yikes! MAC address of default gateway changed ??

James Smallacombe up at 3.am
Thu Feb 11 14:28:58 UTC 2010 

Hi: Please reply-all ; I am not subscribed

On Thu, 11 Feb 2010, Vince Hoffman wrote:
>
>> On 11/02/2010 11:00, James Smallacombe wrote:
>>> Sorry for replying to myself (AND top-posting!) twice in a row, but this
>>> is become a huge concern.  My first thought is that my provider changed
>>> routers or router Ethernet ports, hence the MAC address change.  They
>>> deny this, plus I find the two MAC addresses:
>>> 
>>> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0
>
> On 11/02/2010 11:00, James Smallacombe wrote:
>> 
>> Sorry for replying to myself (AND top-posting!) twice in a row, but
>> this is become a huge concern.  My first thought is that my provider
>> changed routers or router Ethernet ports, hence the MAC address
>> change.  They deny this, plus I find the two MAC addresses:
>> 
>> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0
>> 
> However in your case, while 00:17:E0 is reasonable (a cisco mac address)
> 00:13:E0 is a little worrying as apparently its a Murata
> Manufacturing(whoever they are) mac address (see
> http://www.coffer.com/mac_find/?string=00%3A13%3Ae0%3A4f%3Ab9%3Ac0)

Well, that rules out anything by the provider.

> you can check if its a static entry in your arp tables using
> arp -a | grep permanent
> The only permanent entries should be your local IPs (whatever you have
> configured on your interfaces) unless you have any others you have put
> in yourself.
> so for my server i have
> root at seaurchin ~]# arp -a | grep permanent
> seaurchin.the.namesco.net (85.233.xxx.xxx) at 00:11:43:d8:2c:df on em0
> permanent [ethernet]
> ? (10.20.0.3) at 00:11:43:d8:2c:df on em0 permanent [ethernet]

Obviously the ARP entry is long gone now and I don't recall if it was 
permanent or not.  It just leaves a couple of questions:

If it was caused by a malicious arp command on my server, wouldn't a 
reboot have gotten rid of it?  Would it also result in a "NO CARRIER" on 
the interface?  Network did not come back until the Ethernet card was 
swapped.

The bottom line is whether it is possible for a NIC failure to cause the 
kernel to register an ARP change.

Thanks again to everyone...

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================

More information about the freebsd-questions mailing list