help: duplicate MAC address

I encouter a situation which I wonder if is abnormal. My Debian
computer is connected via an LAN. These day I encouter intermittent
network disconnection. Then I tried to find out what is going on. I
ping several computer in the LAN including gateway, and then
"/usr/sbin/arp -an -i eth0", which command outputed something like :

? (10.100.105.251) at 00:07:84:52:55:3C [ether] on eth0 (I suppose this
is one of gateways)
? (10.100.105.252) at 00:07:84:52:55:3D [ether] on eth0 (this is
another of gateways I suppose)
? (10.100.105.13) at 00:00:0C:07:AC:00 [ether] on eth0
? (10.100.105.250) at 00:00:0C:07:AC:00 [ether] on eth0( this seems a
common virtual IP for the two gateway)
? (10.100.105.14) at 00:00:0C:07:AC:00 [ether] on eth0

Why do computers other than real IP of gateways have the same pecular
MAC address? Is it normal? If not, what may be going on?

Thanks for response in advance.

(E-Mail Removed) wrote:

> Why do computers other than real IP of gateways have the same pecular
> MAC address? Is it normal? If not, what may be going on?

There are three possible reasons two IPs on the same network may appear
to have the same MAC address:

1) The two IPs are assigned to the same machine and the same interface.
So obviously they have the same MAC address.

2) One machine is the gateway to the other (proxy ARP), so both
machines appear to have the gateway's MAC address from your vantage
point. (Since you transmit *to* the same interface to reach either of
them.)

3) Some joker has configured a machine to the same MAC address as
another machine. This could happen accidentally if someone hard-coded a
MAC in one machine and then copied the configuration to another one.

DS

"David Schwartz" <(E-Mail Removed)> wrote in
news:(E-Mail Removed) oups.com:

>
> (E-Mail Removed) wrote:
>
>> Why do computers other than real IP of gateways have the same pecular
>> MAC address? Is it normal? If not, what may be going on?
>
> There are three possible reasons two IPs on the same network may appear
> to have the same MAC address:
>
> 1) The two IPs are assigned to the same machine and the same interface.
> So obviously they have the same MAC address.
>
> 2) One machine is the gateway to the other (proxy ARP), so both
> machines appear to have the gateway's MAC address from your vantage
> point. (Since you transmit *to* the same interface to reach either of
> them.)
>
> 3) Some joker has configured a machine to the same MAC address as
> another machine. This could happen accidentally if someone hard-coded a
> MAC in one machine and then copied the configuration to another one.
>



I just recently had this happen with two factory-installed NICs. Same
brand, same model, same MAC address, No changes to the factory config.

I always thought the chance of this happening was very remote, but there
it was.



--
TeGGeR®

The Unofficial Honda/Acura FAQ
www.tegger.com/hondafaq/

David Schwartz wrote:
> (E-Mail Removed) wrote:
>
> > Why do computers other than real IP of gateways have the same pecular

Thanks.
I tried some other tests on two other computer in the same LAN. On
these two machines I ping and "arp" as I did in my own computer, and
got different results: on them, the computers that on my ARP table have
the same MAC address as gateway have unique and different MAC address,
while only my computer on their ARP table has the same MAC as the
gateway.

David Schwartz wrote:
> (E-Mail Removed) wrote:
>
> > Why do computers other than real IP of gateways have the same pecular

Thanks.
I tried some other tests on two other computer in the same LAN. On
these two machines I ping and "arp" as I did in my own computer, and
got different results: on them, the computers that on my ARP table have
the same MAC address as gateway have unique and different MAC address,
while only my computer on their ARP table has the same MAC as the
gateway not my real MAC as shown as "ifconfig" output.

TeGGeR® wrote:
>
> I just recently had this happen with two factory-installed NICs. Same
> brand, same model, same MAC address, No changes to the factory config.
>
> I always thought the chance of this happening was very remote, but there
> it was.
>
The manufacturer is supposed to make sure that each card is issued with
a unique MAC address. What the user does subsequently is up to the user.
Of course, there are valid reasons for specifically assigning your own
MAC, I've done it to a machine where I had to replace the ethernet card
and some software was node-locked to the old card address. Or if you've
got a cable internet connection you might want to keep the
outward-facing MAC address constant when you change PC our router
connected to the cable modem.

--
Dave
mail da (E-Mail Removed) (without the space)
http://www.llondel.org
So many gadgets, so little time

In article <(E-Mail Removed) om>,
<(E-Mail Removed)> wrote:
>David Schwartz wrote:
>> (E-Mail Removed) wrote:
>>
>> > Why do computers other than real IP of gateways have the same pecular
>
>Thanks.
>I tried some other tests on two other computer in the same LAN. On
>these two machines I ping and "arp" as I did in my own computer, and
>got different results: on them, the computers that on my ARP table have
>the same MAC address as gateway have unique and different MAC address,
>while only my computer on their ARP table has the same MAC as the
>gateway not my real MAC as shown as "ifconfig" output.

