Why does “arp -a” show IP address 169.254.192.123
on my 192.168.2.0 home network?
I recall seeing this IP address somewhere, but don’t remember where.
14 thoughts on - OT Strange IP Address On Home Network
It’s a Zero Config IP address. Most likely a host with zero config enabled, pretty much all Windows by default, was unable to get an IP
from DHCP.
Sounds like you have a host with a NIC that’s configured for DHCP but either can’t communicate with the DHCP server, or there are no free IPs for the DHCP server to give it.
—
Mark Haney ::: Senior Systems Engineer
*VIF* International Education P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
919-265-5006 office
Thanks for your response. I should have said I’m running CentOS-7.1 on my home server. Also the actual “arp -a” entry on the server is
(169.254.192.123) at 30:10:b3:2e:cb:ff
I see that 30:10:b3 is assigned to Lite-On (or Liteon)
which is a Taiwan company, who sell network cards among other things. And I find when I google to “liteon wifi network”
that there are many queries (and complaints) about mysterious links involving liteon devices.
So I guess the strange IP address probably comes from some Lite-On device somewhere in my house – maybe on the server itself, an HP MicroServer. There are so many possible electronic culprits today.
My HP Microserver N40L (the original version), the NIC is Broadcom,
I have the same Broadcom controller in my MicroServer, but there is a second Intel 82574L ethernet controller in the machine, which could conceivably be the culprit.
What I don’t really understand is why the dhcpd server on my CentOS machine does not give this device a proper address.
(There are lots of spare 192.168.2.* slots.)
As far as I can see from iptraf-ng, no packets are currently coming or going from this 169.254.* address, which I see from google is a “link-local” address.
You should be able to use nmap to scan the device.
Johnny Hughes wrote:
Thanks very much for the suggestion, I’ll try that.
I’ve been surprised how much information I get from iptraf-ng, which I only discovered recently. I knew about “arp -a”, but I’m told I should be using “ip neigh”. However, that doesn’t give the name of each device on the network
(if known), as arp does.
Try putting this line
IPV6INIT=no
in the relevant config file, probably something like
/etc/sysconfig/networking/devices/ifcfg-eth?
then restart your network.
ken wrote:
I don’t have a directory /etc/sysconfig/networking/ on my CentOS-7 server, but I have IPV6INIT=no in /etc/sysconfig/network-scripts/ifcfg-enp{23}s0 .
Incidentally, I haven’t yet worked out how to get any useful information from nmap, as suggested by Johnny Hughes – I only get information about open ports, which is interesting but not relevant to my query about the 169.254.* address appearing in “arp -a” on my server. I looked at “man nmap” but there seem to be an infinity of options.
assuming nmap says there’s a web server running, can you connect to it? how did you run nmap against it? I’d think you would have to create a dummy interface on the same network range to be able to communicate to it. I suspect something like a service processor/ilo/rilo/whatever HP calls their management interface.
could you have powered the machine up first then waited a little while before putting network cables in, esp in the one labeled ‘mgmt’?
zep wrote:
Thank you for your response. However, you would probably have to give specific commands for me to understand your suggestions.
There is a web server running on my home server “helen” at 192.168.2.5
which I can access with Firefox or Chrome by browsing to “helen”.
(The server is accessible remotely at http://www.gayleard.com .)
How do you suggest I use nmap to find if there is a web server running?
“sudo nmap -v -sn 192.168.0.0/16 10.0.0.0/8” tells me
Nmap scan report for helen (192.168.2.5)
Host is up (0.0037s latency).
MAC Address: 00:1B:21:9F:36:DB (Intel Corporate)
but I already knew that from “arp -a”.
I’m not sure what that means.
Again, I’m not sure what you mean.
“sudo locate rilo” doesn’t find anything on my HP Microserver, which is running under CentOS-7.1 . Does HP have a “management interface” on my server?
What would it be called?
the “gen0” original microservers with the NxxL “Neo” processors have a OPTIONAL remote management card that implments IPMI and iLO. I don’t have one in mine.
Thanks for your comment, which led me to recall that when I started up my two HP Microservers almost 5 years ago under CentOS-5.5/KDE, I did look at the Remote Access Card. But I found that after installing an Intel PCIe Ethernet card there was no room in the rather crowded server for a second PCIe card.
You’re seeing a strange IPv4 address on your network. Changing IPv6
won’t affect that in any way, and I recommend leaving IPv6 enabled. If nothing else, v6 capable applications work better when you have v6
connectivity.
I’m not sure if Linux will cache an ARP entry if the host sends an unsolicited update, but you normally won’t have a route to that address to scan it. Run ‘ip route show’ to see if you have a route to the address you’re seeing (the link-local network is 169.254.0.0/16).
If you don’t see a direct route, then add an address on your system so that you can reach the link-local host:
ip addr add 169.254.192.100/16 dev eth0
Once you have an address on the link-local network, you should be able to ping or scan the unknown device. Use nmap:
nmap -sS -O 169.254.192.123
That command will scan common ports on the unknown device and attempt to guess its operating system.
14 thoughts on - OT Strange IP Address On Home Network
It’s a Zero Config IP address. Most likely a host with zero config enabled, pretty much all Windows by default, was unable to get an IP
from DHCP.
Sounds like you have a host with a NIC that’s configured for DHCP but either can’t communicate with the DHCP server, or there are no free IPs for the DHCP server to give it.
