[X-Unix] Re: MAC address swap conundrum

SeaSoft Systems seasoft at west.net
Sun Apr 10 12:08:00 PDT 2005


>From: Stroller <MacMonster at myrealbox.com>
>
>On Apr 9, 2005, at 7:43 pm, SeaSoft Systems wrote:
>
>>>  From: SeaSoft Systems <seasoft at west.net>
>>>
>>>  I have really no clue here. Could anyone with some network expertise
>>>  help me understand this situation or point me to a resource or more
>>>  appropriate forum? I have Googled my brains out but have not found
>>>  anything helpful.
>>   snip
>>  So very sorry...
>>
>>  I should have Googled *after* I found the system log entries. There is
>>  in fact quite a lot to be found under "mach_kernel: arp: "
>
>Since you've piqued my interest (and probably that of others, too) do
>you think you could let us know what has caused this, when you've
>finally got to the bottom of it?
>

Most certainly; it's a bit long and tortured, but for the terminally curious...

Turns out a year ago I set up a Brother USB printer that also had a 
network interface. During the printer network setup, I assigned it an 
unused IP on my LAN (192.168.167.21). After testing, I never used the 
IP number for printing (I only set up the IP print feature to access 
the printer via an NT box also on the network). Since I never used 
the IP print interface, I forgot I had assigned the IP number to the 
Brother. (DHCP, anyone? :)

I inadvertently set the *same* IP for a web serving iMac when I got 
my Linksys firewall/router a few months back. The conflict never 
created a problem, even when the printer was on. Because I was only 
using the USB connection to the printer, no IP-addressed printer 
traffic intended for the printer ever hit the network.

Why did the duplicate IP not cause other problems? I'm more than a 
little fuzzy on this; I am just not sure what the router was doing 
since whenever the Brother was powered on, there were two 
(192.168.167.21) IPs online. I have a couple guesses:

1. The router had the errant IP assigned to the iMac server MAC from 
its initial configuration and simply didn't send any of the server 
traffic to the printer. The printer, never seeing any IP traffic for 
itself, never broadcast its IP?

2. Perhaps both the Brother and iMac got the WAN-traffic? And the 
Brother, not seeing recognizable printing commands, simply ignored 
them silently?

Sorry I can't be more helpful here; I'm just way out of my league, 
technically...

The day of the "incident", however, I actually tried to print using 
the IP print setup on the OSX machine. It didn't work (timed out or 
something), and I just printed via USB as usual. It wasn't until days 
later that I noticed the error messages (quenched automatically by 
OkeyDokey on the iMac server) that triggered my investigation.

So, the OSX box evidently "re-assigned" the duplicated IP from the 
iMac server MAC to the printer MAC in an attempt to satisfy my 
IP-based print commands. I have no idea how this affected the 
router's handling of WAN I/O to the iMac server. It seems that the 
router kept sending the WAN/LAN packets to the right machine (iMac 
server) and that the only real conflict was on the iMac server which 
then saw the duplicate IP conflict and protested.

Note that whenever I have inadvertently replicated LAN IPs on my own, 
this has always caused the affected OS8.6 machine to crash; that 
didn't happen this time.

It was a *very* educational process.

One thing I learned that has altered my OSX behavior and may be of 
use to other neophytes: Keep a dedicated terminal window open that 
displays real-time additions to the system.log. This is really, 
really informative about what's happening on your machine. If you 
lack a hardware firewall, for example, it will display all the 
cracking attempts from Russia/China/India/etc. Combined with a 
WHOIS-type IP lookup, this is extremely fascinating. The command I 
used was

$ tail -f /var/log/system.log

The -f flag keeps tail adding log records to the bottom of the window 
as they show up. Hardware firewalls, of course, make this game much 
less educational :)

This "Tail Window" experiment made me take the OSX box out of the DMZ 
of my hardware firewall/router; just too much stuff going on from the 
Internet. It's also quite useful in following & understanding all the 
"OSX vulnerability" brouhaha currently in progress.


Whew,

Richard
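
An added example, not part of the original post: a small Python filter over system.log that separates a one-time MAC change from the back-and-forth ARP entries a duplicate IP produces. The "arp: <ip> moved from <mac> to <mac> on <if>" line format is assumed from BSD-style kernel logging (the post only quotes the "mach_kernel: arp: " prefix); the sample lines, hostname and MAC addresses are constructed.

```python
import re
import sys
from collections import defaultdict

# Assumed message shape; octets may appear with or without leading zeros.
MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
MOVED = re.compile(
    rf"arp: (?P<ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}}) "
    rf"moved from (?P<old>{MAC}) to (?P<new>{MAC})",
    re.IGNORECASE,
)

# Constructed sample: .21 flaps between two MACs, .30 changes MAC once.
SAMPLE = """\
Apr  9 18:02:11 imac mach_kernel: arp: 192.168.167.21 moved from 02:00:00:00:00:01 to 02:00:00:00:00:02 on en0
Apr  9 18:02:14 imac mach_kernel: arp: 192.168.167.21 moved from 2:0:0:0:0:2 to 2:0:0:0:0:1 on en0
Apr  9 18:05:40 imac mach_kernel: arp: 192.168.167.30 moved from 02:00:00:00:00:05 to 02:00:00:00:00:06 on en0
Apr  9 18:06:02 imac configd[88]: unrelated line
"""


def norm_mac(mac):
    """Zero-pad and lowercase each octet so 2:0:0:0:0:1 == 02:00:00:00:00:01."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def find_conflicts(lines):
    """Return {ip: [macs]} for IPs whose ARP entry moved back to a MAC seen before.

    A single move (replaced NIC, new device) is not reported; an entry that
    returns to an earlier MAC means two hosts are answering for the same IP.
    """
    seen = defaultdict(set)  # ip -> every MAC that has held the entry
    conflicts = {}
    for line in lines:
        m = MOVED.search(line)
        if not m:
            continue
        ip, old, new = m["ip"], norm_mac(m["old"]), norm_mac(m["new"])
        if new in seen[ip]:
            conflicts[ip] = sorted(seen[ip] | {old, new})
        seen[ip].update((old, new))
    return conflicts


if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/system.log) or run with no argument for the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for ip, macs in find_conflicts(source).items():
        print(f"duplicate IP suspected: {ip} claimed by {', '.join(macs)}")
```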

