Network throws up MAC spoofing warning on one PC - How can I trace the root cause and fix the problem.

Posted on 2006-07-20
Medium Priority
Last Modified: 2013-11-16

I have been asked to find and fix (or dismiss) the cause of "MAC spoofing detected" errors appearing on one PC on the Network.
The network has approx. 50 devices.  The PC runs Bullguard Internet Security and the security log shows this problem as an ARP reply with no preceding Request.  The event occurs approx every 4 minutes.  I used nbtscan to look at net devices and using this, the Security log, and arp -a have discovered the following.
The Sender of the ARP Reply is always pruporting to be is supposed to be the file server on the Network
Approx half the messages have 00-80-c8-b9-f1-c9 as the Sender MAC, the other half are from 00-80-c8-b9-f1-cc (NOTE: only last digit differs !!)
My host PC is, and naturally the ARP table changes the MAC associated with each time this message is received
nbtscan (Netbios tracer) links the Server ( to the first MAC address.

My question is this - Does anyone know the source of the problem ?  Does it represent a weakness in the network ? or a feature of the network to which Bullguard is over-reacting ?  I don't know enough about networking to answer this myself.

Many thanks,   Brian.
Question by:brian_071computing
  • 3
  • 3
LVL 25

Expert Comment

ID: 17151341
do you have a managed switch? basically do you have a way to determine what machine the mac belongs to.  Both macs belong to Dlink nics.

i know if you have everything going thru a cisco switch you can do a
sh mac-address-table
and see which mac belongs to which port and can atleast help in identifying the problem host

sounds like its something that needs to be looked into though.  could be a compromised host or someone doing something their not suppose to be doing.  this type of attack allows the attacker to redirect network traffic thru their machine "seeing" everything that is going on.  They can then forward that traffic to the correct mac so the orig client doesn't know what is happening.

Author Comment

ID: 17152739
Hi Cyclops,

I don't work at the place so will have to arrange another visit.  I know they are not Cisco switches, and doubt they are managed ones.  I know about man-in-the-middle attacks but what leads me to believe that this is something different is the fact the the 2 MACs coming from differ by only 1 character  blah-blah-blah-CC and blah-blah-blah-C9 ?
Next time I visit I will try to get a password for the Server and use "getmac" to confirm its MAC....
LVL 25

Accepted Solution

Cyclops3590 earned 1500 total points
ID: 17153277
not really all that means is that the nic were manufacturered in the same run.  But you are looking for a Dlink. Its not pretty, but if there aren't many people you could just go to each computer to see if you could find the computer with the Dlink that has that mac address

while the two macs being relatively close in number might (and I stress might) mean something, I'm still putting my money on the fact that these nics were just in the same run and bought at the same time.  I have a few linksys nic with macs that are in sequence (4 of them).  I bought them all at the same time and was quite impressed that this happened to be honest.
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!


Author Comment

ID: 17171318
Managed to get to the site today.  Used WireShark at and at the File Server  The ARP stuff is all fine at the Server but is still causing the alerts at -  Using a multi-ping tool the device with the offending MAC is not showing up in any ARP table - so will have to visit each PC on network in turn at some stage and see can it be found.  Maybe its malware running that is generating false IP stuff and false MAC identitys just to try to annoy the user of ?  Unfortunately the two 25 port switches are unmanaged, dumb devices.  Well - I'm off for two weeks Holidays in St. Louis, South IL and Memphis, TN.  Will respond on my return,  Thanks, Brian.
LVL 25

Expert Comment

ID: 17174662
it probably wouldn't show in any arp table since it'd have to show under a wrong IP.  I take it that it didn't show under the firewalls arp table either?

Author Comment

ID: 17176156

Hi Cyclops - can't login to the Zyxel modem to check - may get password on my return and look.

Best REgards,  Brian.

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question