How to find MAC address of 'invisible' hardware?

[barney]

Windows - Win7 RC - is reporting an IP conflict, i.e., , two network elements with the same IP address.  When I check the Event viewer, the MAC address of the conflicting element is reported.  But I can't find anything with that address.

Anyone know of a utility that can find the inactive element?  Or, perhaps, where I'd look - registry? - to isolate the element, change its IP address?

Y'know ... once upon a time, I thought I was pretty good at this stuff <sigh /> ....

[4wd]

If you have a DHCP server on your network, (router, etc), change your hardware to automatically get an IP and then use SoftPerfect's NetScan to scan the network and set it to show the MAC associated with IP's.

If you don't have a DHCP server in the network, start unplugging one thing at a time until the conflict disappears, (or perform a binary chop search^w which would be faster - unplug half of the remaining hardware at a time until it goes).  Of course, the easiest place to do this is at the router/hub where they all come together.   In fact this would be faster than doing the auto-IP thing.

You haven't mentioned exactly how big this network is, whether it's got a router (in which case you can usually go into it's config pages and see what IP is associated with which MAC), etc, etc.

[Shades]

Go to a dos box (Start - Run - 'cmd'), in that box type the following: 'ipconfig /all'
This command will show you an extensive overview of the configuration from every NIC in your local PC. Check if the culprit MAC address is there. Repeat this for every PC in the network.

This is exactly the reason why DHCP servers were invented.

Ah, 4wd was faster.

[4wd]

Ah, 4wd was faster.

-Shades (June 12, 2009, 07:50 PM)

Only because where I live I'm quite a few hours ahead of you

Doesn't work with f0dder usually because he lives in a different plane of existence where there is no time.

[barney]

Have a LinkSys WRT350N router, but it doesn't tell me anything that I can't already see.

Basic connections are as follows:

• LinkSys WUSB300 wireless @ 192.168.1.100 - primary machine
• Intel Pro/100 NIC @ 192.168.1.105 - primary machine
• generic 10 Mb NIC @ 192.168.1.106 - backup machine

There are other wireless units connected via DHCP, up to five at any give time, but none currently connected.  The error pops up with or without other wireless units connected.

There is also an NAS drive at IP 192.168.1.10.

The error is always on IP 192.168.1.100.  However, when I run LanGuard, it fails to show that IP address as a system.  Ran the SoftPerfect scanner, and it, too, fails to show the IP address as a system.

However, the SoftPerfect app did show that IP as having the conflicting MAC address.  But, ipconfig in a DOS box - pardon, command prompt - shows the IP address as 192.168.1.100(Duplicate), but with a totally different MAC address than the network scanners show.

Both scanners recognize the IP as active, but neither reports any details from a normal scan.  Had to do a right-click on the IP in SoftPerfect to get it to tell me the MAC address.

Dont have this problem with WinXP, nor with last three flavours of Ubuntu (as well as a couple of other distros), just with Win7.

If I disable the NIC, I lose the NAS drive (don't know why), so that's not a viable option.  I simply cannot find the cause of the Win7 error message.  It doesn't seem to be causing any problems that I can recognize:  I just don't like errant error messages.

The problem seems to be that Win7 sees a MAC that simply does not physically exist.

[4wd]

The first thing I would do is disable the router WiFi during all testing since that will eliminate any outside possibilities and immediately prove it into the WiFi or cable side.

Is the Win7 PC connected via WiFi or cable?  If WiFi, connect via cable to test.

And since you only listed four units that are static IP, change them all to DHCP and see if the problem still exists.

If it's gone, then change half of them back to static, see if still happens and so on, until they're all back on static.

Had to do a right-click on the IP in SoftPerfect to get it to tell me the MAC address.

Set Options->Program Options->Additional->Resolve MAC address, IIRC, to have it show up normally during a scan.

Does a PC have a multiple NIC that's been assigned an IP somehow?

I still recommend the easiest way to find the problem is to disable WiFi and unplug cables until the problem goes.

[Shades]

Yep, I'm totally in agreement with 4wd. Elimination is the most sure way of finding the culprit.

[f0dder]

Doesn't work with f0dder usually because he lives in a different plane of existence where there is no time.

-4wd (June 12, 2009, 07:58 PM)

Hah

<nitpick>PS: there's no such thing as a dos box on NT-based Windows. Call it a shell, command prompt, console, whatever - but please not a dos box.</nitpick>

[Stoic Joker]

Not all DHCP servers (like the ones included in most routers) are that discriminating about skiping statically assigned IP addresses (conflict detection). Another way to work this is to run arp -a to see what Win7 is seeing, and then use one of the many MAC address lookup sites to see who made the problem device (First 3 octets of MAC address is a vendor ID) which will narrow the search faster.

