From: Anonymous on 24 Jul 2006 08:23

Dear All,

I am running slackware 10.0 on a PC which is part of an Ethernet Local Area Network. When I do the following

# ifconfig eth0 down

the lights on the ethernet switch port to which the computer is connected still keep blinking. Which means there is still traffic flowing to and from the computer! This should not be the case as the /dev/eth0 has only one IP assigned to it.

Is there such a possibility that the interface card is assigned two IP addresses, the malicious one being not shown up in the ifconfig output and the interface still keeps running despite I turned it off?

If so, then how do I find and confirm this happening?

This, in fact, happened to a windows machine that I had. I 'disabled' the internet connection and still the machine responded ping to an IP address that did not show up anywhere in the output of ipconfig. The switch lights also kept blinking. This was later discovered to be set-up on that particular machine in the registry settings.

Thanks in advance for anyone helping me into this!

A.

From: Dave Uhring on 24 Jul 2006 09:12

On Mon, 24 Jul 2006 05:23:51 -0700, Anonymous wrote:

> Is there such a possibility that the interface card is assigned two IP
> addresses, the
> malicious one being not shown up in the ifconfig output and the
> interface still keeps running
> despite I turned it off?
>
> If so, then how do I find and confirm this happening?

$ /sbin/ifconfig -a

From: Anonymous on 24 Jul 2006 10:00

Dave Uhring wrote:

> On Mon, 24 Jul 2006 05:23:51 -0700, Anonymous wrote:
>
> > Is there such a possibility that the interface card is assigned two IP
> > addresses, the
> > malicious one being not shown up in the ifconfig output and the
> > interface still keeps running
> > despite I turned it off?
> >
> > If so, then how do I find and confirm this happening?
>
> $ /sbin/ifconfig -a

I did this and it still shows the same output as /sbin/ifconfig. No further details!

Is there any other tool that directly queries the NIC without going through OS calls? First three octets of the Ethernet address are: 00:0C:F1 -- which ethereal shows to be Intel. So any vendor made tool or any other thing that I can probably use?

Thanks in advance for any help!

A.

From: Allen Kistler on 24 Jul 2006 10:08

Anonymous wrote:

> Dear All,
>
> I am running slackware 10.0 on a PC which is part of an Ethernet Local
> Area Network.
> When I do the following
>
> # ifconfig eth0 down
>
> the lights on the ethernet switch port to which the computer is
> connected still keep blinking.
> Which means there is still traffic flowing to and from the computer!
>
> [snip]

Which means the NIC is still electrically active (because it still has power), so the switch forwards it broadcasts, arp requests, and anything else it can't filter based on MAC address.

The only way to stop that is to power down the computer or unplug the network cable. If your computer has wake-on-lan, even powering down won't stop the traffic.

Nothing bad is happening.

From: David Efflandt on 24 Jul 2006 11:35

On 24 Jul 2006 05:23:51 -0700, Anonymous <call_ret(a)yahoo.com> wrote:

> Dear All,
>
> I am running slackware 10.0 on a PC which is part of an Ethernet Local
> Area Network.
> When I do the following
>
> # ifconfig eth0 down
>
> the lights on the ethernet switch port to which the computer is
> connected still keep blinking.
> Which means there is still traffic flowing to and from the computer!
> This should not be the
> case as the /dev/eth0 has only one IP assigned to it.
>
> Is there such a possibility that the interface card is assigned two IP
> addresses, the
> malicious one being not shown up in the ifconfig output and the
> interface still keeps running
> despite I turned it off?

A couple of possibilities are that the nic is still connected, therefore, it may autonegotiate speed with a switch, or would see traffic on a hub. It may also still receive arp inquiries or may be in the arp cache of another machine. Linux typically answers arp requests for any IP on it, even from a different interface (even though a firewall may prevent actually connecting to such an IP).

It is actually possible to connect to some devices by manually setting an arp entry on another machine. For example routers and other devices can often be initially configured by manually assigning them an IP in your local arp, and using that IP to access their web or telnet config. That often helps if you do not have DHCP, but need to configure a device without Windows software.

So the only sure way to stop traffic on a nic is to unplug it.
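
Added example, not written by any poster in this thread: one way to check the original question (an address on the interface that ifconfig does not list). ifconfig reports one address per interface name or alias label, while iproute2's `ip addr` lists every address the kernel holds, so the two can be compared. The sample data is constructed, `unlisted_addrs` is a hypothetical helper name, and the check assumes iproute2 is installed.

```shell
#!/bin/sh
# Added example: constructed sample data, not output from the poster's machine.

# Addresses that ifconfig listed for eth0 (space-separated, constructed).
IFCONFIG_ADDRS='192.168.1.20'

# Constructed sample of `ip -o -4 addr show dev eth0` output. The second
# address has no alias label, so ifconfig would not list it.
IP_ADDR_OUTPUT='2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0
2: eth0    inet 10.99.0.5/24 scope global eth0'

# unlisted_addrs KNOWN IP_OUTPUT
# Prints each IPv4 address found after an "inet" token in IP_OUTPUT that is
# absent from the space-separated KNOWN list, one per line.
unlisted_addrs() {
    printf '%s\n' "$2" | awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        {
            for (i = 1; i < NF; i++)
                if ($i == "inet") {
                    split($(i + 1), a, "/")      # strip the /prefix length
                    if (!(a[1] in seen)) print a[1]
                }
        }'
}

# Run against the constructed samples; on a live host, pass
# "$(ip -o -4 addr show dev eth0)" as the second argument instead.
unlisted_addrs "$IFCONFIG_ADDRS" "$IP_ADDR_OUTPUT"
```

An empty result means every address the kernel holds on the interface was also reported by ifconfig.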