yikes! MAC address of default gateway changed ??
James Smallacombe
up at 3.am
Thu Feb 11 14:28:58 UTC 2010
Hi: Please reply-all ; I am not subscribed
On Thu, 11 Feb 2010, Vince Hoffman wrote:
>
>> On 11/02/2010 11:00, James Smallacombe wrote:
>>> Sorry for replying to myself (AND top-posting!) twice in a row, but this
>>> is become a huge concern. My first thought is that my provider changed
>>> routers or router Ethernet ports, hence the MAC address change. They
>>> deny this, plus I find the two MAC addresses:
>>>
>>> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0
>
> On 11/02/2010 11:00, James Smallacombe wrote:
>>
>> Sorry for replying to myself (AND top-posting!) twice in a row, but
>> this is become a huge concern. My first thought is that my provider
>> changed routers or router Ethernet ports, hence the MAC address
>> change. They deny this, plus I find the two MAC addresses:
>>
>> 00:17:e0:4f:b9:c0 to 00:13:e0:4f:b9:c0
>>
> However in your case, while 00:17:E0 is reasonable (a cisco mac address)
> 00:13:E0 is a little worrying as apparently its a Murata
> Manufacturing(whoever they are) mac address (see
> http://www.coffer.com/mac_find/?string=00%3A13%3Ae0%3A4f%3Ab9%3Ac0)
Well, that rules out anything by the provider.
> you can check if its a static entry in your arp tables using
> arp -a | grep permanent
> The only permanent entries should be your local IPs (whatever you have
> configured on your interfaces) unless you have any others you have put
> in yourself.
> so for my server i have
> root at seaurchin ~]# arp -a | grep permanent
> seaurchin.the.namesco.net (85.233.xxx.xxx) at 00:11:43:d8:2c:df on em0
> permanent [ethernet]
> ? (10.20.0.3) at 00:11:43:d8:2c:df on em0 permanent [ethernet]
Obviously the ARP entry is long gone now and I don't recall if it was
permanent or not. It just leaves a couple of questions:
If it was caused by a malicious arp command on my server, wouldn't a
reboot have gotten rid of it? Would it also result in a "NO CARRIER" on
the interface? Network did not come back until the Ethernet card was
swapped.
The bottom line is whether it is possible for a NIC failure to cause the
kernel to register an ARP change.
Thanks again to everyone...
James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am
=========================================================================
More information about the freebsd-questions
mailing list