Re: help: duplicate MAC address

To: debian-security@lists.debian.org
Subject: Re: help: duplicate MAC address
From: "Lestat V" <dreameration@gmail.com>
Date: Thu, 19 Oct 2006 07:53:29 +0800
Message-id: <[🔎] b2bbfcb60610181653w66b61705jc711f72b61073d0e@mail.gmail.com>
In-reply-to: <[🔎] 20061018230027.GB30401@javifsp.no-ip.org>
References: <[🔎] b2bbfcb60610172009q52a81f70q93b86264e613c152@mail.gmail.com> <[🔎] 20061018230027.GB30401@javifsp.no-ip.org>

Thanx.
On 10/19/06, Javier Fernández-Sanguino Peña <jfs@computer.org> wrote:

On Wed, Oct 18, 2006 at 11:09:35AM +0800, Lestat V wrote:

So, I guess you are saying that if you run 'arp -n' in 'You' and 'Other'
systems in the same VLAN you see this:

Right? How 'peculiar' is that MAC address you are seeing (MAC-X)?


Yes, I mean the same as your illustration.

I think that the 'bridge' option that was brought up in the thread should be
discarded because if you had:


Your argument sounds very reasonable.

1.- Run 'arping MAC-Other'.
    If you get answers from that host then, chances are, there's no bridge in
    between [1], you are being poisoned.


I tried using "arp -an -i eth0" plus "arping [MAC]", and results:
dance:/home/lestat# arp -an -i eth0
? (10.100.105.251) at 00:07:84:52:55:3C [ether] on eth0
? (10.100.105.252) at 00:07:84:52:55:3D [ether] on eth0
? (10.100.105.250) at 00:00:0C:07:AC:00 [ether] on eth0
? (10.100.105.14) at 00:00:0C:07:AC:00 [ether] on eth0
? (10.100.105.1) at 00:00:0C:07:AC:00 [ether] on eth0
AND
arping packets were "100% unanswered"  from .1 and .14's real MAC's (
I get them from their owners), the pecular "00:00:0C:07:AC:00", and
.251(00:07:84:52:55:3C), while did get answered from
.252(00:07:84:52:55:3D).

2.- Run 'tcdump -ni eth0 arp'
    (substitute eth0 with whatever interface you are using, you can also use
     ethereal)


I ping 10.100.105.1 and some other machines while "tcpdump -ni eth0
arp", and got strange things:
07:26:59.473874 arp who-has 10.100.105.78 tell 10.100.105.251
07:27:01.523889 arp who-has 10.100.105.59 tell 10.100.105.105 (I ping it)
07:27:01.524286 arp reply 10.100.105.59 is-at 00:00:0c:07:ac:00
07:27:02.480643 arp who-has 10.100.105.78 tell 10.100.105.251
07:27:09.018116 arp who-has 10.100.105.97 tell 10.100.105.252
07:27:34.600728 arp who-has 10.100.105.13 tell 10.100.105.251
07:27:37.596580 arp who-has 10.100.105.13 tell 10.100.105.251
07:27:44.529843 arp who-has 10.100.105.3 tell 10.100.105.105 (I ping it)
07:27:44.530209 arp reply 10.100.105.3 is-at 00:00:0c:07:ac:00
07:45:15.769629 arp who-has 10.100.105.1 tell 10.100.105.105 (I ping it)
07:45:15.769999 arp reply 10.100.105.1 is-at 00:00:0c:07:ac:00
Look, my ARP request go to myself! While the other machine ask .251 or
.252! Why?

4.- (Do not generate any traffic in the system, this might require you stop a
    number of daemon services that try to connect to other hosts or to the
    Internet) see what ARP packets you get
    in tcpdump Do you see lots of traffic? (gratuitous ARPs for all the network).
    Does your ARP MAC table grow with systems you have not tried to 'talk'
    to?


When I am not ping, no ARP traffic from my machine detected.

Reply to:

Follow-Ups:
- Re: help: duplicate MAC address
  - From: "Lestat V" <dreameration@gmail.com>
- Re: help: duplicate MAC address
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

References:
- help: duplicate MAC address
  - From: "Lestat V" <dreameration@gmail.com>
- Re: help: duplicate MAC address
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: Re: help: duplicate MAC address
Next by Date: Re: help: duplicate MAC address
Previous by thread: Re: help: duplicate MAC address
Next by thread: Re: help: duplicate MAC address
Index(es):
- Date
- Thread