OK, start tshark on both “c” and “e”, then run ping on “e”. We do thus capture an answer where the HP MAC claims the .5 address, at the bottom of the “e” tshark capture:
$e$ ping -nc5 10.3.8.6
PING 10.3.8.6 (10.3.8.6) 56(84) bytes of data.
64 bytes from 10.3.8.6: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.3.8.6: icmp_seq=2 ttl=64 time=0.311 ms
64 bytes from 10.3.8.6: icmp_seq=3 ttl=64 time=0.460 ms
64 bytes from 10.3.8.6: icmp_seq=4 ttl=64 time=0.378 ms
64 bytes from 10.3.8.6: icmp_seq=5 ttl=64 time=0.439 ms
--- 10.3.8.6 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4060ms
rtt min/avg/max/mdev = 0.311/0.400/0.460/0.052 ms
0$e$ ping -nc5 10.3.8.5
PING 10.3.8.5 (10.3.8.5) 56(84) bytes of data.
From 10.3.8.9 icmp_seq=1 Destination Host Unreachable
From 10.3.8.9 icmp_seq=2 Destination Host Unreachable
From 10.3.8.9 icmp_seq=3 Destination Host Unreachable
From 10.3.8.9 icmp_seq=4 Destination Host Unreachable
From 10.3.8.9 icmp_seq=5 Destination Host Unreachable
--- 10.3.8.5 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4066ms
pipe 3
1$e$
#c# tshark -lf 'host 10.3.8.5 or 10.3.8.6 or 10.3.8.9 or 10.3.8.87'
Capturing on 'eno1'
1 0.000000000 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.3
2 0.000083678 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.6? Tell 10.3.8.3
3 0.000211503 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.9? Tell 10.3.8.3
4 0.000220030 4a:da:93:8f:8c:3a → AlphaNetwork_b6:4c:0d ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
5 0.000897113 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.87? Tell 10.3.8.3
6 0.161297415 10.3.8.9 → 10.3.8.7 SSL 230 Continuation Data
7 0.161737458 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=1 Ack=165 Win=530 Len=0 TSval=2439819072 TSecr=3629094591
8 0.411604106 10.3.8.9 → 10.3.8.7 SSL 598 Continuation Data
9 0.412009161 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=1 Ack=697 Win=528 Len=0 TSval=2439819322 TSecr=3629094841
10 0.619812114 10.3.8.3 → 10.3.8.9 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
11 0.619900841 10.3.8.9 → 10.3.8.3 ICMP 120 Destination unreachable (Communication administratively filtered)
12 0.679314248 10.3.8.9 → 10.3.8.7 SSL 534 Continuation Data
13 0.679638926 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=1 Ack=1165 Win=528 Len=0 TSval=2439819590 TSecr=3629095109
14 0.930166107 10.3.8.3 → 10.3.8.5 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
15 0.930296402 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
16 0.945368987 10.3.8.9 → 10.3.8.7 SSL 358 Continuation Data
17 0.945781002 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=1 Ack=1457 Win=528 Len=0 TSval=2439819856 TSecr=3629095375
18 1.249984046 10.3.8.3 → 10.3.8.9 MDNS 81 Standard query 0x0000 PTR 9.8.3.10.in-addr.arpa, "QM" question
19 1.250097989 10.3.8.9 → 10.3.8.3 ICMP 109 Destination unreachable (Communication administratively filtered)
20 1.890089086 10.3.8.3 → 10.3.8.5 MDNS 81 Standard query 0x0000 PTR 5.8.3.10.in-addr.arpa, "QM" question
21 1.947009479 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
22 2.960341340 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
23 3.973720353 10.3.8.9 → 10.3.8.3 ICMP 120 Destination unreachable (Host unreachable)
24 3.973749405 10.3.8.9 → 10.3.8.3 ICMP 109 Destination unreachable (Host unreachable)
25 5.813671114 4a:da:93:8f:8c:3a → AlphaNetwork_b6:4c:0d ARP 42 Who has 10.3.8.3? Tell 10.3.8.9
26 5.814233229 AlphaNetwork_b6:4c:0d → 4a:da:93:8f:8c:3a ARP 60 10.3.8.3 is at 0c:83:cc:b6:4c:0d
27 12.311182189 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=1/256, ttl=64
28 12.311309458 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
29 13.311756429 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=2/512, ttl=64
30 13.333674775 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
31 14.325178314 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=3/768, ttl=64
32 14.347006246 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
33 15.338530630 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=4/1024, ttl=64
34 15.360389289 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
35 15.360418531 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
36 15.360433756 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
37 15.360448024 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
38 16.340138191 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=5/1280, ttl=64
39 16.340244035 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
40 17.360343905 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
41 17.471656783 LCFCElectron_40:f3:46 → HewlettPacka_60:62:80 ARP 60 Who has 10.3.8.5? Tell 10.3.8.7
42 18.061912336 LCFCElectron_40:f3:46 → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.7
43 18.070823562 LCFCElectron_40:f3:46 → Broadcast ARP 60 Who has 10.3.8.9? Tell 10.3.8.7
44 18.070849942 4a:da:93:8f:8c:3a → LCFCElectron_40:f3:46 ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
45 18.365646479 LCFCElectron_40:f3:46 → Broadcast ARP 60 Who has 10.3.8.9? Tell 10.3.8.7
46 18.365683079 4a:da:93:8f:8c:3a → LCFCElectron_40:f3:46 ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
47 18.373625310 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
48 18.669491948 LCFCElectron_40:f3:46 → Broadcast ARP 60 Who has 10.3.8.9? Tell 10.3.8.7
49 18.669528387 4a:da:93:8f:8c:3a → LCFCElectron_40:f3:46 ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
50 18.887446474 LCFCElectron_40:f3:46 → Broadcast ARP 60 Who has 10.3.8.87? Tell 10.3.8.7
51 19.387053384 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
52 60.004904612 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.3
53 60.004981284 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.6? Tell 10.3.8.3
54 60.005117488 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.9? Tell 10.3.8.3
55 60.005136562 4a:da:93:8f:8c:3a → AlphaNetwork_b6:4c:0d ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
56 60.006240896 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.87? Tell 10.3.8.3
57 69.082716001 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.3
58 69.082817199 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.6? Tell 10.3.8.3
59 69.083654819 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.9? Tell 10.3.8.3
60 69.083672710 4a:da:93:8f:8c:3a → AlphaNetwork_b6:4c:0d ARP 42 10.3.8.9 is at 4a:da:93:8f:8c:3a
61 69.094137045 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.87? Tell 10.3.8.3
62 69.510027985 10.3.8.3 → 10.3.8.5 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
63 69.510160991 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
64 69.830586205 10.3.8.3 → 10.3.8.5 MDNS 81 Standard query 0x0000 PTR 5.8.3.10.in-addr.arpa, "QM" question
65 70.149989668 10.3.8.3 → 10.3.8.9 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
66 70.533667073 4a:da:93:8f:8c:3a → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.9
67 71.080108213 10.3.8.3 → 10.3.8.9 MDNS 81 Standard query 0x0000 PTR 9.8.3.10.in-addr.arpa, "QM" question
68 71.080224816 10.3.8.9 → 10.3.8.3 ICMP 109 Destination unreachable (Communication administratively filtered)
#e# tshark -lf 'host 10.3.8.5 or 10.3.8.6 or 10.3.8.9 or 10.3.8.87'
Capturing on 'enp3s0'
38 9.162110300 66.244.202.114 → 10.3.8.87 ICMP 70 Destination unreachable (Communication administratively filtered)
39 9.173201356 10.3.8.9 → 10.3.8.7 TCP 174 [TCP segment of a reassembled PDU]
40 9.173295219 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=117 Ack=1917 Win=531 Len=0 TSval=2439818601 TSecr=3629094120
41 9.368239729 10.3.8.9 → 10.3.8.7 TCP 134 995 → 58332 [PSH, ACK] Seq=1917 Ack=117 Win=249 Len=68 TSval=3629094315 TSecr=2439818601 [TCP segment of a reassembled PDU]
42 9.368331251 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=117 Ack=1985 Win=531 Len=0 TSval=2439818796 TSecr=3629094315
43 9.482601160 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.3
44 9.482682504 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.6? Tell 10.3.8.3
45 9.482797911 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.9? Tell 10.3.8.3
46 9.483550521 AlphaNetwork_b6:4c:0d → Broadcast ARP 60 Who has 10.3.8.87? Tell 10.3.8.3
47 9.644184259 10.3.8.9 → 10.3.8.7 TCP 230 995 → 58332 [PSH, ACK] Seq=1985 Ack=117 Win=249 Len=164 TSval=3629094591 TSecr=2439818796 [TCP segment of a reassembled PDU]
48 9.644278458 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=117 Ack=2149 Win=530 Len=0 TSval=2439819072 TSecr=3629094591
49 9.894497220 10.3.8.9 → 10.3.8.7 TCP 598 995 → 58332 [PSH, ACK] Seq=2149 Ack=117 Win=249 Len=532 TSval=3629094841 TSecr=2439819072 [TCP segment of a reassembled PDU]
50 9.894587524 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=117 Ack=2681 Win=528 Len=0 TSval=2439819322 TSecr=3629094841
51 10.162161854 10.3.8.9 → 10.3.8.7 TCP 534 995 → 58332 [PSH, ACK] Seq=2681 Ack=117 Win=249 Len=468 TSval=3629095109 TSecr=2439819322 [TCP segment of a reassembled PDU]
52 10.162240246 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=117 Ack=3149 Win=528 Len=0 TSval=2439819590 TSecr=3629095109
53 10.413485483 4a:da:93:8f:8c:3a → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
54 10.428260938 10.3.8.9 → 10.3.8.7 TCP 358 995 → 58332 [PSH, ACK] Seq=3149 Ack=117 Win=249 Len=292 TSval=3629095375 TSecr=2439819590 [TCP segment of a reassembled PDU]
55 10.428351578 10.3.8.7 → 10.3.8.9 TCP 66 58332 → 995 [ACK] Seq=117 Ack=3441 Win=528 Len=0 TSval=2439819856 TSecr=3629095375
56 11.430187867 4a:da:93:8f:8c:3a → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
57 12.443612201 4a:da:93:8f:8c:3a → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
58 16.715091847 10.3.8.87 → 216.52.29.11 NTP 90 NTP Version 4, client
59 16.763864246 216.52.29.11 → 10.3.8.87 ICMP 70 Destination unreachable (Port unreachable)
60 21.793713739 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=1/256, ttl=64
61 21.794528085 4a:da:93:8f:8c:3a → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
62 21.834246529 LCFCElectron_40:f3:46 → 52:54:00:0f:4f:0d ARP 42 Who has 10.3.8.87? Tell 10.3.8.7
63 21.834900884 52:54:00:0f:4f:0d → LCFCElectron_40:f3:46 ARP 60 10.3.8.87 is at 52:54:00:0f:4f:0d
64 22.794297110 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=2/512, ttl=64
65 22.816760051 4a:da:93:8f:8c:3a → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
66 23.807705821 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=3/768, ttl=64
67 23.830272284 4a:da:93:8f:8c:3a → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
68 24.821057558 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=4/1024, ttl=64
69 24.843240192 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
70 24.843240348 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
71 24.843240458 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
72 24.843240569 10.3.8.9 → 10.3.8.7 ICMP 126 Destination unreachable (Host unreachable)
73 25.822670861 10.3.8.7 → 10.3.8.5 ICMP 98 Echo (ping) request id=0x0005, seq=5/1280, ttl=64
74 25.823424772 4a:da:93:8f:8c:3a → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
75 26.262042270 10.3.8.6 → 96.245.170.99 NTP 90 NTP Version 4, client
76 26.843615107 4a:da:93:8f:8c:3a → Broadcast ARP 60 Who has 10.3.8.5? Tell 10.3.8.9
77 26.954196136 LCFCElectron_40:f3:46 → HewlettPacka_60:62:80 ARP 42 Who has 10.3.8.5? Tell 10.3.8.7
78 26.954666798 HewlettPacka_60:62:80 → LCFCElectron_40:f3:46 ARP 60 10.3.8.5 is at ec:b1:d7:60:62:80
79 27.543878523 LCFCElectron_40:f3:46 → Broadcast ARP 42 Who has 10.3.8.5? Tell 10.3.8.7
80 27.544996185 HewlettPacka_60:62:80 → LCFCElectron_40:f3:46 ARP 60 10.3.8.5 is at ec:b1:d7:60:62:80
Fascinating: all “ARP 42 Who has 10.3.8.5? Tell” queries go unanswered until after the 5th ping, 2 more asked by 10.3.8.9 still go unanswered, but when 10.3.8.7 asks this time the HP MAC answers “ARP 60 10.3.8.5 is at ec:b1:d7:60:62:80”!
But so what could be doing this?
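To make the pattern in captures like the two above easier to see, here is an added example (not part of the original post) that pairs each ARP request in a tshark one-line summary with the unicast reply sent back to the asker, and lists which MACs claimed each IP. The sample lines, addresses and the `analyze` function are constructed for illustration; the one-second `window` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in tshark's one-line summary format (not from the capture above).
SAMPLE = """\
1 0.000000 02:00:00:00:00:09 → Broadcast ARP 42 Who has 192.0.2.5? Tell 192.0.2.9
2 1.000000 02:00:00:00:00:09 → Broadcast ARP 42 Who has 192.0.2.5? Tell 192.0.2.9
3 2.000000 02:00:00:00:00:07 → Broadcast ARP 42 Who has 192.0.2.5? Tell 192.0.2.7
4 2.000400 02:00:00:00:00:05 → 02:00:00:00:00:07 ARP 60 192.0.2.5 is at 02:00:00:00:00:05
5 3.000000 02:00:00:00:00:07 → Broadcast ARP 42 Who has 192.0.2.9? Tell 192.0.2.7
6 3.000030 02:00:00:00:00:09 → 02:00:00:00:00:07 ARP 42 192.0.2.9 is at 02:00:00:00:00:09
"""

# frame no, time, source, separator (any single token), destination, "ARP", length, info
LINE = re.compile(r"^\s*\d+\s+(\d+\.\d+)\s+(\S+)\s+\S+\s+(\S+)\s+ARP\s+\d+\s+(.*)$")
REQUEST = re.compile(r"Who has (\S+)\? Tell (\S+)")
REPLY = re.compile(r"(\S+) is at (\S+)")

def analyze(text, window=1.0):
    """Return (unanswered, claims) for the ARP lines in a tshark summary.

    unanswered: target IP -> asker IPs whose request saw no reply within `window` s
    claims:     IP -> sorted MACs that answered "is at" for it
    """
    pending = []                  # [time, asker token, target IP, asker IP, answered]
    claims = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # non-ARP traffic
        t, src, dst, info = float(m[1]), m[2], m[3], m[4]
        if q := REQUEST.search(info):
            pending.append([t, src, q[1], q[2], False])
        elif r := REPLY.search(info):
            claims[r[1]].add(r[2])
            for req in pending:   # a reply is unicast back to the asker
                if req[1] == dst and req[2] == r[1] and 0 <= t - req[0] <= window:
                    req[4] = True
    unanswered = defaultdict(list)
    for _, _, target, asker, answered in pending:
        if not answered:
            unanswered[target].append(asker)
    return dict(unanswered), {ip: sorted(macs) for ip, macs in claims.items()}
```

Because ARP replies are unicast, a capture taken on one host only shows the replies that reach that interface, so run it on each capture separately and compare the results.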