LinuxQuestions.org
Old 06-21-2006, 01:43 AM   #1
gr8paki
LQ Newbie
 
Registered: Jun 2006
Posts: 11

Rep: Reputation: 0
arp cache problem


Hi,

I am facing a problem on the server regarding MAC addresses. I don't know how the server behaves like this. The problem is that the server starts to show the MAC addresses of all connected hosts as the same. I mean, if 30 hosts are connected in the LAN, then when I give the command
$> arp
it shows 30 hosts with different IPs but the same MAC, like this:

host1 ether B2:CC:BA:E9:CB:AE C eth0
host2 ether B2:CC:BA:E9:CB:AE C eth0
host3 ether B2:CC:BA:E9:CB:AE C eth0
host4 ether B2:CC:BA:E9:CB:AE C eth0
host5 ether B2:CC:BA:E9:CB:AE C eth0

Can anyone tell me where the problem is and how I can resolve it?

Response required urgently.


Thanks

Last edited by gr8paki; 06-21-2006 at 01:46 AM.
 
Old 06-22-2006, 01:03 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Is that a real MAC address? I can't find the vendor ID in any online databases of them: http://standards.ieee.org/regauth/oui/index.shtml Sounds like something is masquerading the addresses or something, but knowing who commercially owns that MAC address would help you out an awful lot.
 
Old 06-22-2006, 02:03 AM   #3
gr8paki
LQ Newbie
 
Registered: Jun 2006
Posts: 11

Original Poster
Rep: Reputation: 0
No, there is no MAC like this on our intranet. But it shows specifically this MAC in arp.

I should provide more detail.
It's an internet gateway. LAN on eth0 and internet on eth1. I have masqueraded some IPs also.

It happens suddenly, and when it happens the system doesn't respond to any query, not even ping, on that network interface (eth0). But the other interface, which is connected to the internet (eth1), is working fine. One more thing is that the other computers on the network communicate with each other fine, that is, the network is fine.

When it happened I manually removed all the entries from the arp table and restarted services, but nothing. After some time it starts working by itself. I don't know how.
 
Old 06-22-2006, 03:08 AM   #4
intel_ro
Member
 
Registered: Jun 2006
Location: Romania
Distribution: RH 9, FD 2,3,4,5 Debian
Posts: 37

Rep: Reputation: 15
It's very simple: somebody on your network is making alias addresses.
 
Old 06-23-2006, 02:52 AM   #5
gr8paki
LQ Newbie
 
Registered: Jun 2006
Posts: 11

Original Poster
Rep: Reputation: 0
Please tell me how I can trace it, and if someone is doing it, why is the rest of the network fine?

And this computer cannot ping other systems either.

Please guide.
 
Old 06-23-2006, 12:02 PM   #6
intel_ro
Member
 
Registered: Jun 2006
Location: Romania
Distribution: RH 9, FD 2,3,4,5 Debian
Posts: 37

Rep: Reputation: 15
Use the command arp -a, and then you must pull the cables if you don't have a managed switch; otherwise log on to the switch and read the ARP table from the switch's memory!

Last edited by intel_ro; 06-23-2006 at 12:04 PM.
 
Old 07-03-2006, 04:27 AM   #7
gr8paki
LQ Newbie
 
Registered: Jun 2006
Posts: 11

Original Poster
Rep: Reputation: 0
I think I found some solution. I have manually added arp entries and it's working. But I think it's not a permanent solution. In fact I used 'tcpdump arp' but could not find the packets by which the arp cache was affected. There was no problem in the network, and someone was perhaps sending arp replies.

What else can I do to avoid such attacks, and how else can someone manipulate my arp cache?

I am still anxious to track the person who is doing it. If there is any other solution then please let me know.
 
Old 07-09-2006, 04:53 AM   #8
gr8paki
LQ Newbie
 
Registered: Jun 2006
Posts: 11

Original Poster
Rep: Reputation: 0
Hello!!! Can anyone here diagnose why the arp cache points to a single MAC address and how I can resolve it?
 
Old 07-09-2006, 10:44 AM   #9
gr8paki
LQ Newbie
 
Registered: Jun 2006
Posts: 11

Original Poster
Rep: Reputation: 0
I found some packets.

