Hi, someone asked me how hard it would be for a typical university's network people to detect MAC address spoofing. He was getting bandwidth warnings saying that he has used more than five standard deviations of the mean. Since you're required to register your network card before you can access the university's LAN, I guess anytime you plug your computer in, it will know who the computer is registered to based on the MAC address.

So will falsifying the MAC address go unnoticed for the most part, or does the network automatically check for duplicates. If it finds a duplicate, what is the normal course of action?

BTW, nothing illegal is intended, just good old fashion privacy.

This is very easy to do, simply alter the mac of the network card, or if its built in the motherboard. Some network cards/motherboards don't allow this, but most of the better ones do.

I have a MSI K7N2 Delta with on board Networking, and its simply a setting in the BIOS.

Duplicates, are not always detetected, depends on what their using for authentication. I suspect that they would have duplicate detection going on, also they may only authorise MACs to certain locations.

Your probably not the first to think of this. Also they may have had problems in the past with multiple devices having the same MACs ( cheap mass produced stuff, sent out with the same MAC ). Theres a lot to think about with this.

This little utility might help
http://www-nrg.ee.lbl.gov

It'll still be quite diffiicult to catch who's being naughty unless you can keep track of who connected to which port using what mac address at what time.

Gerneally speaking what happens when you have 2 duplicate MAC addresses on the network is that everything will still work, with the only exception that these 2 devices with identical mac addresses won't be able to talk to each other.
Duplicate mac addresses with different ips in the arp table is valid to most operating systems, and it goes undetected(because ARP protocol is stateless ie it'll accept any arp broadcasts, even if it didn't request it)
unless you deliberately try to detect them.

These high end Cisco switches(ok I'm not so familiar with them) probably implements some kind of mac address security, but definitely not these $30 no-brand 8 port switches you buy on the street.

It gives an university campus WAN with more than 2 buildings but for the moment(building A and building B) that is enough. The server of my faculty is in Building B and have MAC Address x.y.z., and have the website of faculty. Suddenly I can reach the faculty website, ICMP doesn't work (ping, traceroute, tracert, until first hop), normally I call at Dept. of Digital Communications and they says that exist in Building A a duplicate of MAC Addres of my server....???? (wtf?) I ask for location they say that will investigate. So, how can I found the IP of the machine with duplicate MAC? How can I trace it in an WAN ?

If I were a mod, I'd cut this last post out and create a new one maybe.

S3TH76, You might use tools like arp, wireshark and maybe a few others to watch data. From there you might be able to get an IP address. In actuality you can use arp to make a static ip address with this unknown mac. Then see if you can get any data off it.

From the prior posts, you can see that a single user may be duplicating the mac. In a strange possibility one could in fact at some time be on a lan with a real, duplicate mac. There aren't enough mac addresses.