
I'm experiencing an issue that's causing a lot of problems on our LAN.

I have a Windows Server with a single NIC, 192.168.0.100

I have certain services running on the server that I am having connection issues with, the SQL database being one.

When assessing this issue I notice that if I send a broadcast ARP request for the IP 192.168.0.100 it returns a bunch of different MAC addresses, including the correct MAC address of the server. I get 8 different addresses in the response.

I assume this is causing the connection issues.

My question is: I've cleared the ARP table on all our switches and routers (I restarted them also). How can I find out where these are stored, and why are they responding for this IP?

Thanks in advance

From my linux machine:

rh@deb-967:~$ arping -b 192.168.0.100
ARPING 192.168.0.100 from 192.168.0.16 eth0

Unicast reply from 192.168.0.100 [xx:xx:xx:xx:BB:A9]  0.582ms
Unicast reply from 192.168.0.100 [xx:xx:xx:xx:CR:23]  0.602ms
Unicast reply from 192.168.0.100 [xx:xx:xx:xx:C8:76]  0.613ms
Unicast reply from 192.168.0.100 [xx:xx:xx:xx:NH:K9]  0.623ms
Unicast reply from 192.168.0.100 [xx:xx:xx:xx:HG:39]  0.632ms
Unicast reply from 192.168.0.100 [xx:xx:xx:xx:CF:02]  0.643ms  <<-- Correct Mac
Unicast reply from 192.168.0.100 [xx:xx:xx:xx:E6:49]  0.652ms
Unicast reply from 192.168.0.100 [xx:xx:xx:xx:DH:BU]  0.662ms
^CSent 1 probes (1 broadcast(s))
Received 8 response(s)

When I perform the same for a LAN server that's functioning correctly I get...

rh@deb-967:~$ arping -b 192.168.0.112
ARPING 192.168.0.112 from 192.168.0.16 eth0
Unicast reply from 192.168.0.112 [xx:xx:xx:xx:xx:32]  0.659ms <-- Correct MAC
Unicast reply from 192.168.0.112 [xx:xx:xx:xx:xx:32]  0.801ms <-- Correct MAC
Unicast reply from 192.168.0.112 [xx:xx:xx:xx:xx:32]  0.732ms <-- Correct MAC
^CSent 3 probes (3 broadcast(s))
Received 3 response(s)

EDIT....

Traced one of the offending MACs to a machine on the LAN, here is the IP config details...

C:\Windows\system32>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : pc5434
Primary Dns Suffix  . . . . . . . : mydomain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mydomain.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . : mydomain.local
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : xx:xx:xx:xx:BB:A9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : xxxx::11c:xxxx:30b:xxxx%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.78(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 11 October 2016 17:45:01
Lease Expires . . . . . . . . . . : 19 October 2016 17:44:57
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.20
DHCPv6 IAID . . . . . . . . . . . : 230497568
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1R-3D-65-58-xx:xx:xx:xx:BB:A9

DNS Servers . . . . . . . . . . . : 192.168.0.20
                                   192.168.0.40
NetBIOS over Tcpip. . . . . . . . : Enabled
riker
  • What switches do you have? – hertitu Oct 13 '16 at 10:50
  • @hertitu A range of Netgear smart switches, our main stack is GS724TS, we also have some GS724T – riker Oct 13 '16 at 10:59
  • I think other computers are infected by a virus which is doing an ARP spoofing attack. – SuB Oct 15 '16 at 21:10
  • @SuB I'll check the AV logs. Nothing in our management system. How can I check this on the machine if the AV is clear? – riker Oct 18 '16 at 10:12
  • @riker : AV can't detect new malware all the time. Some malware uses 0-day vulnerabilities which are not known to AV. First find out which computers reply to `arping -b 192.168.0.100`. Yes, you found out their MAC addresses, but this does not mean that they are sending fake ARP responses. Any computer in your VLAN can send this ARP response! Run `Wireshark` on every computer like `xx:xx:xx:xx:BB:A9` and check whether that computer is sending ARP responses to ARP requests for 192.168.0.100 – SuB Oct 19 '16 at 05:25
  • @Sub - for each of the 7 machines that I remove from the network (one by one), I get one less ARP response. All these machines are identical and are all Acer workstations. Strange that they are all the same models. I rebuilt one of them with a new install of Windows and it still shows up; when I turn it off, it doesn't respond. When I run Wireshark, they respond. – riker Oct 24 '16 at 11:04
  • @riker : Did you run Wireshark on the computers that respond to the ARP request? Please disable `promiscuous mode` in Wireshark. Maybe your Windows DVD is infected. – SuB Oct 28 '16 at 07:46
  • @Sub - Just got new workstations, straight out of the box onto the domain, and it shows up immediately when running `rh@deb-967:~$ arping -b 192.168.0.100`. It's responding for that IP address with its unique MAC. I rebuilt one of the new workstations with a fresh image (new DVD created directly from an MS MVLS image). This time I didn't join it to the domain; it shows up in the ARP reply also. The machines do reply when checking with Wireshark. The last 2 machines I've set out on desks have never been used before, they're brand new - How can this be? I'm missing something. Any ideas? – riker Nov 01 '16 at 10:03
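The check SuB and the asker are circling around is whether more than one host answers ARP for 192.168.0.100. The script below is an added example (not from the question or its comments) that does that check on two kinds of input: raw ARP reply frames of the sort tcpdump or Wireshark would capture, and lines of `arping -b` output like those above. The MAC addresses and frames are constructed samples; the capture and reply-building helpers are my own, not part of any tool mentioned on the page.

```python
"""Detect several hosts answering ARP for the same IPv4 address.

Added example. Inputs are either raw Ethernet II + ARP reply frames or the
text output of `arping -b`; both feed the same conflict check. All MACs and
frames below are constructed sample data, not values from the page.
"""
import re
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet II + ARP reply frame (used only to make sample input)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac, ethernet_src_mac) for an ARP reply, else None.

    The Ethernet source MAC is returned alongside the ARP sender MAC because a
    mismatch between the two is itself worth flagging.
    """
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ip_str(spa), mac_str(sha), mac_str(frame[6:12])


# Matches "Unicast reply from 192.168.0.100 [xx:xx:xx:xx:BB:A9]  0.582ms".
# The character class is loose enough to accept the redacted MACs shown above.
ARPING_RE = re.compile(r"Unicast reply from (\S+) \[([0-9A-Za-z:]+)\]")


def parse_arping_output(text):
    """Yield (ip, mac) pairs from `arping -b` output."""
    for m in ARPING_RE.finditer(text):
        yield m.group(1), m.group(2).lower()


def find_conflicts(pairs):
    """Map each IP to the MACs that answered for it; keep only IPs with more than one."""
    claims = defaultdict(set)
    for ip, mac in pairs:
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def conflicts_from_frames(frames):
    parsed = [p for p in (parse_arp_reply(f) for f in frames) if p]
    return find_conflicts((ip, mac) for ip, mac, _ in parsed)


def conflicts_from_arping(text):
    return find_conflicts(parse_arping_output(text))


# Constructed sample data: two hosts answer for .100, one host answers for .112.
SAMPLE_FRAMES = [
    build_arp_reply("02:00:00:00:cf:02", "192.168.0.100", "02:00:00:00:00:16", "192.168.0.16"),
    build_arp_reply("02:00:00:00:bb:a9", "192.168.0.100", "02:00:00:00:00:16", "192.168.0.16"),
    build_arp_reply("02:00:00:00:00:32", "192.168.0.112", "02:00:00:00:00:16", "192.168.0.16"),
]
SAMPLE_ARPING = """ARPING 192.168.0.100 from 192.168.0.16 eth0
Unicast reply from 192.168.0.100 [02:00:00:00:CF:02]  0.643ms
Unicast reply from 192.168.0.100 [02:00:00:00:E6:49]  0.652ms
"""

if __name__ == "__main__":
    for ip, macs in conflicts_from_frames(SAMPLE_FRAMES).items():
        print(f"{ip} answered by {len(macs)} MACs (frames): {', '.join(macs)}")
    for ip, macs in conflicts_from_arping(SAMPLE_ARPING).items():
        print(f"{ip} answered by {len(macs)} MACs (arping): {', '.join(macs)}")
```

To use it on a real capture, feed `parse_arp_reply` the frame bytes from a pcap reader of your choice; anything that is not an ARP reply returns `None` and is ignored. Run it on a host with promiscuous mode off, as SuB suggests, so that a reply seen on that host is one that host itself sent or received.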

1 Answer


I've never done this on Netgear but according to the GS700TS Smart Switch Software Administration Manual in the web interface you need to go to Switching > Address table > Basic > Address table. Select "search by mac address". Enter one of the "offending" mac addresses (e.g. xx:xx:xx:xx:BB:A9) and click Go.

This will tell you on which switchport this MAC address was learnt so then you can check which device is connected there, and check that device's IP settings.

Note that the port shown can also be a port connecting to another switch, in which case you need to repeat the above steps on that switch.

hertitu
  • ipconfig looks OK to me. The other 7 machines are also workstations, interestingly all in the same area connected to the same switch. I cleared the arp table as per your previous post, no change. – riker Oct 13 '16 at 13:17
  • So the machines do not have that ip address in their ipconfig? Then I would run tcpdump (or wireshark or tshark or whatever) on one, while you run arping again on your machine, and see if it is really that host that is responding. – hertitu Oct 13 '16 at 16:13
  • Another test you could do is to shut down one of these workstations, repeat the arping, and if you still get a response from that MAC it means some other device is spoofing it, and you should be able to see in the MAC address table on the switches where the spoofer is located. – hertitu Oct 14 '16 at 06:01
  • thanks, no, they have a unique IP address. When I switch off one or several of the machines the broadcast has less responses. Surely this means those machines are responding? I don't understand why that is. – riker Oct 18 '16 at 09:26
  • Well I'm happy I was able to help with the first part, but now that we're moving into systems territory I'm getting out of my comfort zone so I hope there are others here that can shed more light on it. Only thing I can think of right now is check logs (/var/log/messages ?) for anything at the time of the arping. – hertitu Oct 18 '16 at 12:40
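The answer's lookup (which switch port a MAC was learnt on) can also be done from the command line when the switch exposes the standard BRIDGE-MIB forwarding table over SNMP. The script below is an added example, not code from the answer or from Netgear; it assumes the switch answers `snmpwalk` for `dot1dTpFdbPort`, `dot1dBasePortIfIndex` and `ifName` (whether your GS724TS does is for you to verify), and it parses constructed sample `snmpwalk -On` output rather than contacting a switch. It also counts MACs per port, since a port with many learnt MACs is usually the uplink the answer warns about.

```python
"""Locate a MAC address in a switch's forwarding table via BRIDGE-MIB.

Added example. Parses the text output of
    snmpwalk -v2c -c <community> -On <switch> 1.3.6.1.2.1.17.4.3.1.2
(and the companion walks below) and maps a MAC to a bridge port, ifIndex and
port name. The sample output is constructed; the OIDs are standard MIB objects.
"""
import re
from collections import Counter

FDB_PORT_OID = "1.3.6.1.2.1.17.4.3.1.2"           # BRIDGE-MIB dot1dTpFdbPort, indexed by MAC octets
BASE_PORT_IFINDEX_OID = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB dot1dBasePortIfIndex
IFNAME_OID = "1.3.6.1.2.1.31.1.1.1.1"             # IF-MIB ifName

# One snmpwalk -On line: ".1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.187.169 = INTEGER: 14"
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[A-Za-z0-9-]+): (?P<val>.*)$")


def parse_snmpwalk(text):
    """Return {oid: (type, value)} for every well-formed line."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m["oid"].lstrip(".")] = (m["type"], m["val"].strip().strip('"'))
    return entries


def fdb_table(entries):
    """Map 'aa:bb:cc:dd:ee:ff' -> bridge port from the dot1dTpFdbPort rows."""
    table = {}
    prefix = FDB_PORT_OID + "."
    for oid, (_, val) in entries.items():
        if oid.startswith(prefix):
            octets = oid[len(prefix):].split(".")
            if len(octets) == 6:  # the row index is the six MAC octets in decimal
                table[":".join(f"{int(o):02x}" for o in octets)] = int(val)
    return table


def locate_mac(mac, entries):
    """Resolve a MAC to {bridge_port, ifindex, ifname}, or None if not learnt."""
    bport = fdb_table(entries).get(mac.lower())
    if bport is None:
        return None
    ifindex = int(entries.get(f"{BASE_PORT_IFINDEX_OID}.{bport}", ("", str(bport)))[1])
    ifname = entries.get(f"{IFNAME_OID}.{ifindex}", ("", f"ifIndex {ifindex}"))[1]
    return {"bridge_port": bport, "ifindex": ifindex, "ifname": ifname}


def macs_per_port(entries):
    """Count learnt MACs per bridge port; large counts usually mean an uplink to another switch."""
    return Counter(fdb_table(entries).values())


# Constructed sample walk: one MAC on port 14, three MACs behind port 24 (an uplink).
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.187.169 = INTEGER: 14
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.207.2 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.230.73 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.2.0.0.0.0.50 = INTEGER: 24
.1.3.6.1.2.1.17.1.4.1.2.14 = INTEGER: 14
.1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 24
.1.3.6.1.2.1.31.1.1.1.1.14 = STRING: g14
.1.3.6.1.2.1.31.1.1.1.1.24 = STRING: g24
"""

if __name__ == "__main__":
    entries = parse_snmpwalk(SAMPLE_WALK)
    print(locate_mac("02:00:00:00:BB:A9", entries))
    for port, n in macs_per_port(entries).most_common():
        print(f"bridge port {port}: {n} MAC(s) learnt")
```

Repeat the walk on the next switch when the located port turns out to be an uplink, exactly as the answer describes for the web interface.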