Two IP addresses persistently swap MAC addresses all day
-
Searching through my pfSense system logs today I noticed this very strange activity. Two of my static IP addresses show activity all throughout the day where they are constantly swapping MAC addresses. These are both security cameras on my home network. One of them is hard wired, and the other is connected over WiFi. They are both on the same VLAN.
Is this type of behavior normal? If not, what might cause such consistent MAC address swapping activity?
-
@deboyd09 possible you got traffic flow changing and going through say an AP that uses its own MAC - one of those is Shenzhen Gwelltimes Technology Co.,Ltd, and the other one is RAlink.
But no, it's not normal.
-
Yeah, could be a 'wifi extender' or could really be an IP conflict if those cameras are using static addressing.
-
@deboyd09 thanks for the feedback! The 192.168.50.40 security camera is indeed flowing through an AP in my garage. But that AP's MAC is e4:c3:2a:73:71:66. It seems that these two devices (192.168.50.40 and 192.168.50.5) are simply swapping the same two MACs (4c:b0:08:2a:d4:36 and 00:0c:43:1a:98:75) back and forth endlessly. I'm not noticing any performance issues with my network, but this is just odd and I'm always skeptical about cheap security cameras from overseas. Is this type of behavior at all suspicious from a network security angle?
-
@stephenw10 What kind of IP conflict? I've checked that those two IPs and MACs are only assigned to those two devices.
-
Hmm, try running a packet capture on that VLAN for ARP traffic and see what's actually happening there. Something odd is happening and probably shouldn't be. It's far more likely to be misconfiguration than something nefarious though.
-
@stephenw10 I ran the packet trace. Here is what I found:
"11:12:50.906858 4c:b0:08:2a:d4:36 (oui Unknown) > a0:36:9f:0d:29:ea (oui Unknown), ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.50.1 tell 192.168.50.5, length 46"
4c:b0:08:2a:d4:36 is one of the two MACs swapping places. It is talking to a0:36:9f:0d:29:ea which is not in my DHCP lease list and shows up as an Intel device.
-
Is 192.168.50.5 the correct IP for 4c:b0:08:2a:d4:36?
You might need to capture for longer to see what's triggering the movement log.
That Intel MAC is odd though, I expect to see that broadcast. Can you find that device? Is it some rogue router on your network?
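-
An added example, not part of the original thread: one way to work through a longer ARP capture is to parse `tcpdump -e` style lines like the one quoted above and list every point where an IP address is claimed by a different MAC than before. The names `find_flips`, `FMT` and `SAMPLE` are hypothetical, all sample lines except the first are constructed, and for ARP requests the Ethernet source MAC is assumed to equal the ARP sender hardware address.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Matches tcpdump -e ARP lines: Ethernet src/dst, then either a Request or a Reply.
LINE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{MAC}).*? > (?P<dst>{MAC}).*?ethertype ARP.*?"
    rf"(?:Request who-has .*? tell (?P<req_ip>[\d.]+)"
    rf"|Reply (?P<rep_ip>[\d.]+) is-at (?P<rep_mac>{MAC}))"
)

def find_flips(lines):
    """Return {ip: [(timestamp, old_mac, new_mac), ...]} for IPs whose claimed MAC changes."""
    last = {}                      # ip -> MAC most recently seen claiming it
    flips = defaultdict(list)
    for line in lines:
        m = LINE.search(line.strip().strip('"'))
        if not m:
            continue               # not an ARP line in the expected format
        if m["req_ip"]:
            # Request: "tell <ip>" is the sender's IP; use the frame's source MAC (assumption)
            ip, mac = m["req_ip"], m["src"]
        else:
            # Reply: "<ip> is-at <mac>" states the binding directly
            ip, mac = m["rep_ip"], m["rep_mac"]
        if ip in last and last[ip] != mac:
            flips[ip].append((m["ts"], last[ip], mac))
        last[ip] = mac
    return dict(flips)

FMT = ("{ts} {src} (oui Unknown) > {dst} (oui Unknown), ethertype ARP (0x0806), "
       "length 60: Ethernet (len 6), IPv4 (len 4), {arp}, length 46")
CAM_A, CAM_B = "4c:b0:08:2a:d4:36", "00:0c:43:1a:98:75"
INTEL, BCAST = "a0:36:9f:0d:29:ea", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    # First line is the one posted in the thread; the rest are constructed.
    FMT.format(ts="11:12:50.906858", src=CAM_A, dst=INTEL,
               arp="Request who-has 192.168.50.1 tell 192.168.50.5"),
    FMT.format(ts="11:13:02.100000", src=CAM_B, dst=BCAST,
               arp="Request who-has 192.168.50.1 tell 192.168.50.5"),
    FMT.format(ts="11:13:03.000000", src=CAM_B, dst=BCAST,
               arp="Request who-has 192.168.50.1 tell 192.168.50.40"),
    FMT.format(ts="11:13:05.200000", src=CAM_A, dst=INTEL,
               arp=f"Reply 192.168.50.5 is-at {CAM_A} (oui Unknown)"),
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for ip, events in find_flips(source).items():
        for ts, old, new in events:
            print(f"{ts} {ip} changed from {old} to {new}")
```

Each reported timestamp points at the frame that caused the change, so the frame's source MAC and ARP type show which device announced the new binding.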