NIC Having Multiple IP Addresses?

 
 
Anonymous

 
      07-24-2006, 12:23 PM
Dear All,

I am running slackware 10.0 on a PC which is part of an Ethernet Local
Area Network.
When I do the following

# ifconfig eth0 down

the lights on the ethernet switch port to which the computer is
connected still keep blinking.
Which means there is still traffic flowing to and from the computer!
This should not be the
case as the /dev/eth0 has only one IP assigned to it.

Is there such a possibility that the interface card is assigned two IP
addresses, the
malicious one being not shown up in the ifconfig output and the
interface still keeps running
despite I turned it off?

If so, then how do I find and confirm this happening?

This, in fact, happened to a windows machine that I had. I 'disabled'
the internet connection
and still the machine responded ping to an IP address that did not show
up anywhere in
the output of ipconfig. The switch lights also kept blinking. This was
later discovered to be set-up on that particular machine in the
registry settings.

Thanks in advance for anyone helping me into this!

A.

 
 
 
 
 
Dave Uhring

 
      07-24-2006, 01:12 PM
On Mon, 24 Jul 2006 05:23:51 -0700, Anonymous wrote:

> Is there such a possibility that the interface card is assigned two IP
> addresses, the
> malicious one being not shown up in the ifconfig output and the
> interface still keeps running
> despite I turned it off?
>
> If so, then how do I find and confirm this happening?


$ /sbin/ifconfig -a

 
 
Anonymous

 
      07-24-2006, 02:00 PM

Dave Uhring wrote:
> On Mon, 24 Jul 2006 05:23:51 -0700, Anonymous wrote:
>
> > Is there such a possibility that the interface card is assigned two IP
> > addresses, the
> > malicious one being not shown up in the ifconfig output and the
> > interface still keeps running
> > despite I turned it off?
> >
> > If so, then how do I find and confirm this happening?

>
> $ /sbin/ifconfig -a


I did this and it still shows the same output as /sbin/ifconfig. No
further details!
Is there any other tool that directly queries the NIC without going
through OS calls?
First three octets of the Ethernet address are: 00:0C:F1 -- which
ethereal shows to be Intel. So any vendor made tool or any other thing
that I can probably use?

Thanks in advance for any help!

A.

 
 
Allen Kistler

 
      07-24-2006, 02:08 PM
Anonymous wrote:
> Dear All,
>
> I am running slackware 10.0 on a PC which is part of an Ethernet Local
> Area Network.
> When I do the following
>
> # ifconfig eth0 down
>
> the lights on the ethernet switch port to which the computer is
> connected still keep blinking.
> Which means there is still traffic flowing to and from the computer!
>
> [snip]


Which means the NIC is still electrically active (because it still has
power), so the switch forwards it broadcasts, arp requests, and anything
else it can't filter based on MAC address. The only way to stop that is
to power down the computer or unplug the network cable. If your
computer has wake-on-lan, even powering down won't stop the traffic.

Nothing bad is happening.
 
 
David Efflandt

 
      07-24-2006, 03:35 PM
On 24 Jul 2006 05:23:51 -0700, Anonymous wrote:
> Dear All,
>
> I am running slackware 10.0 on a PC which is part of an Ethernet Local
> Area Network.
> When I do the following
>
> # ifconfig eth0 down
>
> the lights on the ethernet switch port to which the computer is
> connected still keep blinking.
> Which means there is still traffic flowing to and from the computer!
> This should not be the
> case as the /dev/eth0 has only one IP assigned to it.
>
> Is there such a possibility that the interface card is assigned two IP
> addresses, the
> malicious one being not shown up in the ifconfig output and the
> interface still keeps running
> despite I turned it off?


A couple of possibilities are that the nic is still connected, therefore,
it may autonegotiate speed with a switch, or would see traffic on a hub.

It may also still receive arp inquiries or may be in the arp cache of
another machine. Linux typically answers arp requests for any IP on it,
even from a different interface (even though a firewall may prevent
actually connecting to such an IP).

It is actually possible to connect to some devices by manually setting an
arp entry on another machine. For example routers and other devices can
often be initially configured by manually assigning them an IP in your
local arp, and using that IP to access their web or telnet config. That
often helps if you do not have DHCP, but need to configure a device
without Windows software.

So the only sure way to stop traffic on a nic is to unplug it.
 
 
Llanzlan Klazmon

 
      07-25-2006, 12:59 AM
Allen Kistler wrote in news:Mv4xg.178480$F_3.91757@newssvr29.news.prodigy.net:

> Anonymous wrote:
>> Dear All,
>>
>> I am running slackware 10.0 on a PC which is part of an Ethernet Local
>> Area Network.
>> When I do the following
>>
>> # ifconfig eth0 down
>>
>> the lights on the ethernet switch port to which the computer is
>> connected still keep blinking.
>> Which means there is still traffic flowing to and from the computer!
>>
>> [snip]

>
> Which means the NIC is still electrically active (because it still has
> power), so the switch forwards it broadcasts, arp requests, and anything
> else it can't filter based on MAC address. The only way to stop that is
> to power down the computer or unplug the network cable. If your
> computer has wake-on-lan, even powering down won't stop the traffic.
>
> Nothing bad is happening.
>


If the switch is a managed one then he could disable the port on the
switch.

Kalzmon.
 
 
Chris Davies

 
      07-25-2006, 11:06 AM
Anonymous wrote:
> When I do the following
> # ifconfig eth0 down
> the lights on the ethernet switch port to which the computer is
> connected still keep blinking. Which means there is still traffic
> flowing to and from the computer!


Actually that's quite correct and normal. Ifconfig does not interrupt
the physical network layer, so the switch knows there's something still
plugged in. So it continues to route broadcast traffic (ARP requests,
for example). For a short time after you've done the ifdown the switch
will also continue to route traffic for that interface as it will have
learned that the interface was accepting (and generating) traffic.

You can check the physical link status with a tool such as "mii-tool".
Here are three example outputs:

# mii-tool eth0
SIOCGMIIPHY on 'eth0' failed: Invalid argument

There's a physical link but the interface is not configured. This
should correspond to the situation you've described

# mii-tool eth1
eth1: negotiated 100baseTx-FD, link ok

There's a physical link and it's got IP configuration

# mii-tool eth2
eth2: no link

There's no cable plugged in


> Is there such a possibility that the interface card is assigned two
> IP addresses


Yes that's quite possible

> the malicious one being not shown up in the ifconfig
> output and the interface still keeps running despite I turned it off?


But this bit is very unlikely.


> If so, then how do I find and confirm this happening?


Try "ifconfig" to see all the active interfaces. If it's not showing up
in the ifconfig output then you may have been rooted, and it probably
won't show anywhere else.

Chris
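
Added example, not part of any post in this thread: net-tools ifconfig prints one IPv4 address per interface name, so a secondary address added without an alias label never appears in it, while the kernel's local routing table still lists it. The script below compares the two views; it assumes a kernel that exposes /proc/net/fib_trie, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report IPv4 addresses the kernel holds as local that
# ifconfig does not display. Assumes a kernel exposing /proc/net/fib_trie.

# Addresses marked "/32 host LOCAL" in fib_trie-format text on stdin.
local_addrs() {
    awk '$1 == "|--" { addr = $2 }
         $1 == "/32" && $2 == "host" && $3 == "LOCAL" { print addr }' | sort -u
}

# IPv4 addresses shown in ifconfig-format text on stdin; accepts both the
# old "inet addr:A.B.C.D" and the newer "inet A.B.C.D" layouts.
ifconfig_addrs() {
    awk '$1 == "inet" { a = $2; sub(/^addr:/, "", a); print a }' | sort -u
}

# hidden_addrs FIB_TEXT IFCONFIG_TEXT: local addresses ifconfig left out.
hidden_addrs() {
    shown=$(printf '%s\n' "$2" | ifconfig_addrs)
    printf '%s\n' "$1" | local_addrs | while read -r a; do
        printf '%s\n' "$shown" | grep -qxF -- "$a" || printf '%s\n' "$a"
    done
}

# Constructed sample data (not taken from the thread).
SAMPLE_FIB='Local:
  +-- 0.0.0.0/0 3 0 5
     +-- 127.0.0.0/8 2 0 2
        |-- 127.0.0.0
           /8 host LOCAL
        |-- 127.0.0.1
           /32 host LOCAL
     +-- 192.168.1.0/24 2 0 2
        |-- 192.168.1.10
           /32 host LOCAL
        |-- 192.168.1.77
           /32 host LOCAL
        |-- 192.168.1.255
           /32 link BROADCAST'
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0C:F1:00:00:01
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

hidden_addrs "$SAMPLE_FIB" "$SAMPLE_IFCONFIG"
# On a live host: hidden_addrs "$(cat /proc/net/fib_trie)" "$(/sbin/ifconfig -a)"
```

Both views are produced by the running kernel, so a clean result here says nothing about the rooted case; for that, watch the switch port's traffic from a second machine.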
 
 
Anonymous

 
      07-27-2006, 11:08 AM

Chris Davies wrote:
> Anonymous wrote:
> > When I do the following
> > # ifconfig eth0 down
> > the lights on the ethernet switch port to which the computer is
> > connected still keep blinking. Which means there is still traffic
> > flowing to and from the computer!

>
> Actually that's quite correct and normal. Ifconfig does not interrupt
> the physical network layer, so the switch knows there's something still
> plugged in. So it continues to route broadcast traffic (ARP requests,
> for example). For a short time after you've done the ifdown the switch
> will also continue to route traffic for that interface as it will have
> learned that the interface was accepting (and generating) traffic.
>
> You can check the physical link status with a tool such as "mii-tool".
> Here are three example outputs:
>
> # mii-tool eth0
> SIOCGMIIPHY on 'eth0' failed: Invalid argument
>
> There's a physical link but the interface is not configured. This
> should correspond to the situation you've described
>
> # mii-tool eth1
> eth1: negotiated 100baseTx-FD, link ok
>
> There's a physical link and it's got IP configuration
>
> # mii-tool eth2
> eth2: no link
>
> There's no cable plugged in
>
>
> > Is there such a possibility that the interface card is assigned two
> > IP addresses

>
> Yes that's quite possible
>
> > the malicious one being not shown up in the ifconfig
> > output and the interface still keeps running despite I turned it off?

>
> But this bit is very unlikely.
>
>
> > If so, then how do I find and confirm this happening?

>
> Try "ifconfig" to see all the active interfaces. If it's not showing up
> in the ifconfig output then you may have been rooted, and it probably
> won't show anywhere else.
>
> Chris


Interesting result in my situation:

#ifconfig eth0 down
#ifconfig
gives details of lo (loopback) interface. NO other interface or IP
shows up.

#mii-tool eth0
eth0: negotiated 100baseTx-FD, link ok

Which means that it still has an IP assigned.

What would that mean? Any advice on how should I proceed further?
How should I find the dubious IP assigned to the machine? I would then
probably use
a sniffer to watch the traffic flow from that IP?

Any help will be greatly appreciated. Many thanks in advance!

A.

 
 
Philippe WEILL

 
      07-27-2006, 01:48 PM


Anonymous wrote:

> Interesting result in my situation:
>
> #ifconfig eth0 down
> #ifconfig
> gives details of lo (loopback) interface. NO other interface or IP
> shows up.
>
> #mii-tool eth0
> eth0: negotiated 100baseTx-FD, link ok
>
> Which means that it still has an IP assigned.


NO, link is ok on ETHERNET LEVEL, not IP

>
> What would that mean? Any advice on how should I proceed further?
> How should I find the dubious IP assigned to the machine? I would then
> probably use
> a sniffer to watch the traffic flow from that IP?
>


you don't need an ip address to sniff traffic on ethernet

> Any help will be greatly appreciated. Many thanks in advance!
>
> A.
>

 
 
iforone

 
      07-28-2006, 07:17 PM

Philippe WEILL wrote:
> Anonymous wrote:
>
> > Interesting result in my situation:
> >
> > #ifconfig eth0 down
> > #ifconfig
> > gives details of lo (loopback) interface. NO other interface or IP
> > shows up.


For me (and I guess because somehow IPv6 is installed) -- Mine shows
~$ sudo ifconfig
shows eth0 and lo

whereas;
~$ sudo ifconfig -a
shows eth0 and lo, and sit0
---------
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)


--------

Also note: I have the WOL wire connected to the Mobo header -- so even
when I power down completely the NIC indicator light (LED) remains on
-- however, I don't notice any d/l traffic from the other LEDs. Hrmm, I
wonder if upload traffic would show as a flashing LED as well.

> > #mii-tool eth0
> > eth0: negotiated 100baseTx-FD, link ok
> >
> > Which means that it still has an IP assigned.


Is it possible you have "Zeroconf" installed ? and perhaps Windoze's
NetBEUI (non-routable), or NetBIOS (a shame and not really a protocol)
-- or even a Macintosh's box is still trying to communicate with the
device(NIC) -- EVEN THOUGH, the TCP/IP link (ifdown) is down.

Many of the other responders mention arp packets and such -- referring
to what i call general network 'chatter' -- but I'm very green in this
area, and even on Linux (Debian Sid)

> NO, link is ok on ETHERNET LEVEL, not IP


I'm having a little trouble understanding that above comment, as it
relates to the results of "mii-tool" -- can you please perhaps
elaborate a bit more ? It 'seems' to conflict with what
Chris Davies suggested -- the output of mii-tools appears to still
show an IP config up and running. Possible that the OPs ifup/ifdown
commands didn't actually work as thought ??

> > What would that mean? Any advice on how should I proceed further?
> > How should I find the dubious IP assigned to the machine? I would then
> > probably use
> > a sniffer to watch the traffic flow from that IP?


> you don't need an ip address to sniff traffic on ethernet


So - do I understand ? most of the OP's issue(s) have to do with the 7
different "Network" layers, and perhaps the OP (and I) am confusing
what occurs (or can/cannot) at any given layer?

> > Any help will be greatly appreciated. Many thanks in advance!


Thanks from me as well

Regards

 