02-16-2008, 08:10 AM
Joachim Schipper
Re: dhclient getting address that (it seems) belongs to another NIC, all packets dropped

dbpatterson <dbpatt@gmail.com> wrote:
> I have an IBM X40 with an Intel NIC, shows up as:
> em0 at pci1 dev 1 function 0 "Intel PRO/1000MT Mobile (82541GI)" rev
> 0x00: irq 11, address 00:0a:e4:2b:0e:63
>
> I'm in a little NAT'd subnet, controlled by dhcp. So I dhclient em0 to
> set it up. This gets an IP address, perfectly fine, and sets up the
> gateway, dns, etc... and I can ping the gateway, and also, the DNS
> resolution is working, as a ping to an external address shows an IP
> it's trying to hit, but no packets ever come back. tcpdump shows only
> outgoing, never anything coming back.
>
> dmesg shows:
> duplicate IP address 10.1.10.199 sent from ethernet address
> 00:02:a5:26:fc:b3
>
> which makes me think that this IP address seems to have been also
> assigned to another computer/device
>
> Now I'm really wondering, why is this happening? booting up in a linux
> livecd gets the same IP, but it works perfectly fine.
>
> is there something I'm doing wrong? This is extremely frustrating
> (having to cart around a big pccard NIC kind of takes away from the
> subnotebook effect)....


You should be looking up what lives on 10.1.10.199, 00:02:a5:26:fc:b3.
If there's actually something there, OpenBSD is right, the DHCP server
is configured wrong [1], and Linux just happened to work for the time
you tried.

For what it's worth, 00:02:a5:26:fc:b3 is assigned to Compaq, and it is
not entirely unlikely that you'll find a Compaq-made card in a
Compaq-made computer.

net/arping can verify that the MAC address is in use; net/nmap might
give a clue about what services and possibly which OS are running on
this machine. Try getting a non-duplicate IP and then running, as root,
nmap -T4 -A 10.1.10.199 [2]. This should give a result like

# nmap -T4 -A 192.168.14.2

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-20 11:31 CEST
Interesting ports on melpomene.jschipper.dynalias.net (192.168.14.2):
Not shown: 1694 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.6 (protocol 2.0)
25/tcp   open  smtp
6000/tcp open  X11     (access denied)
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=4.20%I=7%D=8/20%Time=46C95FBF%P=i386-unknown-openbsd4.1%r(
SF:NULL,5C,"220\x20melpomene\.jschipper\.dynalias\.net\x20ESMTP\x20server\
SF:.\x20Welcome!\x20Abuse\x20will\x20get\x20you\x20in\x20trouble\.\r\n")%r
SF:(Help,85,"220\x20melpomene\.jschipper\.dynalias\.net\x20ESMTP\x20server
SF:\.\x20Welcome!\x20Abuse\x20will\x20get\x20you\x20in\x20trouble\.\r\n502
SF:\x205\.5\.2\x20Error:\x20command\x20not\x20recognized\r\n");
Device type: general purpose
Running (JUST GUESSING) : OpenBSD 3.X|4.X (96%)
Aggressive OS guesses: OpenBSD 3.9 - 4.0 (96%), OpenBSD 4.0 (x86) (92%),
OpenBSD 4.0 (CURRENT) macppc (89%), OpenBSD 4.0 (sparc64) (89%), OpenBSD
3.4 (x86) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 0 hops
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results
at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 78.050 seconds

which can tell you quite a bit. In this case, we even find the hostname
as reverse DNS works ('Interesting ports on
melpomene.jschipper.dynalias.net (192.168.14.2)'); however, as this
might not be the case, do note that there are other ways of discovering
the hostname.
Many services will (might) give out the hostname when you connect; if
SSH works and you can log in, that's probably easiest, but you can get
hostnames from protocols like FTP, SMTP, and sometimes HTTP as well (try
looking for http://10.1.10.199/any-nonexistent-page). In this case, my
custom mail server header confused nmap, but the hostname is easily
found - the 'unrecognized fingerprint' reads
"melpomene.jschipper.dynalias.net ESMTP server. Welcome! Abuse will get
you in trouble.".

OS detection is imperfect - this machine runs -current, aka OpenBSD
4.2-beta - but it did get the 'OpenBSD' part right.

Of course, it *is* possible that there is some horrible OpenBSD bug that
makes OpenBSD believe that the address is in use when it's not. But that
is not the most likely scenario...

Joachim

[1] Or the people setting up the DHCP server don't know about
10.1.10.199, which some guy might have set up with a static IP for some
reason.
[2] This almost certainly won't crash the host, your network, or kill
kittens, but you do get to keep the pieces. System administrators tend
to be nervous when seeing nmap, as quickly taking stock of a network is
something that crackers like to do, too. If you don't want to or cannot
use nmap, 'nc 10.1.10.199 <port>', from another IP, is a bit less
convenient but gives the same result.
Also, -T4 specifies that nmap should scan pretty quickly. If you want to
ease network load, use a lower number.
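
Added example, not part of the original post: a small Python parser that decodes the "unrecognized service" fingerprint from the scan output above and pulls the hostname out of the SMTP greeting, which is how the name of the machine holding a conflicting address can be read off such a scan. The function names are made up for this example, and the escape handling covers only the forms that appear in this fingerprint.

```python
import re

# Fingerprint copied from the scan above (line-wrap damage repaired).
FINGERPRINT = r'''
SF-Port25-TCP:V=4.20%I=7%D=8/20%Time=46C95FBF%P=i386-unknown-openbsd4.1%r(
SF:NULL,5C,"220\x20melpomene\.jschipper\.dynalias\.net\x20ESMTP\x20server\
SF:.\x20Welcome!\x20Abuse\x20will\x20get\x20you\x20in\x20trouble\.\r\n")%r
SF:(Help,85,"220\x20melpomene\.jschipper\.dynalias\.net\x20ESMTP\x20server
SF:\.\x20Welcome!\x20Abuse\x20will\x20get\x20you\x20in\x20trouble\.\r\n502
SF:\x205\.5\.2\x20Error:\x20command\x20not\x20recognized\r\n");
'''

_SIMPLE = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}


def unescape(data):
    """Undo the backslash escapes seen here: \\xNN, \\r, \\n and \\<char>."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return _SIMPLE.get(m.group(2), m.group(2))
    return re.sub(r"\\(?:x([0-9A-Fa-f]{2})|(.))", repl, data)


def parse_fingerprint(text):
    """Return (port, proto, {probe: (declared_len, decoded_response)})."""
    # Each wrapped line carries an "SF-" or "SF:" prefix; drop it and rejoin.
    joined = "".join(l.strip()[3:] for l in text.splitlines() if l.strip())
    head = re.match(r"Port(\d+)-(\w+):", joined)
    if not head:
        raise ValueError("not an nmap service fingerprint")
    probe_re = r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)'
    probes = {name: (int(hexlen, 16), unescape(raw))
              for name, hexlen, raw in re.findall(probe_re, joined)}
    return int(head.group(1)), head.group(2), probes


def smtp_hostname(banner):
    """Hostname announced in an SMTP 220 greeting, or None."""
    m = re.match(r"220[ -](\S+)", banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    port, proto, probes = parse_fingerprint(FINGERPRINT)
    for name, (declared, resp) in probes.items():
        status = "ok" if declared == len(resp) else "length mismatch"
        print(f"{port}/{proto} {name}: {declared} bytes ({status})")
    print("hostname:", smtp_hostname(probes["NULL"][1]))
```

The hex number after each probe name is the response length, so comparing it with the decoded length is a quick check that the fingerprint was copied intact.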