, but a quick question though. "on Linux"? Do they use computers (running Linux) for interconnecting networking hosts? I thought Switches, Bridges, Routers, Firewalls & IDS are the only devices which are used to connect hosts. – claws Sep 02 '13 at 02:37
  • @Zoredache: How do they even get two ports on computer to divide into network segments? – claws Sep 02 '13 at 02:38
  • Linux is a piece of software. Switches/bridges/routers/firewalls are functions provided by hardware+software in a particular configuration. Linux is an extremely versatile OS. It has, and can be used to provide, all of those networking services, on the correct hardware. As for how to do it: that is what that document describes. But it does presuppose you know how networking works. I linked to a particular section in a howto. Read the entire thing. http://www.lartc.org/ – Zoredache Sep 02 '13 at 03:17

If your network is composed of more than one subnet and you try to scan a subnet that you don't belong to, all the possible IP addresses (nodes) will show in the scan as if they all existed and all have the same MAC address as your router.

I bet that the MAC address in your console is the MAC address of your router.

Here is a question I asked about how to get the mac addresses from a different subnet.

bgmCoder
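The check both answers describe, as an added example that is not part of either answer: group a host's neighbour table by MAC and label any MAC that answers for many on-link IPs as the gateway (proxy ARP or a bridge) or as something else worth investigating. The `ip neigh show` sample, the host address 182.3.64.10, the gateway 182.3.64.1 and the MAC values are constructed assumptions; only the /18 network comes from the question.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed neighbour-table sample in `ip neigh show` format (not from the page).
SAMPLE = """\
182.3.64.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
182.3.64.17 dev eth0 lladdr 00:00:5e:00:53:01 STALE
182.3.90.200 dev eth0 lladdr 00:00:5e:00:53:01 STALE
182.3.127.254 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
182.3.64.50 dev eth0 lladdr 00:00:5e:00:53:aa REACHABLE
182.3.64.51 dev eth0 FAILED
"""

LINE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17}) ", re.M)

def parse_neigh(text):
    """Return {ip: mac} for entries that resolved to a link-layer address."""
    return {ipaddress.ip_address(ip): mac.lower() for ip, mac in LINE.findall(text)}

def macs_by_ip_count(table, network):
    """Group the on-link IPs of `network` by the MAC that answered for them."""
    groups = defaultdict(list)
    for ip, mac in table.items():
        if ip in network:
            groups[mac].append(ip)
    return groups

def classify(table, network, gateway_ip, threshold=3):
    """Label every MAC that answers for at least `threshold` IPs."""
    gw_mac = table.get(ipaddress.ip_address(gateway_ip))
    findings = {}
    for mac, ips in macs_by_ip_count(table, network).items():
        if len(ips) < threshold:
            continue
        if mac == gw_mac:
            findings[mac] = "gateway answers for %d IPs: proxy ARP or bridge" % len(ips)
        else:
            findings[mac] = "non-gateway MAC answers for %d IPs: check for spoofing" % len(ips)
    return findings

# Host address is an assumption; the page gives only the /18 mask and the network.
NET = ipaddress.ip_interface("182.3.64.10/255.255.192.0").network

if __name__ == "__main__":
    print(NET, NET.num_addresses - 2, "usable hosts")
    for mac, verdict in classify(parse_neigh(SAMPLE), NET, "182.3.64.1").items():
        print(mac, verdict)
```

Run it against the host's own neighbour cache rather than a fresh sweep of the provider's range; the cache already holds the entries needed to see whether one MAC is answering for everything.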