On large or busy networks this would be easier then randomly unplugging stuff (which tends to form a crowd of spastic end users).

You may have a device with 2 IPs from an old/test config that is playing peek-a-boo ... I've done that too myself once or twice.

[barney]

OK,
Let me try this again.  This is not a hardware issue, per se.  I'm aware of the methodologies broached and had tried most of them prior to my plea for help. 

This is a multi-boot system.  Windows 7 RC is reporting an IP conflict.  The event viewer purportedly shows the MAC address of the other device with the duplicated IP address.  That device does not physically exist in this building, much less in the network.  (For what it's worth, the MAC address resolves to High Tech Computer Corp, out of Taiwan.)  An ARP scan is useless.  An IPconfig scan properly identifies present devices.  Software scans report the errant MAC address.  This happens in Windows 7 RC.  It does not happen in any flavour of Linux on this system (Ubuntu, a few others).  It does not happen in WinXP MC Edition, SP3.

What I would like to do is to locate the Windows 7 source for this non-existent device and either edit or delete it so that the error stops popping up an alert box.

To my mind, at this stage there are only two possibilities remaining:  a false entry somewhere in Windows, or an intrusion into the wireless system.  I have elements in place to alert me of attempted intrusions.  I do receive such alerts.  I suppose it's possible that some hotshot pirate could still get into the wireless system unbeknownst to me, but the likelihood of said hotshot using the same IP address I'm using and only attaching to the network when I'm using Win7 stretches coincidence beyond my belief limits.

That leaves a bogus record, which I would dearly like to find, somewhere in Win7.

[Shades]

Since the introduction of Windows Vista the networking software was completely rewritten by Microsoft (in previous versions of Windows they were 'borrowing' that kind of code from BSD). Therefore this code will be included in Win7 as well.

Having first hand experience with setting up a wireless network using Vista (without SP1) I can tell you that I was (very) badly impressed with the stability of the wireless connection, while my own laptop (XP) was running fine in the same network.

To me it appears that the new network software is not only more extensive but also more 'sensitive' than the old software, although I hear that Win7 has improved in that field.

Now I don't have a clue how your router has been setup, but when setting up my ex-girlfriend network I enabled the WPA, limited the amount of DHCP users able to connect to this router to the absolute minimum (in her case 1) and enabled the MAC address filtering.

Mac filtering is not that useful because it takes hardly any effort to find software that will change this for you. Come to think of it, maybe that kind of software is able to help you getting rid of it (in the case of a false entry) or at least point you in the right direction. Here are some links SMAC, MACmakeup, Technitium MAC Address Changer or see here how to do it manually.

[Stoic Joker]

Not to be a pest but this is troubling me:
High Tech Computer Corp makes Smart Phone/PDA/mobile computer devices.
Win7 is more agressive (then any prior version of Windows) about connecting to ^^that ^^ type of device.
That type of device is not going to play well with typical network scanners that test for protocols it doesn't use.
Some folks setup their widgets (badly) to romp about & connect to anything it can find.

To me, the above seems to fit your issue.

[barney]

Shades:  Thanks for the idea on the MAC filtering software ... hadn't thought to use that to kinda reverse engineer the problem.  I don't do any MAC filtering on the router ... never seen it to be useful as a deterrent - if I can get around it, so can many, many others.

Stoic Joker:  Yeah, that's been kinda bothering me, too.  Using a [TMobile]G1 with the Android OS.  I set it specifically to connect to the router's SSID and - I think! - alert me if other WiFi spots exist.  It is the most likely candidate to have created this situation.  However, on the chance that the G1 created this contretemps, I disabled the WiFi connectivity, then turned the phone off for a day ... still got the error prompt with the phone off.  That leads me to believe, still, that there's a record somewhere in Win7 that gets scanned every so often.  Unfortunately, the periodicity of the scan is not regular.

I'm partially basing that belief on a problem XP had with the router ... at one point, XP had three different records for the router - it would suddenly re-recognize it and give it a new designation/record.  However, that may have been due to the Comodo firewall, not the OS.  Didn't have time to research it, and it did not seem to cause any problems.  Still on my to-do list when I get back to XP <sigh />.  There are times when I really miss MS DOS.

[Stoic Joker]

I don't recall seeing anything about the expanded environment...but can "we" rule out the neighbors equipment?

Also have you tried changing the Win7 machine's 192.168.1.100 to (say...) 192.168.1.99 to confirm or disprove that the Win7 machine is indeed conflicting with itself. I'm working on the assumption that if it truly is a LM issue then any IP assigned to it should automatically conflict when it creates its "shadow".

