MAC address FF:FF:FF:FF:FF:FF obtained by snort

[jenaniston]

In a simple point to point network connection - trying to set up a LAN boot -
will the client in the MAC host -> MAC client line always just be -> FF:FF:FF:FF:FF:FF
- or is that the result only from the snort utility ?

The laptop - connected by ethernet cable to the Fedora OS with snort - can not boot yet,
so I can NOT just use ifconfig on the laptop client for finding its' MAC address.
It is not on the outside case either.

Will that FF:FF:FF:FF:FF:FF address be good enough to set up a diskless, point-to point LAN boot ?

Code:

[liveuser@localhost ~]$ su -
[root@localhost ~]# yum install snort
. . .
Installed:
  snort.i586 0:2.8.5.1-1.fc11                                                   

Dependency Installed:
  libprelude.i586 0:0.9.21.2-9.fc11                                             

Complete!
[root@localhost ~]#

Code:

[root@localhost ~]# snort -veX
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
Decoding Ethernet on interface eth0

Code:

12/26-10:00:51.007089 0:12:3F:XX:XX:XX -> FF:FF:FF:FF:FF:FF type:0x800 len:0x156
0.0.0.0:68 -> 255.255.255.255:67 UDP TTL:128 TOS:0x10 ID:0 IpLen:20 DgmLen:328
Len: 300
. . .

P.S. Only the XX:XX:XX and boldface were added in the line of the partial terminal result above from the # snort -veX command,
so any other hints to get LAN boot started as where to look with portmapper or sometin' welcome.

Thanks.

[smurffit]

Well, i'm not sure if i get the problem, but FF:FF... is the broadcastadress and if you have much clients (i. e. in a company) it makes sense to use broadcasts to save bandwidth. So i would say, that the address is fine.

[jenaniston]

Quote:

Originally Posted by smurffit

. . . but FF:FF... is the broadcastadress . . . would say, that the address is fine.

Thanks for the reply.

When I right click on the network applet in the top menu bar (gnome desktop) and go into
Connection Information, the info includes Interface: Ethernet (eth0), Hardware Address (or host MAC) 00:12:3F:xx:xx:xx), IP address, Broadcast address,
as well as Subnet Mask, Default Route, Primary DNS, Secondary DNS.

There, the Broadcast Address is listed -
Broadcast Address: 128.255.139.255

But the future LAN boot computer MAC has only been found -with snort - as FF:FF:FF:FF:FF:FF

Will that be ( part of ) what I'll need for setting up the LAN boot?
Will that snort obtained MAC be sufficient, since the true network card MAC is NOT known and the laptop can NOT yet be booted ?

[smurffit]

The IP is for logical addressing and the MAC is for physical addressing, so they are different connection layers (IP is a higher layer than MAC). There is also a Broadcast-address for IP-addressing, that's fine too, but your Boot-Server works on the MAC layer, therefore it uses the Broadcast-address based on the MAC layer.

By the way, routers don't forward MAC-Broadcasts, so maybe this is a possible problem in your situation?!

[lensman3]

It sounds like you are doing a network boot to a diskless machine. There were problems when a machine had to boot from the network, because there was no way to get a IP/NIC address until the OS was running. I think the rarp protocol was implemented to do this. The arp command man page references "rarp", but there is no rarp man page.

A lot of the NIC address can be found in the /proc/net directory.

[jenaniston]

Thanks for the replies.

Quote:

Originally Posted by smurffit

. . . and the MAC is for physical addressing, so they are different connection layers (IP is a higher layer than MAC). There is also a Broadcast-address for IP-addressing, that's fine too, but your Boot-Server works on the MAC layer, therefore it uses the Broadcast-address based on the MAC layer.

. . . routers don't forward MAC-Broadcasts,

Great info in your post distinguishing logical and physical addressing - thanks.

Yes, as I had understood, I was gonna need the MAC address to boot -
and if that F:F:F: ... MAC address obtained with snort is good enough to go, then great.

But I'd kinda doubt that happens to be the actual, true MAC address for that particular 3com network adapter card on the laptop I'll be trying to LAN boot.

And also, btw, it won't be through a router - just a point-to-point ethernet cable connection - the same as was used for "snorting" -
but good info to learn that routers don't forward MAC addresses.

Quote:

Originally Posted by lensman3

It sounds like you are doing a network boot to a diskless machine. . . . there was no way to get a IP/NIC address until the OS was running. I think the rarp protocol was implemented to do this. The arp command man page references "rarp", but there is no rarp man page.

A lot of the NIC address can be found in the /proc/net directory.

Exactly -
I need to try a point-to-point network (no router) diskless boot to rescue data off the laptop.
Fedora will be great for pulling data off another OS - but I'll need the LAN boot.
Then, I'll just install the Fedora for a 60 GB hard drive linux OS laptop.

I have tried the address resolution protocal - arp - and arping - and I also found that their was no man rarp available.
But you have now encouraged me to pursue info for using rarp further as well -
so thanks - that is what I am going to start working with this afternoon.

Surely, through the years this diskless boot situation has come up before -
rarp may be important as a solution, and I tried snort, which has been a good step as I learn this.

Thanks again.