nyphonejacks

confused about host on my network

5 posts in this topic

I just installed Tomato yesterday, replacing ddwrt... it is a fuck ton better.. my 5GHz radio works again, and speed tests from wifi with ddwrt were half what I am now getting with Tomato on the 2.4GHz radio (my laptop apparently cannot pick up the 5GHz signal.)

 

I was going through the clients in the router and I found an unidentified client...

I was able to ping this IP

I ran a port scan, all ports closed

I ran Fing.. it did not find this IP on my LAN.

I disconnected all of my wired clients... still able to ping

I connected my laptop with a patch cord and shut down wifi... still able to ping... 

 

mother fucker turns out it was showing me the IP and MAC for my laptop. 

I looked up the MAC before going through all of this and it showed Inventec Corp, never fucking heard of them so I thought it was some cheap ass knock off tablet or something, not my cheap ass Toshiba laptop..

 

I understand the need to have different IP addresses for wired and wireless NICs on my PC... 

I understand that the "connected devices" table in my router is actually an IP reservation table that may show "connected devices" until the lease expires... 

 

but why the fuck was I constantly able to ping the LAN IP address of my laptop, even when it was not connected... 

it even continued to return pings while I did an ipconfig/release in a different command prompt window... 

 

(originally I was starting to write a post asking for help identifying this device, I happened to figure out that it was the LAN IP of my laptop just as I started writing the topic title, but since it confused the shit out of me I figured might as well finish the post, and maybe someone can enlighten me as to why my computer was able to remember its wired LAN IP address (set to DHCP) when it was not connected to anything.... even when I had wifi off and before I connected the LAN cable - and did an ipconfig/release...... )


I guess an uneducated guess would be to try promiscuous or monitor mode on another device and packet filter, while you try one of these pings? The guess is that for whatever reason it might be internal like loopback (for whatever reason). No idea why it would be.. but it is the only explanation I could think of that would allow it to ping a device not on the network/nonexistent device.


Check your ARP cache to make sure it matches the MAC/IP address combo you are pinging?

 

You had the same laptop plugged in with just a different interface? It's totally possible for the kernel to do that, knowing "I have two IP addresses, I will reply since that's my other interface". (maybe not RFC compliant - unsure).

 

It's either the operating system replying to its other IP address, another host responding on behalf of your laptop (again, check ARP cache; does it have a multicast address? What is your subnet's broadcast address?), or the AP responding for a client.

 

Just a little tinkering will help you deduce which it is. 

Edited by tekio

seems to be something within the computer itself, since it appears to continue to reply to pings when nothing else is connected.. seems like strange behavior... 

 

I originally thought there was some rogue device on my network since I kept the same SSID and WPA2 password I thought maybe someone figured out that my wifi password is just two curse words that could actually make sense as a sentence lol...

 

Guess it is cached somewhere within the computer itself as "remembering" its other IP.. just seemed strange to me once I identified what it was... now I guess it's on to how, or why...


Is it just loading that entry in the ARP cache? 

arp -a

should show the ARP table. I've been having some weird problems with ARP as well. My SSH sessions keep pausing when the ARP entries get flushed from Windows. And apparently my Linux server doesn't like responding to any packets unless it first answers an ARP request.

 

I can see where this is "secure" but this should be secured at other layers to keep ARP broadcasts down. Guess I'll play with the Windows registry to keep dynamic ARP entries longer. Not really ideal on a host that constantly connects SSH sessions on a large network.

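The ARP-cache comparison suggested in the replies, combined with a check against the machine's own adapters (a disconnected adapter still lists its Physical Address in `ipconfig /all`), written here as an added example that is not part of the thread. The sample `ipconfig /all` and `arp -a` text is constructed, and the function names are hypothetical.

```python
import re

# Constructed samples of Windows `ipconfig /all` and `arp -a` output
# (locally administered MACs; not values from the thread).
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 02-00-00-AA-BB-01

Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 02-00-00-AA-BB-02
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
"""
ARP_SAMPLE = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-cc-dd-01     dynamic
"""

def norm_mac(mac):
    """Reduce 02-00-00-AA-BB-01 or 02:00:00:aa:bb:01 to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def local_adapters(ipconfig_text):
    """Map adapter name -> {'mac', 'ips'}, including disconnected adapters."""
    adapters, current = {}, None
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {"mac": None, "ips": []})
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            key = key.replace(".", "").strip()
            if key == "Physical Address":
                current["mac"] = norm_mac(value)
            elif key == "IPv4 Address":
                current["ips"].append(value.strip().split("(")[0])
    return adapters

def arp_cache(arp_text):
    """Map IP -> MAC for every row of `arp -a`."""
    rows = re.findall(r"^\s+(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s",
                      arp_text, re.M | re.I)
    return {ip: norm_mac(mac) for ip, mac in rows}

def explain_client(ip, mac, ipconfig_text, arp_text):
    """Classify a router client-table entry from this host's point of view."""
    for name, adapter in local_adapters(ipconfig_text).items():
        if adapter["mac"] == norm_mac(mac) or ip in adapter["ips"]:
            return f"own adapter: {name}"
    cached = arp_cache(arp_text).get(ip)
    if cached is None:
        return "no ARP entry"
    return "ARP matches" if cached == norm_mac(mac) else f"ARP mismatch: {cached}"
```
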
