Consider a Ping Request packet arriving on a computer with 2 NICs (multi-homed PC). The packet is received on 1 of the interfaces. Now the computer has to send the Ping Response packet. To fill the source IP and source MAC address the computer does which of the following?

  • Computer first determines which interface should be used as the egress interface by looking at the Destination IP address. Destination IP address was taken from source IP address field of Ping Request packet. Once it determines egress port, it will enter that interface’s IP and MAC address in the Ping Response packet.
  • Computer takes the destination IP and MAC address of the Ping Request packet and just flips them over to fill source IP and MAC address in Ping Response packet.
  • neidu2@feddit.nl
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    5 months ago

    First. It uses the source IP to craft the response, then does a lookup in its routing table to figure out on which interface is used for transmission. If necessary it will do an ARP request to figure out the MAC as well.

    • driftWood@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      5 months ago

      OK this is what I was thinking too. So consider this scenario:

      srcPCnic1 - 192.168.1.100/24 DG: 192.168.1.1 dstPCnic1 - 192.168.2.100/24 dstPCnic2 - 192.168.1.101/24 DG: 192.168.1.1

      Topology: srcPCnic1 -> RTR -> dstPCnic1 Assume srcPCnic1 is also connected to dstPCnic2 via a switch. (Sorry if its difficult to imagine with the crude description)

      On srcPC execute: ping 192.168.2.100 RTR will route the packet to dstPC. dstPC receives the packet on nic1. dstPC sends the Response packet via nic2.

      Is the above understanding correct?

      • neidu2@feddit.nl
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        I believe so, yes. The routing table should result in the PC sending the response via the direct route, as opposed to via the defGW. I’m not 100% sure, though. There could be some “default” behavior of using the same nic as the one the packet was received on, stemming from the original 192.168.2.0/24 destination.

        • driftWood@infosec.pubOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          5 months ago

          I recently tested this using wireshark. When I run packet capture on nic1 of dstPC I see ping request packets coming, but no response packets leaving the interface. On nic2 I don’t see any packets leaving either. So kind of stumped what is happening. It seems the computer just drops the response packet and it never makes it till any nic. But still don’t have a good explanation of WHY the packet gets dropped.