10.0.0.1 is the server and its MAC is 00:90:27:79:72:B0

21:23:32.894552 b2:cc:ba:e9:cb:ae > 00:90:27:79:72:b0, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.1 tell 10.0.0.103
21:23:32.894561 00:90:27:79:72:b0 > b2:cc:ba:e9:cb:ae, ethertype ARP (0x0806), length 42: arp reply 10.0.0.1 is-at 00:90:27:79:72:b0
21:23:32.894675 c1:f5:b9:e2:c3:f7 > 78:bb:f1:00:c8:08, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.103 tell 10.0.0.1
21:23:32.894816 b2:cc:ba:e9:cb:ae > 00:90:27:79:72:b0, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.1 tell 10.0.0.105
21:23:32.894823 00:90:27:79:72:b0 > b2:cc:ba:e9:cb:ae, ethertype ARP (0x0806), length 42: arp reply 10.0.0.1 is-at 00:90:27:79:72:b0
21:23:32.894928 c1:f5:b9:e2:c3:f7 > 08:b0:f1:00:88:df, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.105 tell 10.0.0.1
21:23:32.895079 b2:cc:ba:e9:cb:ae > 00:90:27:79:72:b0, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.1 tell 10.0.0.112
21:23:32.895086 00:90:27:79:72:b0 > b2:cc:ba:e9:cb:ae, ethertype ARP (0x0806), length 42: arp reply 10.0.0.1 is-at 00:90:27:79:72:b0
21:23:32.895198 c1:f5:b9:e2:c3:f7 > 90:96:3b:00:60:df, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.112 tell 10.0.0.1
21:23:32.895333 b2:cc:ba:e9:cb:ae > 00:90:27:79:72:b0, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.1 tell 10.0.0.166
21:23:32.895340 00:90:27:79:72:b0 > b2:cc:ba:e9:cb:ae, ethertype ARP (0x0806), length 42: arp reply 10.0.0.1 is-at 00:90:27:79:72:b0
21:23:32.895445 c1:f5:b9:e2:c3:f7 > d8:9a:3b:00:50:08, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.166 tell 10.0.0.1
21:23:32.895584 b2:cc:ba:e9:cb:ae > 00:90:27:79:72:b0, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.1 tell 10.0.0.167
21:23:32.895590 00:90:27:79:72:b0 > b2:cc:ba:e9:cb:ae, ethertype ARP (0x0806), length 42: arp reply 10.0.0.1 is-at 00:90:27:79:72:b0
21:23:32.895698 c1:f5:b9:e2:c3:f7 > 58:e8:e2:01:28:08, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.167 tell 10.0.0.1
21:23:32.895836 b2:cc:ba:e9:cb:ae > 00:90:27:79:72:b0, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.1 tell 10.0.0.181
21:23:32.895843 00:90:27:79:72:b0 > b2:cc:ba:e9:cb:ae, ethertype ARP (0x0806), length 42: arp reply 10.0.0.1 is-at 00:90:27:79:72:b0
21:23:32.895960 c1:f5:b9:e2:c3:f7 > a0:ec:e2:01:e8:d4, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.181 tell 10.0.0.1
21:23:32.896103 b2:cc:ba:e9:cb:ae > 00:90:27:79:72:b0, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.1 tell 10.0.0.182
21:23:32.896109 00:90:27:79:72:b0 > b2:cc:ba:e9:cb:ae, ethertype ARP (0x0806), length 42: arp reply 10.0.0.1 is-at 00:90:27:79:72:b0
21:23:32.896488 c1:f5:b9:e2:c3:f7 > e8:f0:e2:01:a0:08, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.182 tell 10.0.0.1
21:23:32.896675 b2:cc:ba:e9:cb:ae > 00:90:27:79:72:b0, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.1 tell 10.0.0.206
 
Old 04-26-2007, 02:25 PM   #10
gr8paki
LQ Newbie
 
Registered: Jun 2006
Posts: 11

Original Poster
Rep: Reputation: 0
Solution

Let me answer it and close it.

Someone was sending fake packets on the intranet and poisoning the cache. Quickly, we can assign static MAC addresses of clients like this on the Linux box:

arp -s 10.0.0.104 00:60:08:52:F2:F0

Then on Windows clients we can assign the static MAC address of the server too:

arp -s 10.0.0.1 00-D1-26-DD-F8-29

On a switched network, tracking the source of such packets is very hard. We can use tools like tcpdump or Ethereal, but most of the work is manual.

Last edited by gr8paki; 04-26-2007 at 02:33 PM.