Maybe the .13/.14 machine on your network is intercepting your machine's
traffic via ARP spoofing? That machine sends your machine a spoofed ARP
packet telling your machine to use its own MAC address when (you think
you're) talking to the gateway.

================= GPS based time synchronization solutions =================
Patrick Klos Email: (E-Mail Removed)
Klos Technologies, Inc. Web: http://www.timegeeks.com/
================================================== ==========================

On 17 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, (E-Mail Removed)
wrote:

>Then I tried to find out what is going on. I ping several computer in
>the LAN including gateway, and then "/usr/sbin/arp -an -i eth0", which
>command outputed something like :

Something like??? What exactly? (IP addresses can be munged without
to much of a problem, but the actual MAC addresses must be shown.)

>? (10.100.105.251) at 00:07:84:52:55:3C [ether] on eth0 (I suppose this
>is one of gateways)
>? (10.100.105.252) at 00:07:84:52:55:3D [ether] on eth0 (this is
>another of gateways I suppose)

[compton ~]$ etherwhois 00:07:84
00-07-84 (hex) Cisco Systems Inc.
000784 (base 16) Cisco Systems Inc.
170 West Tasman Dr.
San Jose CA 95134
UNITED STATES
[compton ~]$

Well, they are from Cisco, but why not look at your routing table - are
those IP addresses listed as gateways in '/sbin/route -n'?

>? (10.100.105.13) at 00:00:0C:07:AC:00 [ether] on eth0
>? (10.100.105.250) at 00:00:0C:07:AC:00 [ether] on eth0( this seems a
>common virtual IP for the two gateway)
>? (10.100.105.14) at 00:00:0C:07:AC:00 [ether] on eth0

[compton ~]$ etherwhois 00:00:0C
00-00-0C (hex) CISCO SYSTEMS, INC.
00000C (base 16) CISCO SYSTEMS, INC.
170 WEST TASMAN DRIVE
SAN JOSE CA 95134-1706
UNITED STATES
[compton ~]$

That's the original OUI allocation to Cisco.

>Why do computers other than real IP of gateways have the same pecular
>MAC address? Is it normal? If not, what may be going on?

You should ask your network administrator. Given these are Cicso MACs,
my first thought would be Proxy-ARP - where 10.100.105.13 and 10.100.105.14
might be located on a different network cable, and 10.100.105.250 is
forwarding packets for those addresses.

-rw-rw-r-- 1 gferg ldp 19372 Aug 28 2000 Proxy-ARP-Subnet

That mini-howto may be on your system, or you can find it on the web using
a search engine.

Old guy

Moe Trin wrote:
> On 17 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
> <(E-Mail Removed) .com>, (E-Mail Removed)
> wrote:
>
> Something like??? What exactly? (IP addresses can be munged without
> to much of a problem, but the actual MAC addresses must be shown.)

The IP and MAC addresses are exact.

> Well, they are from Cisco, but why not look at your routing table - are
> those IP addresses listed as gateways in '/sbin/route -n'?

..250 is my gateway as "route -n" indicates.

Another question: as indicated by "traceroute", packets from my machine
go out via .251 rather than .250 which is shown as gateway with "route
-n" command.

On 18 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, (E-Mail Removed)
wrote:

>The IP and MAC addresses are exact.

OK - when you said "something like" rather than "exactly", I misunderstood
what you meant. People tend to be nervous about showing IP addresses, but
you are showing RFC1918 addresses that can not be "attacked" from the
Internet (people so worry about that, forgetting that these addresses are
not reachable from the Internet).

On the other hand, MAC addresses are useless outside of the local collision
domain where they reside, yet some people think they would also permit
"attacks" if they were published. Actually, the information is needed for
troubleshooting, and serves little other useful purpose.

>.250 is my gateway as "route -n" indicates.
>
>Another question: as indicated by "traceroute", packets from my machine
>go out via .251 rather than .250 which is shown as gateway with "route
>-n" command.

I'd run a packet sniffer, such as tcpdump or wireshark (formerly ethereal)
and look at the headers - particularly the TTL which is four octets (bytes)
before the "source" IP address in the IP header.

I don't know what your network looks like, but this sounds like some form
of bridged setup. Do you know what kind of hardware 10.100.105.251 and
10.100.105.252 are as opposed to the much older hardware at 10.100.105.250?

Old guy