—
Mark Haney ::: Senior Systems Engineer
*VIF* International Education P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
919-265-5006 office
Global learning for all. http://www.vifprogram.com
<http://www.vifprogram.com/?utm_source=signature&utm_medium=email&utm_campaign=VIF>
Find VIF on Facebook <http://facebook.com/VIFInternationalEducation> |
Twitter <http://twitter.com/vifprogram> | LinkedIn
<http://www.linkedin.com/company/vif-international-education>
Recognized as a ‘Best for the World’
<http://bestfortheworld.bcorporation.net/> B Corp!
Mark Haney wrote:
Thanks for your response. I should have said I’m running CentOS-7.1 on my home server. Also the actual “arp -a” entry on the server is
(169.254.192.123) at 30:10:b3:2e:cb:ff
I see that 30:10:b3 is assigned to Lite-On (or Liteon)
which is a Taiwan company, who sell network cards among other things. And I find when I google to “liteon wifi network”
that there are many queries (and complaints) about mysterious links involving liteon devices.
So I guess the strange IP address probably comes from some Lite-On device somewhere in my house – maybe on the server itself, an HP MicroServer. There are so many possible electronic culprits today.
My HP Microserver N40L (the original version), the NIC is Broadcom,
02:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5723
Gigabit Ethernet PCIe (rev 10)
and its MAC is A0:B3:CC:xx:xx:xx
John R Pierce wrote:
I have the same Broadcom controller in my MicroServer, but there is a second Intel 82574L ethernet controller in the machine, which could conceivably be the culprit.
What I don’t really understand is why the dhcpd server on my CentOS machine does not give this device a proper address.
(There are lots of spare 192.168.2.* slots.)
As far as I can see from iptraf-ng, no packets are currently coming or going from this 169.254.* address, which I see from google is a “link-local” address.
You should be able to use nmap to scan the device.
Johnny Hughes wrote:
Thanks very much for the suggestion, I’ll try that.
I’ve been surprised how much information I get from iptraf-ng, which I only discovered recently. I knew about “arp -a”, but I’m told I should be using “ip neigh”. However, that doesn’t give the name of each device on the network
(if known), as arp does.
Try putting this line
IPV6INIT=no
in the relevant config file, probably something like
/etc/sysconfig/networking/devices/ifcfg-eth?
then restart your network.
ken wrote:
I don’t have a directory /etc/sysconfig/networking/ on my CentOS-7 server, but I have IPV6INIT=no in /etc/sysconfig/network-scripts/ifcfg-enp{23}s0 .
Incidentally, I haven’t yet worked out how to get any useful information from nmap, as suggested by Johnny Hughes – I only get information about open ports, which is interesting but not relevant to my query about the 169.254.* address appearing in “arp -a” on my server. I looked at “man nmap” but there seem to be an infinity of options.
assuming nmap says there’s a web server running, can you connect to it? how did you run nmap against it? I’d think you would have to create a dummy interface on the same network range to be able to communicate to it. I suspect something like a service processor/ilo/rilo/whatever HP calls their management interface.
could you have powered the machine up first then waited a little while before putting network cables in, esp in the one labeled ‘mgmt’?
zep wrote:
Thank you for your response. However, you would probably have to give specific commands for me to understand your suggestions.
There is a web server running on my home server “helen” at 192.168.2.5
which I can access with Firefox or Chrome by browsing to “helen”.
(The server is accessible remotely at http://www.gayleard.com .)
How do you suggest I use nmap to find if there is a web server running?
“sudo nmap -v -sn 192.168.0.0/16 10.0.0.0/8” tells me
Nmap scan report for helen (192.168.2.5)
Host is up (0.0037s latency).
MAC Address: 00:1B:21:9F:36:DB (Intel Corporate)
but I already knew that from “arp -a”.
I’m not sure what that means.
Again, I’m not sure what you mean.
“sudo locate rilo” doesn’t find anything on my HP Microserver, which is running under CentOS-7.1 . Does HP have a “management interface” on my server?
What would it be called?
the “gen0” original microservers with the NxxL “Neo” processors have a OPTIONAL remote management card that implments IPMI and iLO. I don’t have one in mine.
here’s someones blog about bringing his up. https://www.liquidstate.net/hp-microserver-n40l/
John R Pierce wrote:
Thanks for your comment, which led me to recall that when I started up my two HP Microservers almost 5 years ago under CentOS-5.5/KDE, I did look at the Remote Access Card. But I found that after installing an Intel PCIe Ethernet card there was no room in the rather crowded server for a second PCIe card.
You’re seeing a strange IPv4 address on your network. Changing IPv6
won’t affect that in any way, and I recommend leaving IPv6 enabled. If nothing else, v6 capable applications work better when you have v6
connectivity.
I’m not sure if Linux will cache an ARP entry if the host sends an unsolicited update, but you normally won’t have a route to that address to scan it. Run ‘ip route show’ to see if you have a route to the address you’re seeing (the link-local network is 169.254.0.0/16).
If you don’t see a direct route, then add an address on your system so that you can reach the link-local host:
ip addr add 169.254.192.100/16 dev eth0
Once you have an address on the link-local network, you should be able to ping or scan the unknown device. Use nmap:
nmap -sS -O 169.254.192.123
That command will scan common ports on the unknown device and attempt to guess its operating system.