[c-nsp] How they do that?

Matlock, Kenneth L MatlockK at exempla.org
Tue Sep 2 10:14:01 EDT 2008


Sounds like the hotel is doing 2 things:

1) Proxy-arp on the router, giving you the MAC of the router when asking
for something outside of what it has configured or layer 3. Whatever is
doing the proxy arp must also be paying attention to who made the
request, and forwarding the return traffic to you as layer 2.

2) Captive portal, there's a local dns 'server' there letting you
resolve addresses, but won't allow any real traffic to flow through
until you 'accept' the Terms of Service. (Fairly common setup these days
at hospitals).

Ken Matlock
Network Analyst
(303) 467-4671
matlockk at exempla.org
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tuc at
T-B-O-H.NET
Sent: Tuesday, September 02, 2008 7:38 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] How they do that?

Hi,

	Not a Cisco specific question, but thought this group
would have the best insight.

	After 10 hours on the road, I'm more dopey than usual. Pull
into a Marriott, and of course the first thing I do is hook the laptop
up. Normally, during the FreeBSD boot process I stop it and switch the
config over from a hardcoded IP/gateway (For use at home/office... I
need to be DMZ'd for some things, so the IP is static) to DHCP. Wasn't
thinking straight and let it boot.

	Oddly, it resolved all my NTP servers, but then couldn't sync
NTP time. Weird. My browser autostarts when I bring up X, and all of a
sudden it's on the Marriott site and asking me to validate I really want
to use the net for free. I click it, and I'm good to go.

	So, I wonder if I just happen to use the same range, and oddly
the same gateway (Non standard) as the hotel. I don't think anything of
it.

	I go to dinner, come back, and notice on my console it's
complaining:

Sep  2 09:12:58 himinbjorg kernel: Sep  2 09:12:58 himinbjorg kernel:
arplookup 192.168.50.1 failed: host is not on local network


	I do a tcpdump and notice all sorts of IPs being handled by the
192.168.50.1 .... 10.'s, 172.'s, etc.  I even see :

09:32:49.870101 CDPv2, ttl: 180s, Device-ID 'SW1_MDF', length 351

	So how is this possible? Is there a protocol or something I
haven't heard of? How would it know where my default gateway is?
(Maybe just reply to every ARP with the 192.168.50.1 address? Sorta
looks it.. I just ping'd something that doesn't exist, and got :

? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]

	Oddly an entry for 192.168.3.1 exists, which I would never
ping for. Guess it tried to force a gateway on me. :) 

	Then maybe when it gets a packet, it inspects it. If it is
going to a real net address it plays gateway, if it isn't it just drops
it?

			Thanks, Tuc


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
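
The symptom both messages describe, one MAC address answering ARP for addresses that are not on the local subnet, can be checked from a host's own ARP table. The following is an added example, not code from the thread: it parses FreeBSD `arp -an` output and lists MACs that answered for several off-link addresses. Only the 192.168.3.23 line is taken from the message above; the other sample lines, the /24 mask and the function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# FreeBSD `arp -an` entry, in the form quoted in the thread:
#   ? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<ifc>\S+)",
    re.IGNORECASE,
)

# Sample table. The 192.168.3.23 line is from the thread; all other
# lines are constructed for this example.
SAMPLE = """\
? (192.168.50.1) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.3.23) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.3.1) at 00:08:02:3e:b3:0f on xl0 [ethernet]
? (192.168.50.77) at 00:11:22:33:44:55 on xl0 [ethernet]
? (10.9.8.7) at (incomplete) on xl0 [ethernet]
"""


def parse_arp(text):
    """Yield (ip, mac, interface) per resolved entry; '(incomplete)' is skipped."""
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["ifc"]


def proxy_arp_suspects(text, local_net, min_offlink=2):
    """Map each MAC to the off-link IPs it answered for.

    A host only ARPs for addresses it believes are on-link, so a resolved
    entry outside local_net means something replied on behalf of that
    address. One MAC doing so for several addresses matches proxy ARP.
    """
    net = ipaddress.ip_network(local_net)
    offlink = defaultdict(set)
    for ip, mac, _ifc in parse_arp(text):
        if ip not in net:
            offlink[mac].add(ip)
    return {
        mac: [str(ip) for ip in sorted(ips)]
        for mac, ips in offlink.items()
        if len(ips) >= min_offlink
    }


if __name__ == "__main__":
    # Assumed local subnet: 192.168.50.0/24 (the mask is not given in the thread).
    print(proxy_arp_suspects(SAMPLE, "192.168.50.0/24"))
```

On a live host, pass the output of `arp -an` and the subnet actually configured on the interface instead of `SAMPLE`.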

