This question brought to you by the letters AA-BB-CC-DD-EE-FF
March 8, 2008 12:50 PM

My son lives four hours away. I'm trying to do phone support for him on his PC (XP pro), which won't connect to the internet. In asking him to try various things and report what (if anything) happened we discovered that ipconfig /all is reporting his MAC address as 00-11-22-33-44-55. Nuh-huh! Fuller violently shakes head until pea brain rattles.

I built this PC myself back around Christmas and documented it from soup to nuts. That is NOT NOT NOT its true MAC address. Can anyone suggest where it might be coming from?

I know of two ways to spoof a MAC address in XP, one done using the NIC's properties (Advanced/Network Address/Value) and the other being a registry hack. The NIC's properties have not been diddled with; and I had him search in regedit for the string that's being reported as the spurious MAC address. Not found. Where else might a phony MAC address be imposed on the system?

Oh, google. It's no help because so many people use that string to describe the form of a MAC address ("Look for a number that looks like 00-11-22-33-44-55.")
posted by jfuller to Computers & Internet (13 answers total)
 
Did you try to release and renew all ipconfig?
posted by k8t at 1:04 PM on March 8, 2008


Are you sure that's not the MAC address for some attached device like a DSL or Cable Modem?

You may be overthinking your troubleshooting here. Bizarre MAC spoofing and the like are extremely rare types of problems...
posted by wfrgms at 1:05 PM on March 8, 2008


One of the first things I try when things are obviously wonky is WinSockFix which will reset the various TCP and Winsock registry values to their default values.
posted by limon at 2:00 PM on March 8, 2008


Virtual adaptor or network bridge installed?
posted by tracert at 2:04 PM on March 8, 2008


Best answer: When you got him to search the registry for the wonky MAC, did he search for 00-11-22-33-44-55 or 001122334455?
posted by flabdablet at 3:15 PM on March 8, 2008


Response by poster: tracert:
> Virtual adaptor or network bridge installed?

Yes, he has a Hamachi VPN client running (I hoped to be able to do fixes for him and be able to see a remote desktop to work in. And I could, for a while.) Hamachi causes another adapter to show up in the ipconfig output. But I installed and tested Hamachi before I shipped the PC off, and it didn't do anything odd to the MAC address reported by ipconfig for the "Ethernet adapter Local Area Connection," which is the one now showing Physical Address 00-11-22-33-44-55.


wfrgms:

> You may be overthinking your troubleshooting here. Bizarre MAC spoofing and the like are extremely rare types of problems...

I don't suspect anything done by the Black Hand of the HaX0rz here. I suspect, or at least wonder about, something possibly done by the Charter service guy who visited them just before their network flakiness started. That was right after one of the house tenants got a laptop and there was competition over who got to plug in to the single ethernet port on the cable modem. So they paid Charter to come and install a wireless modem. In the course of his visit the Charter guy noticed that my son had the Hamachi client running and told him "Your computer has a new network address and Hamachi probably won't recognize it any more." My son swears he's quoting the fellow exactly.

"Network address", forsooth. Vas is das network address? He can't have meant IP address, both the desktop PC and the laptop were set up for DHCP and could potentially have lost their lease and been assigned a new IP at any time, and that isn't supposed to break anything. So I'm guessing he meant MAC address--and indeed that's the address that's new and different and not in a good way. Why might he have done this? No clue. He didn't leave a filled out work order or even a card with his name, and none of these unsuspicious young people thought to ask.

k8t:
> Did you try to release and renew all ipconfig?

I would have, but when I noticed this funny MAC I also saw the PC wasn't getting any DHCP assignment. DHCP is turned on but the IP had been autoconfigured as 169.254.7.33, which is in the range that XP assigns itself when it has gone looking for a DHCP server and not found one. There are nice bright link lights at both NIC and modem, but that's as close to connecting as we get. (Automatic Private IP Addressing (APIPA) also assigns itself a mask of 255.255.0.0 which is wrong for this PC, but I never heard or read of it assigning the PC an oddball soft MAC.)

limon:
> One of the first things I try when things are obviously wonky is WinSockFix

That looks very useful, I'll certainly download it against future problems, but I didn't load it on the broke PC back when I had the chance and now it's hundreds of miles away and off the net. Maybe my son can get a friend to d/l it for him and copy it to his USB drive. I'll suggest that.


flabdablet:

> When you got him to search the registry for the wonky MAC, did he search for 00-11-22-33-44-55
> or 001122334455?

