So I've been playing around with nmap, and found a curious problem: two devices in the same subnet have the same MAC address. I would like to track down the second MAC, as the first one is the SonicWall, which has some unsettling implications.
If I'm correct, either I have a NIC which was issued with an illegitimate MAC address, or someone is spoofing my SonicWall's MAC, thus receiving at least all the broadcast packets.
I'm hoping someone can give me some clues on how to track down the other MAC address. I have access to a Linux box as well as access to the SonicWall and the patch panel. If it comes down to unplugging every device one by one I can, but other solutions would be appreciated.
Thank you, Sidney
It is presumed you know at least one IP of one of the MAC address users; ideally you need to know both. Are you sure you are not confused in seeing the same MAC in use for two different IPs when in fact this is the same physical device and Ethernet port with multiple IPs set up on that one device (this is normal and often called multihomed)?
Usually people know what every device is on every IP, so if you know one of the IPs, find a way to check both IPs are on the network (from your computer), then unplug the known device and see if both IPs disappear. This also indicates multihomed IP use on that device.
It should also be said that if two devices are ordinarily configured and have the same MAC, neither device will operate correctly. This might also help you track them down: two independent devices not functioning correctly.
They will not operate correctly because the other stations on the network that talk to them, like the data coming in via the router, will flicker between the two devices, based on who used/announced ARP last (the switches in between may also adjust their switching patterns in sympathy with which device used/announced ARP last). When ARP requests go out both will reply, and usually the slowest station back to the listener wins, since they announced ARP last (most recently).
Sometimes this scenario can be so predictable that one device has control for 99% of the time but every so often you get a few minutes of outage (in sympathy with the de facto 3-minute ARP timeout many stations use before re-validation occurs).
The distance (as in number of interlinking switches and speed of Ethernet links) affects which ARP announcement may be seen last by each station on the network. Each station's view may be different due to this, as the observable ARP reply packets (as seen from their point of view) are ordered differently.
Now if you have some nefarious / covert device that is another matter, since its goal would be to allow the real owner of the MAC to operate as much as possible without being detected.
...
There is a Linux tool, `arping`, that allows you to find out the MAC address from knowing the IP, without the system needing to respond to ICMP PING (which often does not work for devices). Alternatively, you can use ordinary `arp -a` to check the MAC is not listed, then `ping 1.2.3.4` (which may not reply) and then `arp -a` like commands to manually see if a device has appeared with the IP. This shows the device is on the network responding to ARP requests even when it is not responding to ICMP PING requests. This is a poor man's `arping`.
...
Use your enterprise switches to look up the MAC address and the port it is connected on, and follow it back until you hit an access port. Shut down that port (or unplug the device yourself).
This involves connecting to the console (or Web UI) of the enterprise switch, looking at the "MAC Address Table" and looking at the port ID. Then work out what the next device along the chain is on that port ID. Eventually you will get to an access port (instead of another switch).
So having located one MAC address user, once it is unplugged, re-validate the other user of the MAC. See if it is still on the network or has also disappeared (indicating it may be the same physical device).
Now continue to `arping` for the other device and follow the same procedure until you track the MAC back to the port of the other user. If you do not have enterprise switches then this process becomes tedious, as you need to physically unplug switch interconnections to split the network in half, check one side, then the other, to narrow down the switches and stations involved.
...
Some switches in security mode will ARP reply to lock out an unauthorized device on the network. But usually the switch MAC address is used, whereas you claim you have two devices with the same MAC.
Devices that might fake a MAC include MAC cloning equipment, but this is unusual; it has been used for DSL and other Internet connectivity products because some ISPs authenticate users via the MAC address seen on DHCP.
Other sorts of equipment that mess with MACs are load balancers and high availability systems; usually two devices with a physical port each might move a MAC between them to load balance traffic. This allows the system sending traffic to them to not care which device is receiving the traffic.
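A small helper for the `arp -a` step in the answer above, added here as an example and not part of the original answer: it groups an ARP table by MAC so that a MAC bound to two IPs stands out, and separately lists MACs with the locally administered bit set (an address set in software, as by MAC cloning, rather than burned in by a NIC vendor). The table in `SAMPLE_ARP` is constructed sample output in Linux `arp -a` format; the host names and addresses are made up.

```shell
#!/bin/sh
# Constructed sample of Linux `arp -a` output (made-up hosts and addresses).
# On a real box you would use: SAMPLE_ARP="$(arp -a)"
SAMPLE_ARP='gateway (192.168.1.1) at 00:17:c5:aa:bb:cc [ether] on eth0
unknown (192.168.1.50) at 00:17:C5:AA:BB:CC [ether] on eth0
printer (192.168.1.20) at 00:1e:8f:11:22:33 [ether] on eth0
? (192.168.1.77) at 02:42:ac:11:00:02 [ether] on eth0'

# dup_macs TABLE: print "mac ip1 ip2 ..." for every MAC bound to more than
# one IP. This is either a multihomed host or two devices sharing a MAC; the
# unplug-and-recheck step from the answer is what tells the two cases apart.
dup_macs() {
  printf '%s\n' "$1" | awk '
    NF >= 4 {
      ip = $2; gsub(/[()]/, "", ip)   # strip the parentheses around the IP
      mac = tolower($4)               # normalise case so AA:BB == aa:bb
      ips[mac] = ips[mac] " " ip
      count[mac]++
    }
    END { for (m in count) if (count[m] > 1) print m ips[m] }' | sort
}

# is_locally_administered MAC: succeed if bit 1 of the first octet is set,
# i.e. the second hex digit is 2, 6, a or e. Vendors never assign such
# addresses, so they point at a MAC that was set in software.
is_locally_administered() {
  case "$(printf '%s' "$1" | cut -c2 | tr 'A-F' 'a-f')" in
    2|6|a|e) return 0 ;;
    *)       return 1 ;;
  esac
}

# la_macs TABLE: print each distinct locally administered MAC in the table.
la_macs() {
  printf '%s\n' "$1" | awk 'NF >= 4 { print tolower($4) }' | sort -u | while read -r mac; do
    if is_locally_administered "$mac"; then echo "$mac"; fi
  done
}

echo "MACs bound to more than one IP:"; dup_macs "$SAMPLE_ARP"
echo "Locally administered MACs:";      la_macs "$SAMPLE_ARP"
```

The IPs listed for a duplicated MAC are the ones to `arping` and trace through the switch MAC address tables as described above.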