Question

Strange MAC address in DHCP table????

Asked by: Shawn_H

I have a home network with 5 machines. I also have a DSL connection with 2 router/firewalls between my internal network and my ISP. The Edge router is a ZOOM 3X series Modem/Router which gets its external IP from the ISP. The second Router is a DLink DI-624 Airplus X-treme wireless router. The Dlink gets its WAN port address dynamically assigned to it by the ZOOM router/modem's internal DHCP server. All computers on the internal network get their IPs dynamically assigned by the DLink's internal DHCP server. So I have 2 subnets with private address ranges and the setup is as follows:


Zoom WAN: 208.154.xxx.xxx | Zoom LAN: 192.168.5.1          DLink WAN: 192.168.5.2 | DLink LAN: 192.168.6.1
                 __________                                  __________
     ISP --------|  Zoom  |----------------------------------|  DLink |----- 5 computers on 192.168.6.0
                 |________|                                  |________|

                                   
After checking my DHCP client table in the DLINK I have noticed a MAC address that matches none of the MAC addresses on my internal computers, nor does it match either of the routers' MAC addresses, not the WAN or LAN ports. This is the only MAC address in this table that does not show a host name with its entry. 2 of the machines on the internal network are laptops that have 2 NICs (one wireless and one ethernet). I have checked BOTH MACs on these, and neither matches this strange address. This strange MAC is being allocated one of my internal IPs.

I Googled the following search criteria and came up with a few threads of people who had found this MAC in their tables as well.

The term I searched was: "E9-EB-B3-A6-DB-3C + MAC Address" without the quotes. Yep, you guessed it, E9-EB-B3-A6-DB-3C  is the strange MAC address that is showing up in my DHCP client table. Oddly enough, guys on this thread from google said they were NOT using a wireless router, that being said, I am using 128 bit WEP encryption and am NOT broadcasting my SSID. The DLINK router allows me to filter MACS, but only From LAN to WAN, I want it filtered the other way around, "Denied from WAN to LAN"

Any answers to this mysterious MAC would be appreciated........Thanks

Any answers to where this is coming from would help greatly

This Question has been solved and asker verified.

Asked On: 2004-07-25 at 20:56:09 (ID 21070857)
Tags: dhcp, table
Topics: Miscellaneous Networking, Appletalk, Domain Name Service (DNS)
Participating Experts: 7
Points: 500
Comments: 25


Answers

 

by: sujeetsaxena Posted on 2004-07-25 at 21:32:56 ID: 11634712

Hi!

Please check if you have any printer or other peripheral connected directly on the network!

 

by: Shawn_H Posted on 2004-07-25 at 21:58:20 ID: 11634772

The only printers on the network are hooked up through Printer ports directly on the internal machines and are shared.....There are no network printers with an IP or MAC address on the network

Shawn_H

 

by: sciwriter Posted on 2004-07-25 at 22:12:38 ID: 11634804

If you are double DHCPing, you will get a ghost from the inter-DHCP change in C-address.  Only one router should DHCP, not two.  Set the wireless as transparent and put everything on the same class C.  Much more reliable.

 

by: Shawn_H Posted on 2004-07-25 at 22:35:38 ID: 11634879

Okay, it's 1:30 am now, I'll try that tomorrow night when I get home from work, but I didn't think it would matter if both were set up to DHCP as long as both were on different Class C networks, which they are; the Dlink is set up to only allocate to its internal network, not off of the WAN port. The reason I had it set up like that in the first place is a long story, but I'll try to give a short version here:

I originally bought the Dlink before I got the DSL service, in anticipation of the DSL service I was waiting on. The Dlink does not have a built in Modem, it's only Router/Switch/Access point. Well when I finally got the DSL service I found out that all our carrier supports in this area is PPPoA and not the more common PPPoE in the US. So then I had to track down a modem that supports PPPoA and found the Zoom router. So I tried hooking the cable from the internal zoom port to one of the 4 switch ports on the DLINK and just using the Dlink as a switch/Access Point. Well that didn't work, it was like the Dlink didn't want to work if its WAN port wasn't plugged into. So that's when I told the zoom to act as DHCP server, and told the WAN port on the Dlink router to retrieve its IP dynamically (fooling it into thinking it's getting it from the ISP), and let the DLINK do its router thing to and from the internal network (route to the zoom which routes to the ISP).

Also, if it's getting a ghost MAC address from the other DHCP server (the zoom) where would it be coming from? That mysterious MAC address doesn't match any MAC address on either one of the routers, or on any machine inside the DLINK's LAN port.

Thanks

Shawn_H

 

by: Shawn_H Posted on 2004-07-25 at 22:38:26 ID: 11634885

Oh yeah, I should've mentioned that the default class C subnet is being used on both networks with the private addresses 255.255.255.0 and I know that DHCP can't natively traverse routers and subnets without some kind of bridging software being used, if I'm correct.

Shawn_H

 

by: sciwriter Posted on 2004-07-25 at 22:49:21 ID: 11634922

Still don't see why you need the two class Cs.  Why not let the 192.168.5.x domain pass right through the Dlink and reflect into the systems, so they are getting their IPs from this Zoom DHCP, with DHCP off on the Dlink?  Why will this not work?  There is nothing wrong with having the Dlink think its WAN is coming from the zoom, but since the zoom is the ultimate gateway for the internet, the PCs should be able to see through the Dlink to that primary source.  Dual DHCPing generally gives problems, unless they are on 2 separate networks.  Yes you have 2 separate class Cs here, I see that, so it is technically feasible.  Maybe if there is no problem, leave it alone.  The ghost could be the virtual WAN that the Dlink is picking up as a reflection of the Zoom's translated wan.  Or another option, since the Dlink is wireless, you might have a neighbour accidentally sharing your internet connection without realizing he/she is.  Those wirelesses love to give access to anyone and everyone in the neighbourhood, you know.

 

by: Shawn_H Posted on 2004-07-25 at 23:14:01 ID: 11634998

LOL sciwriter, yes those wirelesses do love to hand it out, but I thought this should've been taken care of by using a 128 bit Hex key WEP and by NOT broadcasting my SSID.

As for letting the Zoom DHCP pass through the Dlink, I would have to disable routing on the DLINK, wouldn't I? I tried doing that, but couldn't figure out a way. As I mentioned, I unplugged from the wan port, and plugged the zoom into one of the 4 switch ports, then plugged a system into a switch port on the DLink. I couldn't get an address from the Zoom. Keep in mind, the zoom only has 1 ethernet port on it for the internal LAN, so I thought that by plugging it into a LAN port on the DLINK it would send DHCP through to the other machines. BUT, it just seemed like the DLINK did not want to give up its routing functionality, and is dead set on routing from LAN ports to the WAN ports. DLink has an emulator for this device on their web site if you would like to take a look at configuration options for it.

http://support.dlink.com/techtool/di624_revc/emulator/h_wizard.html

Thanks

Shawn_H

 

by: miloudi Posted on 2004-07-26 at 00:37:42 ID: 11635302

Hi,

I think that, even if you don't see it coming, the two DHCPs are needed as the experts said. They have the tendency to confuse packets and PCs in general; to the point of generating a mysterious MAC? I doubt it....
If I were you I would disconnect my DLINK wireless, clear the arp cache and display your MAC table... I doubt you will see it.
Second step: connect the DLINK wireless ALONE, if you still see it.
Reset your wireless to factory default, enable 128 encryption, register the MAC add of the laptops and see what happens...
Other thing, I found some saying that it is a virtual adapter MAC; do you have any kind of device like a 1394 device.....
Hope this helps.
 

 

by: sciwriter Posted on 2004-07-26 at 12:09:43 ID: 11640510

Well Shawn, the normal way would be to go into the Dlink setup first, and turn off DHCP on it.  Reboot it, plug the single LAN of the Zoom into the LAN (not WAN) of the Dlink, and then the other computers into the other LAN ports.  

The Dlink is just acting now as a hub repeater -- the WAN function is not active, because the Zoom is doing the translation from WAN to LAN, as well as DHCP.  That is how you make the Dlink transparent.

I'm not trying to frig your setup here, I think you did well to get the Zoom working, and the Dlink as a sort of an IP bridge, and if you are happy with that, stick with it !!!

 

by: Shawn_H Posted on 2004-07-26 at 15:17:34 ID: 11642135

sciwriter my friend, I know that you're not knocking my setup...don't worry, I don't take it like that either. Your help and your suggestions are greatly appreciated.

It's just that the setup that you are suggesting is the one that I originally tried (as mentioned in threads above), turning off DLink DHCP, unplugging from its WAN port, and plugging all into the switch ports, and restarting the Dlink Router. However, now you have me doubting whether or not I missed a step, so later tonight, when all go to bed, I'm going to try it again. We live on the net here :-) That's the way I wanted it set up originally, I don't like having the extra hop in there. I'll let you know later this evening how it turns out.

I do have a little more info for you though about the Mysterious MAC, let me know what you think about this. Enter this search term into Google:

E9-EB-B3-A6-DB-3C + MAC Address

and you'll be linked to a message board on dslreports.com

These guys experienced the exact same MAC address in their DHCP table, and most did not even have wireless on their network. Well I just remembered earlier that about 3 weeks ago I had dslreports.com test my dsl line, transfer rates etc... I also had them do a port scan to tell me what was opened.   hhhhhhhhmmmmm starting to sound mighty suspicious, I'm just guessing here, but wouldn't doubt if these same guys on this message board from dslreports had the same things done from dslreports.  But what I don't understand is how they come all the way in to the Dlink router because that's where the MAC is. Anyway, I'm going to give the Network another shot later tonight, trying to put the DLink in the role of switch / access point only. I'll let you know how it goes.

Once again, thanks for your help

Shawn

 

by: sciwriter Posted on 2004-07-26 at 17:48:47 ID: 11642792

Actually, Shawn, the first thing I thought of was a hack attack -- but if you have scanned all your systems for worms, and there is nothing, it is unlikely that the MAC address -- detective -- is in fact a worm.  If it is a backdoor to DSL reports, they are no better than a worm, right?  So because I couldn't come up with an answer, I didn't comment on it.

However, when you are in your routers tonight, go through EVERY tab they have, just to make sure there is no reflector setting, or a debug setting.  If you can find nothing to create that extra MAC, it is either an outside accidental connection, an artifact of the Dlink bridging the two class C domains, or else perhaps the equivalent of a loopback adapter.  Also, it could be created by MS networking, perhaps an unusual setting in the TCP/IP or something like that?

The key to making the DLink transparent is to make sure you totally reboot everything -- even both routers, in sequence, and only later start the computers.  Windows has an idiotic way of being slow to pick up on new settings, and far too slow to forget the old outdated ones.  ALL systems need to be off, otherwise, they will hang on to ghosts.  So as soon as the routers reboot, shut off all systems.  Then reboot them.  You might have to go through the DLink fairly carefully to make sure it will see the Zoom as the WAN gateway, and turn DHCP off, but it SHOULD work.

Good luck

 

by: Shawn_H Posted on 2004-07-26 at 20:06:17 ID: 11643199

OK NOW IT'S GETTING WEIRD! The MAC address is gone from the table, BUT I couldn't shut down or restart my machine. Pulled up Nortons and my Email Scan and Auto protect has been turned off and I cannot turn them back on. I ran Live update and then ran a full sys scan but Nortons returned nothing. I've been going through my processes, but can't seem to find anything out of the ordinary. Thinks I's been hacked and had a worm laid upon me! Any suggestions?

point value has just been increased......The saga continues

Shawn

 

by: sciwriter Posted on 2004-07-26 at 21:15:17 ID: 11643371

go to this --www.trendmicro.com -- download the VXD and run their on-line virus scanner.  

You need to tell me what OS you are running, because my first suspicion of a worm seems most likely, but need to know the OS and the File System, FAT32 or NTFS -- if NTFS, it will be a lot harder to fix, of course.

 

by: Shawn_H Posted on 2004-07-26 at 22:20:09 ID: 11643532

Ah yes, my good friend sciwriter, I am running WinXP Pro with NTFS, I have several partitions on the disk. 4 to be exact. I am almost positive it is something backdoor, because when rebooting and disconnecting from the network I did not have the problem. I'll run the scanner now.

Shawn

 

by: Shawn_H Posted on 2004-07-26 at 22:21:00 ID: 11643538

PS.... I had to do a hard shut down to get the machine down

 

by: sciwriter Posted on 2004-07-26 at 22:48:35 ID: 11643619

Also download and install Ad-Aware 6.0 -- and do the latest signature update from the web, before you run it.  As a free program, this is one of the BEST additions one can ever put on one's computer.  It is marvellous for removing spyware, and complements any antivirus software perfectly --

http://www.lavasoftusa.com/support/download/

For a full-time scanner, I recommend McAfee, it has kept me safe.  If you need to clean the boot sector of viruses, boot from the XP CD rom, and as soon as the first screen comes up -- do recovery console.

At the recovery console type --

FIXMBR C:
FIXBOOT C:

That will purge the boot sector of any boot sector viruses, which are always disguised from the virus scanners.

 

by: Shawn_H Posted on 2004-07-26 at 23:14:04 ID: 11643708

I have ad-aware, spybot and cwshredder, and run them often. I ran the online scan, but nothing came up. Heading off to bed now, have to work tomorrow, but will keep you posted...I appreciate the help.

I'll run fixboot tomorrow

 

by: Shawn_H Posted on 2004-07-27 at 06:36:25 ID: 11646280

Well sciwriter, I tried re-doing the routers last night and ran into the same problem that I had during the initial set up. I disabled the DHCP server on the Dlink, and unplugged the WAN port and tried using the DLink as switch and AP only. I then shut everything down, plugged the Zoom into a Dlink LAN port, and brought everything back up. The LAN machines could not get an assigned address from the zoom. However, I was on one Class C subnet at this point and set my static IP to this subnet and could ping, surf etc... to the outside world :-) But, because I need my DHCP (laptop goes to work everyday), I went ahead and changed it back.  It's like the Dlink won't let the DHCP pass through, I had its firewall disabled too.

Anyway....

I also found a backweb.exe running in my process list last night.  I think it's from that stinken Logitech mouse and Keyboard I bought. You think that would be malicious enough to have Norton's Email and auto protect disabled and non functional? Regardless, I want rid of it, even if it means removing that software.  Also, when I rebooted that machine and came back up on the network, everything seemed to be working fine....for now.

Shawn

 

by: sciwriter Posted on 2004-07-27 at 10:55:31 ID: 11649040

Strange there is no pass through -- did you try giving the Dlink a dynamic IP -- that would almost certainly fix the pass through issue.  Some need static, some dynamic.  Well at least you know your system is clean now, and yes, get rid of the special mouse drivers -- if they can't work with an XP driver, try something else.  As for leaving the laptop as dynamic IP, you should always do this -- I think maybe the Dlink needed one too, but don't go redoing it again, just for that.  It could be a bug in the Dlink firmware -- perhaps a re-flash would fix?  I had to flash my Dlink, because it was always crapping out on the WAN connection.  If you flash its BIOS, make sure you do it with a HARD cable !!!

Hope everything helped.  Have to go now, get back to work, am leaving EE.  Best of luck.

 

by: Shawn_H Posted on 2004-07-27 at 20:18:25 ID: 11653067

Thanks for the help sciwriter, everything seems to be working, I appreciate your time and help

Shawn

 

by: scott110 Posted on 2005-07-29 at 07:33:50 ID: 14554958

Shawn, I dunno if you're still monitoring this thread or not...but I'm having the exact same problem. Question for you: do you have a box running Windows Server 2003 on your network, and if so, is it acting as a Domain Controller or part of a domain?? Further if you don't have a domain, then do you have DNS service installed on there?? I have a DLink DI-524 router, and am getting the same MAC address....it only started appearing after I installed this Win2003 box...

 

by: rattymon Posted on 2005-10-14 at 07:13:03 ID: 15085497

I have the same thing - odd mac addresses with hostname of detective, as soon as I installed a Win 2003 server

 

by: Shawn_H Posted on 2005-10-14 at 08:03:28 ID: 15086036

Actually scott110, I did have a version of Windows Server 2003 set up as a domain controller at the time....Interesting. Sorry I didn't catch your post when you listed it. I just saw it now with rattymon's post.

Thanks

 

by: Johnnie7 Posted on 2005-10-19 at 21:48:10 ID: 15121766

I had the same 'detective' DHCP client show up as well, immediately after installing MS 2003 Small Business Server on my home network.  I found it listed with the DHCP clients in my IPCop DHCP log and Google led me here.  For the record I had 3 MACs for detective, the E9-EB-B3-A6-DB-3C one and also 4d:c8:43:bb:8b:a6 and 32:f6:9e:7d:49:dc.  Interesting indeed..

 

by: flyguybob Posted on 2008-01-07 at 00:08:11 ID: 20597598

Based on the feedback this is a feature of CYS (Configure Your Server wizard); this wizard pops up when someone logs onto a server and hasn't turned the CYS wizard off. It's a check to see if WS2003 can find a DHCP server, and if the server is itself running a particular service, then that check isn't made. So this looks like a by-design behavior.  In addition, this may be part of the slow link detective service.  Either way, it's part of Windows Server 2003.

Cheers,

Bob
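Added example, not part of the original thread or any poster's code: a triage pass over a DHCP client table that flags entries matching no known adapter and reads the two flag bits in the first octet of each unknown MAC (group bit and locally-administered bit, per IEEE 802 addressing). The three unexplained MACs are the ones quoted in this thread; the other rows, the inventory and all function names are assumptions made for the illustration.

```python
"""Triage DHCP client-table entries that match no known adapter."""
import re

# Constructed sample table. The three unexplained MACs are the ones quoted in
# this thread; the IPs, hostnames and the two "known" rows are made up.
LEASES = [
    ("192.168.6.100", "00-11-22-33-44-55", "desktop1"),
    ("192.168.6.101", "00:11:22:33:44:66", "laptop-wifi"),
    ("192.168.6.102", "E9-EB-B3-A6-DB-3C", ""),
    ("192.168.6.103", "4d:c8:43:bb:8b:a6", "detective"),
    ("192.168.6.104", "32:f6:9e:7d:49:dc", "detective"),
]

# Hypothetical inventory: every wired and wireless adapter you have checked.
KNOWN_MACS = ["00-11-22-33-44-55", "00-11-22-33-44-66"]

# What each class means when it shows up as a DHCP client hardware address.
NOTES = {
    "group": "group (multicast) bit set: not a burned-in NIC address, "
             "so software wrote this value into the request",
    "local": "locally administered: assigned by software "
             "(virtual adapter, randomized or overridden MAC)",
    "universal": "vendor-assigned range: look for a physical or "
                 "wireless device you have not inventoried",
}


def normalize(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(mac):
    """Classify a MAC by the two flag bits in its first octet."""
    first_octet = int(normalize(mac)[:2], 16)
    if first_octet & 0x01:      # I/G bit: group address
        return "group"
    if first_octet & 0x02:      # U/L bit: locally administered
        return "local"
    return "universal"


def triage(leases, known_macs):
    """Return one finding per lease whose MAC is not in the inventory."""
    known = {normalize(m) for m in known_macs}
    findings = []
    for ip, mac, hostname in leases:
        if normalize(mac) in known:
            continue
        findings.append({
            "ip": ip,
            "mac": mac,
            "hostname": hostname or "(none)",
            "kind": classify(mac),
        })
    return findings


if __name__ == "__main__":
    for f in triage(LEASES, KNOWN_MACS):
        print(f"{f['ip']:<15} {f['mac']:<18} {f['hostname']:<10} "
              f"{NOTES[f['kind']]}")
```

The bit check narrows the search but does not say which host sent the request; matching the lease time against changes on the network, such as the server installs reported above, does that.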