[barney]

I alluded to the wireless stuff briefly.  I'm as protected as I can be, considering the equipment.  WEP activated with a strong password, and I'm alerted when anyone tries to access the wireless area.  IP access is limited, if I can believe the router, to  three full time connections and up to three - now four - ephemeral connections.  That will grow, but I'm keeping it as tight as I can.

After digging around on the G1 for a while - just upgraded the software - I found that the phone is, indeed, the MAC address source.  Information not on the Web site, not in the book.  It's in the phone, but an area I don't remember seeing before ... think it showed up after the update.

The problem now becomes that of identifying a record and, if possible, changing it.  Well, same problem as I started.  Comforting to know there's a source ... I remember ghost machines on a DEC LAN back with Win98/98SE that drove us crazy.

Anyway, I'm still hunting for that record somewhere in Win7.  Surely I'll find it sooner or later <sigh />.

[Stoic Joker]

Excellent! Now we have an enemy with a face! So... what else can we accuse the phone of...

(But seriously) Win7 very well may not have an erroneous record, it may just be more apt to whine about the issue (not entirely a bad thing). Many DHCP enabled devices will have a fall-back configuration that they will use if the DHCP server doesn't answer fast enough. It could be an APIPA (169.254.x.x) address, manufacturer selected, or user configurable. HP's Jet direct print servers are one example, they used to all default to 192.0.0.192 (...'cause some engineer thought that that would be handy).

If the phone is having trouble getting (through security) an IP from the routers DHCP, it may be assigning itself a fall-back address of 192.168.1.100.

[barney]

If that's the case, I'll adapt.  Remember, though, that with the phone disconnected and turned off, I was still getting the alert.  Oh, fwiw, that also included a reboot of the box, just to try to clear residuals.  There's still a rodent in the baseboards somewhere.

[Stoic Joker]

lol ... good point.

Try assigning the machine an address of 192.168.1.99 (assuming its available) just to see if it will conflict with itself (on that address too). if it does then we know it's a freaky LM thing. if it doesn't then do an arp -a and see if "we" can catch another device sporting that address also.

Running nbtstat -A 192.168.1.100 may get it (the rodent) to reveal a bit more about itself also.

[barney]

Sorry, but I've had to give up the rodent hunt ... it's taking more time than I can afford.

Last thing I did was a so-called global search on any file containing the offen[ding/sive] MAC address.  So-called because I don't know what files Win7 may be hiding/protecting.

When I come back to this, I'll repeat that search from Linux, prolly a Live CD.  Right now, I just cannot afford the time - I've yet to find a really fast search utility for Linux.

If I do finally reach a resolution, I'll post it back here ... kinda like to keep loose ends tied, when possible.

'Preciate all the help, information & suggestions you folk have given ... maybe some day I can repay.

[Shades]

When I come back to this, I'll repeat that search from Linux, prolly a Live CD.  Right now, I just cannot afford the time - I've yet to find a really fast search utility for Linux.

You could download: portable ubuntu. After unpacking and executing 1 .bat file you can use ubuntu 8.04 next to Windows at the same time. It was Ubuntu 8.04 when I downloaded it, but you can upgrade if you want. Maybe the author already has done this upgrade already.

The only thing I had to edit were two files because I wanted to mount all my partitions at boot time. If you don't have more than one partition or mount them only when needed, you don't need to change anything. The C:\ partition is recognized by default (and will very likely hold the address you seek).

[barney]

Unfortunately, portabuntu does not play well with Win7 ... tends to reboot the system.  I use it quite a bit when in WinXP ... some things just work better ... but have not, to date, been able to make it work with Win7.  Don't know if it's Ubuntu, the portability port, or some of the stuff that's auto-loading ... just haven't had time to do a serious investigation.

However, even if it did run, Windows would still be running - and protecting me by hiding files it doesn't think I should see/access, i.e., mess with.  I like protection as much as the next guy, but I don't want a bullet-proof - ?!? - vest that automatically wraps around me as soon as I get out of bed and doesn't come off until I'm asleep, ya know?

Anyway, that's why I mentioned using a Live CD ... that way nothing - or so I hope - on the partition in question will be active <chortle />. 

Actually, XP is on the C: partition, several different flavours of Linux on the next few partitions, several card readers on the next few, and Win7 is on the O: partition, with L:, M:, and N: reserved for storage & boot images, along with a 2G USB as the P: drive for ReadyBoost(?) partition.

To my way of thinking, it's highly unlikely that Windows is smart enough to completely hide files from an unknown OS on a non-typical disk segment.  Speaking of which, it could be interesting to see what's on that thumb drive <chuckle />.

Oh, well, that's all for the future ... right now I have to resolve a PHP issue - different thread.