Today I read a thread on forum hvaonline asking about some strange IP addresses when using the command “arp -a” to see the cache of ARP entries. The author of this thread is using Windows 7 and he thought that his computer was hacked. When I use this command on my machine, I also see some strange IP addresses. I never think that my computer was hacked so I decide to find out what does these IP addresses mean.
The figure above shows the result of the command. Let’s go through each row and explain them.
1. “Interface: 192.168.1.2 — 0xb”
The “192.168.1.2” is my IP address. That is also the only one network interface working now on my computer.
2. “192.168.1.1 00-22-**-**-**-e2 dynamic”
The “192.168.1.1” is the IP address of my router and “00-22-**-**-**-e2” is his MAC Address. Its type is dynamic. That means that depends on which router you use, you’ll get various IP Address. For example, I am now using a netgear router which normally use 192.168.1.1. But some years ago, I used an Asus router which normally use 192.168.123.1.
3. “192.168.1.3 00-16-**-**-**-8b dynamic”
The “192.168.1.3” is the IP address of the computer of my wife. She has a laptop and the MAC address is of course the MAC of her laptop. The type is of this address is dynamic, too. Normally which computer connects to the router first, will get the lower address. In this example, my desktop got connection first. It got the “192.168.1.2”. Then the computer of my wife got the “192.168.1.3”. After that if another computer gets connection, he’ll got the “192.168.1.4” and so on.
4. “192.168.1.255 ff-ff-ff-ff-ff-ff static”
The “188.8.131.52” is a broadcast address. It allows information to be sent to all host of network, rather than a specific network host. This address is generally obtained by performing a bitwise OR operation between the bit complement of the subnet mask and the ip address. In this example, my subnet mask is “255.255.255.0” and its bit complement is “0.0.0.255” and therefor the broadcast address should be (192.168.1.0 | 0.0.0.255) = 192.168.1.255.
We can see the MAC address of this ip is a range of “ff” because broadcast is possible also on the underlying Data Link Layer. Ethernet frames can be addressed to every computer on a given LAN segment if they are addressed to MAC address FF:FF:FF:FF:FF:FF. Ethernet frames that contain IP broadcast packages are usually sent to this address.
5. “184.108.40.206 01-00-5e-00-00-16 static”, “220.127.116.11 01-00-5e-00-00-fc static”, “18.104.22.168 01-00-5e-00-00-fd static”
The ip range 22.214.171.124 through 126.96.36.199 is for multicast. Multicast addressing is a network technology for the delivery of information to a group of destinations simultaneously using the most efficient strategy to deliver the messages over each link of the network only once, creating copies only when the links to the multiple destinations split.
In our example, windows 7 automatically turned on 3 multicast addresses. Each of them has its own mission.
188.8.131.52 IGMP [Deering]
184.108.40.206 Link-local Multicast Name Resolution [RFC4795]
220.127.116.11 Teredo [RFC-huitema-v6ops-teredo-05.txt]
For more information about multicast address you can find as this link http://www.iana.org/assignments/multicast-addresses/
6. “18.104.22.168 01-00-5e-7f-ff-fa static”
Windows OS uses 22.214.171.124 as a sort of broadcast address to announce the presence of a machine on the network. Windows uses the following Universal Plug and Play services:
* The Simple Service Discovery Protocol (SSDP) discovery service: This service discovers Universal Plug and Play devices on your home network.
* Universal Plug and Play Device Host: This service provides support to host Universal Plug and Play devices.
And the SSDP will be host on the ip 126.96.36.199 exactly at port 1900. For more information you can find at this article http://support.microsoft.com/kb/317843/en-us