Computer networks
Vladimir pervokvaker, 2012-03-02 21:02:32

On one of the computers in a small local network, the MAC address in the ARP table changes spontaneously?

The enterprise has a network of about 50 machines, 100BASE-TX. There is no DHCP; all addresses are static, of the form 192.168.1.xxx (mask 255.255.255.0). All machines run Windows XP and go to the Internet through a proxy server (192.168.1.1). The problem appeared suddenly on one of the machines (192.168.1.76). Several times a day it loses connection with the server (no ping, no packets, etc.). It helped to "fix" the network connection. We found that at the moment when the connection is lost, the MAC address of this machine becomes the same as that of the server. Accordingly, if you issue the command to clear the ARP cache (arp -d), the connection is immediately restored. At the same time, ipconfig /all shows the correct MAC. A virus scan found nothing. Replacing the network card did not help. Setting the MAC address to static did not help. The arpwatch program (found in the article en.wikipedia.org/wiki/ARP-spoofing) writes something like “mac address has been changed” (sorry, I don’t remember the exact wording, I’m writing from home).
What could be the reason for such miracles?


6 answer(s)
Denis, 2012-03-02
@uscr

Sniff the traffic so that you have a packet log from the moment the MAC address changes. Well... and then it’s clear what to do.

lashtal, 2012-03-02
@lashtal

I have repeatedly come across this virus on local networks - http://en.wikipedia.org/wiki/ARP_spoofing
It injected a malicious script into the pages of sites for other users.

Puma Thailand, 2012-03-02
@opium

Antivirus will save you.

Alexey Sundukov, 2012-03-03
@alekciy

The reason is definitely within your network. And here there are two options: either someone is intentionally breaking ARP, or there is simply a virus on one of the machines. For the network admin, it still comes down to one option: one of the 50 machines is trying to spoof. If it is not known exactly which one, then write a network diagram and then analyze it in the same Wireshark; if the machine is known for sure and the antivirus tools are silent, then it is better to reinstall.
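
What the capture analysis suggested in the answers above looks for, as an added example that is not part of the original thread: it parses raw ARP frames and reports every time an IP address is claimed by a different MAC, which is the kind of change arpwatch logs. The IPs are the ones from the question; the MAC addresses, function names and the four sample frames are constructed for illustration.

```python
import socket
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(frame[6:12]), mac(frame[22:28]), socket.inet_ntoa(frame[28:32])

def find_mac_changes(frames):
    """List (frame_no, ip, old_mac, new_mac, eth_src) whenever an IP is claimed by a new MAC."""
    seen, events = {}, []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sender_mac, ip = parsed
        if ip == "0.0.0.0":          # ARP probe: sender claims no address
            continue
        old = seen.get(ip)
        if old is not None and old != sender_mac:
            # eth_src is the address the switch learned on a port, useful for locating the host
            events.append((n, ip, old, sender_mac, eth_src))
        seen[ip] = sender_mac
    return events

def build_arp(sender_mac, sender_ip, target_ip, oper=2):
    """Construct a broadcast ARP frame as bytes (test input only, nothing is sent)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return (b"\xff" * 6 + sha + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip))

# Constructed capture: IPs are from the question, all MAC addresses are made up.
SERVER, PC76, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:4c", "02:00:00:00:00:63"
SAMPLE = [
    build_arp(SERVER, "192.168.1.1", "192.168.1.76"),
    build_arp(PC76, "192.168.1.76", "192.168.1.1"),
    build_arp(OTHER, "192.168.1.1", "192.168.1.76"),   # a second MAC claims the server's IP
    build_arp(SERVER, "192.168.1.1", "192.168.1.76"),  # the real server answers again
]

if __name__ == "__main__":
    for event in find_mac_changes(SAMPLE):
        print("frame %d: %s moved %s -> %s (eth src %s)" % event)
```

Fed with the frames from a real capture, the reported MAC can be looked up in the switch's MAC address table to find the port the claiming host is attached to.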

Vladimir pervokvaker, 2012-03-03
@Keroro

Sure, I'll dig...

Vladimir pervokvaker, 2012-03-15
@Keroro

In short, it all ended like this. No viruses were found; the computer on which the MAC was changing was switched to another switch, and the problem went away. It has been running normally for 2 weeks. What it was, I don't understand.
