This is a discussion on help: duplicate MAC address within the Linux Networking forums, part of the Linux Forums category.
I encounter a situation which I wonder if is abnormal. My Debian computer is connected via a LAN. These days I encounter intermittent network disconnection. Then I tried to find out what is going on. I ping several computers in the LAN including gateway, and then "/usr/sbin/arp -an -i eth0", which command outputted something like:

? (10.100.105.251) at 00:07:84:52:55:3C [ether] on eth0 (I suppose this is one of gateways)
? (10.100.105.252) at 00:07:84:52:55:3D [ether] on eth0 (this is another of gateways I suppose)
? (10.100.105.13) at 00:00:0C:07:AC:00 [ether] on eth0
? (10.100.105.250) at 00:00:0C:07:AC:00 [ether] on eth0 (this seems a common virtual IP for the two gateways)
? (10.100.105.14) at 00:00:0C:07:AC:00 [ether] on eth0

Why do computers other than real IP of gateways have the same peculiar MAC address? Is it normal? If not, what may be going on?

Thanks for response in advance.

dreameration@gmail.com wrote:

> Why do computers other than real IP of gateways have the same peculiar
> MAC address? Is it normal? If not, what may be going on?

There are three possible reasons two IPs on the same network may appear to have the same MAC address:

1) The two IPs are assigned to the same machine and the same interface. So obviously they have the same MAC address.

2) One machine is the gateway to the other (proxy ARP), so both machines appear to have the gateway's MAC address from your vantage point. (Since you transmit *to* the same interface to reach either of them.)

3) Some joker has configured a machine to the same MAC address as another machine. This could happen accidentally if someone hard-coded a MAC in one machine and then copied the configuration to another one.

DS


"David Schwartz" <davids@webmaster.com> wrote in news:1161138602.569181.137470@k70g2000cwa.googlegroups.com:

> dreameration@gmail.com wrote:
>
>> Why do computers other than real IP of gateways have the same peculiar
>> MAC address? Is it normal? If not, what may be going on?
>
> There are three possible reasons two IPs on the same network may appear
> to have the same MAC address:
>
> 1) The two IPs are assigned to the same machine and the same interface.
> So obviously they have the same MAC address.
>
> 2) One machine is the gateway to the other (proxy ARP), so both
> machines appear to have the gateway's MAC address from your vantage
> point. (Since you transmit *to* the same interface to reach either of
> them.)
>
> 3) Some joker has configured a machine to the same MAC address as
> another machine. This could happen accidentally if someone hard-coded a
> MAC in one machine and then copied the configuration to another one.

I just recently had this happen with two factory-installed NICs. Same brand, same model, same MAC address. No changes to the factory config.

I always thought the chance of this happening was very remote, but there it was.

--
TeGGeR®
The Unofficial Honda/Acura FAQ
www.tegger.com/hondafaq/

David Schwartz wrote:
> dreameration@gmail.com wrote:
>
> > Why do computers other than real IP of gateways have the same peculiar

Thanks.
I tried some other tests on two other computers in the same LAN. On these two machines I ping and "arp" as I did in my own computer, and got different results: on them, the computers that on my ARP table have the same MAC address as gateway have unique and different MAC address, while only my computer on their ARP table has the same MAC as the gateway.

David Schwartz wrote:
> dreameration@gmail.com wrote:
>
> > Why do computers other than real IP of gateways have the same peculiar

Thanks.
I tried some other tests on two other computers in the same LAN. On these two machines I ping and "arp" as I did in my own computer, and got different results: on them, the computers that on my ARP table have the same MAC address as gateway have unique and different MAC address, while only my computer on their ARP table has the same MAC as the gateway, not my real MAC as shown in "ifconfig" output.

In article <1161140582.605966.76350@m7g2000cwm.googlegroups.com>, <dreameration@gmail.com> wrote:
>David Schwartz wrote:
>> dreameration@gmail.com wrote:
>>
>> > Why do computers other than real IP of gateways have the same peculiar
>
>Thanks.
>I tried some other tests on two other computers in the same LAN. On
>these two machines I ping and "arp" as I did in my own computer, and
>got different results: on them, the computers that on my ARP table have
>the same MAC address as gateway have unique and different MAC address,
>while only my computer on their ARP table has the same MAC as the
>gateway, not my real MAC as shown in "ifconfig" output.

Maybe the .13/.14 machine on your network is intercepting your machine's traffic via ARP spoofing? That machine sends your machine a spoofed ARP packet telling your machine to use its own MAC address when (you think you're) talking to the gateway.

================= GPS based time synchronization solutions =================
Patrick Klos                           Email: patrick@timegeeks.com
Klos Technologies, Inc.                Web: http://www.timegeeks.com/
============================================================================

On 17 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article <1161135414.678150.181780@i42g2000cwa.googlegroups.com>, dreameration@gmail.com wrote:

>Then I tried to find out what is going on. I ping several computers in
>the LAN including gateway, and then "/usr/sbin/arp -an -i eth0", which
>command outputted something like :

Something like??? What exactly? (IP addresses can be munged without too much of a problem, but the actual MAC addresses must be shown.)

>? (10.100.105.251) at 00:07:84:52:55:3C [ether] on eth0 (I suppose this
>is one of gateways)
>? (10.100.105.252) at 00:07:84:52:55:3D [ether] on eth0 (this is
>another of gateways I suppose)

[compton ~]$ etherwhois 00:07:84
00-07-84 (hex) Cisco Systems Inc.
000784 (base 16) Cisco Systems Inc.
170 West Tasman Dr.
San Jose CA 95134
UNITED STATES
[compton ~]$

Well, they are from Cisco, but why not look at your routing table - are those IP addresses listed as gateways in '/sbin/route -n'?

>? (10.100.105.13) at 00:00:0C:07:AC:00 [ether] on eth0
>? (10.100.105.250) at 00:00:0C:07:AC:00 [ether] on eth0( this seems a
>common virtual IP for the two gateway)
>? (10.100.105.14) at 00:00:0C:07:AC:00 [ether] on eth0

[compton ~]$ etherwhois 00:00:0C
00-00-0C (hex) CISCO SYSTEMS, INC.
00000C (base 16) CISCO SYSTEMS, INC.
170 WEST TASMAN DRIVE
SAN JOSE CA 95134-1706
UNITED STATES
[compton ~]$

That's the original OUI allocation to Cisco.

>Why do computers other than real IP of gateways have the same peculiar
>MAC address? Is it normal? If not, what may be going on?

You should ask your network administrator. Given these are Cisco MACs, my first thought would be Proxy-ARP - where 10.100.105.13 and 10.100.105.14 might be located on a different network cable, and 10.100.105.250 is forwarding packets for those addresses.

-rw-rw-r-- 1 gferg ldp 19372 Aug 28 2000 Proxy-ARP-Subnet

That mini-howto may be on your system, or you can find it on the web using a search engine.

Old guy

Moe Trin wrote:
> On 17 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> <1161135414.678150.181780@i42g2000cwa.googlegroups.com>, dreameration@gmail.com
> wrote:
>
> Something like??? What exactly? (IP addresses can be munged without
> too much of a problem, but the actual MAC addresses must be shown.)

The IP and MAC addresses are exact.

> Well, they are from Cisco, but why not look at your routing table - are
> those IP addresses listed as gateways in '/sbin/route -n'?

.250 is my gateway as "route -n" indicates.

Another question: as indicated by "traceroute", packets from my machine go out via .251 rather than .250 which is shown as gateway with "route -n" command.

On 18 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article <1161210356.070930.213140@f16g2000cwb.googlegroups.com>, dreameration@gmail.com wrote:

>The IP and MAC addresses are exact.

OK - when you said "something like" rather than "exactly", I misunderstood what you meant. People tend to be nervous about showing IP addresses, but you are showing RFC1918 addresses that can not be "attacked" from the Internet (people so worry about that, forgetting that these addresses are not reachable from the Internet).

On the other hand, MAC addresses are useless outside of the local collision domain where they reside, yet some people think they would also permit "attacks" if they were published. Actually, the information is needed for troubleshooting, and serves little other useful purpose.

>.250 is my gateway as "route -n" indicates.
>
>Another question: as indicated by "traceroute", packets from my machine
>go out via .251 rather than .250 which is shown as gateway with "route
>-n" command.

I'd run a packet sniffer, such as tcpdump or wireshark (formerly ethereal) and look at the headers - particularly the TTL which is four octets (bytes) before the "source" IP address in the IP header.

I don't know what your network looks like, but this sounds like some form of bridged setup. Do you know what kind of hardware 10.100.105.251 and 10.100.105.252 are as opposed to the much older hardware at 10.100.105.250?

Old guy

Moe Trin wrote:
> On 18 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> <1161210356.070930.213140@f16g2000cwb.googlegroups.com>, dreameration@gmail.com
> wrote:
>
> OK - when you said "something like" rather than "exactly", I misunderstood
> what you meant. People tend to be nervous about showing IP addresses, but
> you are showing RFC1918 addresses that can not be "attacked" from the
> Internet (people so worry about that, forgetting that these addresses are
> not reachable from the Internet).
>
> On the other hand, MAC addresses are useless outside of the local collision
> domain where they reside, yet some people think they would also permit
> "attacks" if they were published. Actually, the information is needed for
> troubleshooting, and serves little other useful purpose.

Thank you for your explanation ;-)

> I don't know what your network looks like, but this sounds like some form
> of bridged setup. Do you know what kind of hardware 10.100.105.251 and
> 10.100.105.252 are as opposed to the much older hardware at 10.100.105.250?

I think what I got after I tried "tcpdump" and "arping" may serve as a helpful clue.
(I excerpt some of the outputs):

$arping 10.100.105.1
60 bytes from 00:07:84:52:55:3c (10.100.105.1): index=0 time=619.173 usec
60 bytes from 00:07:84:52:55:3c (10.100.105.1): index=0 time=619.173 usec

$arping 10.100.105.13
60 bytes from 00:e0:4c:8c:a2:d1 (10.100.105.13): index=0 time=393.152 usec
60 bytes from 00:07:84:52:55:3c (10.100.105.13): index=1 time=472.069 usec

$arping 10.100.105.251
60 bytes from 00:07:84:52:55:3c (10.100.105.251): index=0 time=380.993 usec
60 bytes from 00:07:84:52:55:3c (10.100.105.252): index=1 time=465.870 usec

$arping 10.100.105.252
60 bytes from 00:07:84:52:55:3d (10.100.105.252): index=0 time=386.000 usec
60 bytes from 00:07:84:52:55:3c (10.100.105.252): index=1 time=465.870 usec

$arping 10.100.105.250
60 bytes from 00:00:0c:07:ac:00 (10.100.105.250): index=0 time=426.054 usec
60 bytes from 00:00:0c:07:ac:00 (10.100.105.250): index=1 time=391.006 usec

$tcpdump -ei eth0 arp
12:01:34.991778 00:07:84:52:55:3c (oui Unknown) > 00:11:2f:57:9b:6f (oui Unknown), ethertype ARP (0x0806), length 60: arp reply 10.100.105.1 is-at 00:00:0c:07:ac:00 (oui Cisco)
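
Added example, not part of any post in the thread: the Python below runs the two checks the posters made by eye over the arp and arping output quoted above, listing MACs that the ARP cache maps to several IPs and IPs that more than one MAC answered for. The function names are hypothetical, the samples are the thread's own lines with the poster's annotations removed, and the HSRP label relies on the well-known Cisco HSRP version 1 virtual MAC range, which the thread itself does not mention.

```python
import re
from collections import defaultdict

# Output quoted in the thread (poster's parenthetical notes removed).
ARP_TABLE = """\
? (10.100.105.251) at 00:07:84:52:55:3C [ether] on eth0
? (10.100.105.252) at 00:07:84:52:55:3D [ether] on eth0
? (10.100.105.13) at 00:00:0C:07:AC:00 [ether] on eth0
? (10.100.105.250) at 00:00:0C:07:AC:00 [ether] on eth0
? (10.100.105.14) at 00:00:0C:07:AC:00 [ether] on eth0
"""
ARPING = """\
60 bytes from 00:e0:4c:8c:a2:d1 (10.100.105.13): index=0 time=393.152 usec
60 bytes from 00:07:84:52:55:3c (10.100.105.13): index=1 time=472.069 usec
60 bytes from 00:00:0c:07:ac:00 (10.100.105.250): index=0 time=426.054 usec
60 bytes from 00:00:0c:07:ac:00 (10.100.105.250): index=1 time=391.006 usec
"""

ARP_RE = re.compile(r"\((\d+(?:\.\d+){3})\) at ([0-9A-Fa-f:]{17})\b")
ARPING_RE = re.compile(r"from ([0-9A-Fa-f:]{17}) \((\d+(?:\.\d+){3})\)")
# Cisco HSRPv1 virtual MACs are 00:00:0c:07:ac:XX (fact added here, not from the thread).
HSRP_V1_PREFIX = "00:00:0c:07:ac"

def shared_macs(arp_text):
    """MAC -> sorted IPs, for MACs the ARP cache maps to more than one IP."""
    by_mac = defaultdict(set)
    for ip, mac in ARP_RE.findall(arp_text):
        by_mac[mac.lower()].add(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

def conflicting_replies(arping_text):
    """IP -> sorted MACs, for IPs that more than one MAC answered for."""
    by_ip = defaultdict(set)
    for mac, ip in ARPING_RE.findall(arping_text):
        by_ip[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}

def report(arp_text, arping_text):
    """One line per finding, for handing to the network administrator."""
    lines = []
    for mac, ips in shared_macs(arp_text).items():
        kind = "HSRP virtual MAC" if mac.startswith(HSRP_V1_PREFIX) else "unicast MAC"
        lines.append(f"{mac} ({kind}) claimed for {', '.join(ips)}")
    for ip, macs in conflicting_replies(arping_text).items():
        lines.append(f"{ip} answered by {' and '.join(macs)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(ARP_TABLE, ARPING)))
```

A shared virtual MAC alone does not distinguish proxy ARP from spoofing; the second check, which shows a host's own NIC and a router both answering for the same IP, is the finding to confirm with whoever runs the gateways.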