Answer the question
In order to leave comments, you need to log in
On one of the computers in a small local area, does the mac-address in the arp-table change spontaneously?
The enterprise has a network, about 50 machines, 100BASE-TX. There is no DHCP, all addresses are static, like 192.168.1.xxx (mask 255.255.255.0). On all Windows XP machines, go to the Internet through a proxy server (192.168.1.1). The problem appeared suddenly on one of the machines (192.168.1.76). Several times a day it loses connection with the server (no ping, no packets, etc.). It helped to "fix" the network connection. We found that at the moment when the connection is lost, the mac-address of this machine becomes the same as that of the server. Accordingly, if you issue the command to clear the arp cache (arp -d), the connection is immediately restored. At the same time, ipconfig / all shows the correct mac. Virus scan found nothing. Replacing the network card did not help. Setting the mac address to static did not help. arpwatch program(found in the article en.wikipedia.org/wiki/ARP-spoofing ) writes something like “mac address has been changed” (sorry, I don’t remember the exact wording, I’m writing from home).
What could be the reason for such miracles?
Answer the question
In order to leave comments, you need to log in
Sniff the traffic so that you have a packet log at the time of changing the MAC address. Well ... and then it’s clear what to do.
This vir came across repeatedly in locals - http://en.wikipedia.org/wiki/ARP_spoofing
Injected a malicious script onto the pages of sites from other users.
The reason is definitely within your network. And here are two options. Either someone intentionally breaks arp, or the virus is just on one of the machines. For the network admin, it still comes down to one option, one in 50 cars is trying to spoof. If it is not known exactly which of them, then write a network diagram and then analyze it in the same wireshark, if the machine is known for sure and the antivirals are silent, then it is better to reinstall.
In short, it all ended like this. They didn't find any viruses, they switched the computer on which the mac was changed to another switch, and the problem went away. 2 weeks flight is normal. What it was, I don't understand.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question