I have an IBM X40 with an Intel NIC, shows up as:
em0 at pci1 dev 1 function 0 "Intel PRO/1000MT Mobile (82541GI)" rev 0x00: irq 11, address 00:0a:e4:2b:0e:63

I'm in a little NAT'd subnet, controlled by dhcp. So I dhclient em0 to set it up. This gets an IP address, perfectly fine, and sets up the gateway, dns, etc... and I can ping the gateway, and also, the DNS resolution is working, as a ping to an external address shows an IP it's trying to hit, but no packets ever come back. tcpdump shows only outgoing, never anything coming back.

dmesg shows:
duplicate IP address 10.1.10.199 sent from ethernet address 00:02:a5:26:fc:b3

which makes me think that this IP address seems to have been also assigned to another computer/device

Now I'm really wondering, why is this happening? booting up in a linux livecd gets the same IP, but it works perfectly fine.

is there something I'm doing wrong? This is extremely frustrating (having to cart around a big pccard NIC kind of takes away from the subnotebook effect)....
dbpatterson <dbpatt@gmail.com> wrote:
> I have an IBM X40 with an Intel NIC, shows up as:
> em0 at pci1 dev 1 function 0 "Intel PRO/1000MT Mobile (82541GI)" rev
> 0x00: irq 11, address 00:0a:e4:2b:0e:63
>
> I'm in a little NAT'd subnet, controlled by dhcp. So I dhclient em0 to
> set it up. This gets an IP address, perfectly fine, and sets up the
> gateway, dns, etc... and I can ping the gateway, and also, the DNS
> resolution is working, as a ping to an external address shows an IP
> it's trying to hit, but no packets ever come back. tcpdump shows only
> outgoing, never anything coming back.
>
> dmesg shows:
> duplicate IP address 10.1.10.199 sent from ethernet address
> 00:02:a5:26:fc:b3
>
> which makes me think that this IP address seems to have been also
> assigned to another computer/device
>
> Now I'm really wondering, why is this happening? booting up in a linux
> livecd gets the same IP, but it works perfectly fine.
>
> is there something I'm doing wrong? This is extremely frustrating
> (having to cart around a big pccard NIC kind of takes away from the
> subnotebook effect)....

You should be looking up what lives on 10.1.10.199, 00:02:a5:26:fc:b3. If there's actually something there, OpenBSD is right, the DHCP server is configured wrong [1], and Linux just happened to work for the time you tried.

For what it's worth, 00:02:a5:26:fc:b3 is assigned to Compaq, and it is not entirely unlikely that you'll find a Compaq-made card in a Compaq-made computer. net/arping can verify that the MAC address is in use; net/nmap might give a clue about what services and possible OS is running on this machine. Try getting a non-duplicate IP and then running, as root, nmap -T4 -A 10.1.10.199 [2].
This should give a result like

# nmap -T4 -A 192.168.14.2

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-20 11:31 CEST
Interesting ports on melpomene.jschipper.dynalias.net (192.168.14.2):
Not shown: 1694 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.6 (protocol 2.0)
25/tcp   open  smtp
6000/tcp open  X11     (access denied)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=4.20%I=7%D=8/20%Time=46C95FBF%P=i386-unknown-openbsd4.1%r(
SF:NULL,5C,"220\x20melpomene\.jschipper\.dynalias\.net\x20ESMTP\x20server\
SF:.\x20Welcome!\x20Abuse\x20will\x20get\x20you\x20in\x20trouble\.\r\n")%r
SF
SF:\.\x20Welcome!\x20Abuse\x20will\x20get\x20you\x20in\x20trouble\.\r\n502
SF:\x205\.5\.2\x20Error:\x20command\x20not\x20recognized\r\n");
Device type: general purpose
Running (JUST GUESSING) : OpenBSD 3.X|4.X (96%)
Aggressive OS guesses: OpenBSD 3.9 - 4.0 (96%), OpenBSD 4.0 (x86) (92%), OpenBSD 4.0 (CURRENT) macppc (89%), OpenBSD 4.0 (sparc64) (89%), OpenBSD 3.4 (x86) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 0 hops
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 78.050 seconds

which can tell you quite a bit. In this case, we even find the hostname as reverse DNS works ('Interesting ports on melpomene.jschipper.dynalias.net (192.168.14.2)'); however, as this might not be the case, do note that there are other ways of discovering the hostname. Many services will (might) give out the hostname when you connect; if SSH works and you can log in, that's probably easiest, but you can get hostnames from protocols like FTP, SMTP, and sometimes HTTP as well (try looking for http://10.1.10.199/any-nonexistent-page).
In this case, my custom mail server header confused nmap, but the hostname is easily found - the 'unrecognized fingerprint' reads "melpomene.jschipper.dynalias.net ESMTP server. Welcome! Abuse will get you in trouble.". OS detection is imperfect - this machine runs -current, aka OpenBSD 4.2-beta - but it did get the 'OpenBSD' part right.

Of course, it *is* possible that there is some horrible OpenBSD bug that makes OpenBSD believe that the address is in use when it's not. But that is not the most likely scenario...

Joachim

[1] Or the people setting up the DHCP server don't know about 10.1.10.199, which some guy might have set up with a static IP for some reason.

[2] This almost certainly won't crash the host, your network, or kill kittens, but you do get to keep the pieces. System administrators tend to be nervous when seeing nmap, as quickly taking stock of a network is something that crackers like to do, too. If you don't want to or can not use nmap, 'nc 10.1.10.199 <port>', from another IP, is a bit less convenient but gives the same result. Also, -T4 specifies that nmap should scan pretty quickly. If you want to ease network load, use a lower number.
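Added example, not part of either poster's message: a small parser that pulls the "duplicate IP address" kernel messages quoted in this thread out of dmesg text and groups them by address and MAC, so repeated conflicts and addresses claimed by more than one MAC stand out. The second and third sample lines and the single-entry vendor table are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread's dmesg output.
DUP_RE = re.compile(
    r"duplicate IP address\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"sent from ethernet address\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Only the prefix identified in the thread; extend from an OUI registry as needed.
KNOWN_OUIS = {"00:02:a5": "Compaq"}

def find_conflicts(dmesg_text):
    """Return {ip: {mac: count}} for every duplicate-IP report in the text."""
    conflicts = defaultdict(lambda: defaultdict(int))
    for m in DUP_RE.finditer(dmesg_text):
        conflicts[m.group("ip")][m.group("mac").lower()] += 1
    return {ip: dict(macs) for ip, macs in conflicts.items()}

def describe(conflicts):
    """Render one line per (ip, mac) plus a flag when several MACs claim one IP."""
    lines = []
    for ip, macs in sorted(conflicts.items()):
        for mac, count in sorted(macs.items()):
            vendor = KNOWN_OUIS.get(mac[:8], "unknown vendor")
            lines.append(f"{ip} claimed by {mac} ({vendor}), seen {count}x")
        if len(macs) > 1:
            lines.append(f"{ip}: {len(macs)} different MACs claim this address")
    return lines

# First line is from the thread; the other two are constructed sample data.
SAMPLE_DMESG = """\
duplicate IP address 10.1.10.199 sent from ethernet address 00:02:a5:26:fc:b3
duplicate IP address 10.1.10.199 sent from ethernet address 00:02:A5:26:FC:B3
duplicate IP address 10.1.10.199 sent from ethernet address 02:00:00:00:00:01
"""

if __name__ == "__main__":
    print("\n".join(describe(find_conflicts(SAMPLE_DMESG))))
```

A single MAC reported repeatedly points at a static or stale lease; several MACs claiming the same address is worth a closer look at the ARP traffic on that segment.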
Hmm, okay I ran the scan (when on a different network card with a different IP), and I get 0 ports open, basically no information except that it is indeed up. (and that it is a card registered to compaq).

what's funny is this seems like it is obviously wrong, and something is up, but every time I start up in linux it works perfectly. Perhaps the linux box is managing to take over that IP with some kind of ARP magic, I'm not sure.

knowing this (which I had kind of suspected), is the best solution to just do a static configuration with a known free IP (the one that is saved for my pc card NIC) ? or is there some way to force the server to give me a unique IP?

anyway, thanks for the help.
dbpatterson <dbpatt@gmail.com> wrote:
> Hmm, okay I ran the scan (when on a different network card with a
> different IP), and I get 0 ports open, basically no information except
> that it is indeed up. (and that it is a card registered to compaq).
>
> what's funny is this seems like it is obviously wrong, and something
> is up, but every time I start up in linux it works perfectly. Perhaps
> the linux box is managing to take over that IP with some kind of ARP
> magic, I'm not sure.
>
> knowing this (which I had kind of suspected), is the best solution to
> just do a static configuration with a known free IP (the one that is
> saved for my pc card NIC) ? or is there some way to force the server
> to give me a unique IP?

If you cannot find the device which causes the problems, the best bet would probably be configuring the DHCP server not to hand out that particular address (configuring your new machine with a static address is a temporary solution at best, and likely to break at an inconvenient time).

This, of course, depends on the DHCP server you use; if you use OpenBSD's, dhcpd.conf(5) documents the 'range' option, which may apparently be given multiple times. This would allow you to isolate the IP in question. (The 'host' directive may or may not work, either, but I'm not sure that's less ugly.)

Do read the docs before configuring, as I'm not particularly experienced with tricky DHCP setups.

Joachim
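Added example, not part of the reply above: a helper that splits a DHCP pool into the multiple 'range' statements the reply describes, leaving out addresses known to be in use. The /24 subnet, the pool bounds 10.1.10.100 to 10.1.10.250 and the router 10.1.10.1 are assumptions; only 10.1.10.199 comes from the thread.

```python
import ipaddress

def split_range(first, last, excluded):
    """Split the inclusive pool first..last into sub-ranges that skip `excluded`."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("pool start is above pool end")
    ranges, start = [], lo
    for addr in sorted({int(ipaddress.IPv4Address(a)) for a in excluded}):
        if addr < lo or addr > hi:
            continue  # exclusion lies outside the pool, nothing to cut
        if addr > start:
            ranges.append((start, addr - 1))
        start = addr + 1
    if start <= hi:
        ranges.append((start, hi))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in ranges]

def dhcpd_subnet(network, routers, first, last, excluded):
    """Build a dhcpd.conf subnet block with one 'range' line per sub-range."""
    net = ipaddress.IPv4Network(network)
    for addr in (first, last, routers):
        if ipaddress.IPv4Address(addr) not in net:
            raise ValueError(f"{addr} is not inside {net}")
    lines = [f"subnet {net.network_address} netmask {net.netmask} {{",
             f"\toption routers {routers};"]
    lines += [f"\trange {a} {b};" for a, b in split_range(first, last, excluded)]
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Assumed pool and router; 10.1.10.199 is the conflicting address from the thread.
    print(dhcpd_subnet("10.1.10.0/24", "10.1.10.1",
                       "10.1.10.100", "10.1.10.250", ["10.1.10.199"]))
```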