Um (blush.) Guess I'll ask him to do that one again.
posted by jfuller at 5:03 PM on March 8, 2008


Best answer: Don't put too much faith into word-for-word quotes of what Tech Dude said - There may be a slip of the tongue, a slip of the mind, or a simplification of terms at work here. When I worked for Large Cable ISP(TM), I'd simplify things to cover due diligence, without setting myself up to explain things I didn't have time to go over.

Here's what a 169'ing NIC's settings will look like:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : MAC Bridge Miniport
Physical Address. . . . . . . . . : 02-15-AF-64-16-F2
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.188.125
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

The 255.255.0.0 netmask is standard, and correct. It's not able to reach a DHCP server, for whatever reason.

Is he connecting directly to a cable modem? DSL device? Router? Has he tried a new strand of CAT5 cable? Has the device he's connecting to been power-cycled or otherwise reset?

Reset the modem - At least for Cox, IP addresses are assigned to the first MAC address the modem sees after powerup/DHCP request. If the modem was connected to Device A, and is now connected to Device B, and they have different MAC addresses, Device B won't be assigned a DHCP lease. Resetting the modem (usually) clears any provisioning of IP addresses, and the next DHCP request sent across from that modem would be honored. (MAC address collision was never an issue - The IPs were assigned to the NIC MAC speaking over a particular modem MAC).

Other ISPs are a bit more restrictive, and will only assign an IP address to a specific MAC address on a given cable modem, and may require a call for them to provision an IP address to a new MAC address. I have no personal experience with these systems, except for one tiny market, and we handled those without issue.
posted by Rendus at 7:19 PM on March 8, 2008


fuller, i messaged you some information that might help. let me know.
posted by Breo at 8:44 PM on March 8, 2008


Response by poster: You know, this is why I never ask relationship questions in askme. The answers to techie questions are just so much more fun.

I did another phone session concerning the problem(s), this time with the lady who wants to get on the net with her laptop (though she was actually typing at and making changes to my son's PC. All in the interest of getting it out of her way, heh.) I still don't know what the problem was or is but I just punted on DHCP. The last time this PC worked for them, it had been assigned IP 192.168.0.11, netmask 255.255.255.0 and gateway 192.168.0.1, so I had her plug all these in as static entries. Bingo, internet.

When we left it for the night we still didn't have functioning DNS so she can browse but only by numerical address, which isn't a whole lot of use. The machine had the modem entered as the primary DNS server and a Charter machine (24.197.160.21) as the secondary and wasn't getting any response from either. I did a bit of searching later and found a bunch of public DNS servers that seem to work OK for me where I am (listed below). Tomorrow I'll suggest they plug one or two of these in and see if that helps with browsing by name. After that, maybe we'll find out whether the modem's address for DHCP server and default gateway (both were 192.168.0.1) is also the address of its internal config web page, and if so are the default login and password still in place. If all that works out we'll be in and we'll just turn DHCP off. I feel sure they can keep track of a static-IP network with two or three nodes.

There's still the very curious Case of the Too-Regular MAC. Per flabdablet I asked her to search the registry again, this time for 001122334455, and the search did appear to find something, if the search term was typed exactly--at least it stopped before the "finished searching the registry" message appeared. But I can't be sure what she found, and she was tired and didn't want to scroll back up the tree and see if it was the right key--that being

HKEY_LOCAL_MACHINE\
SYSTEM\
CurrentControlSet\
Control\
Class\
{4D36E972-E325-11CE-BFC1-08002BE10318}\
[interface number, e.g.0001, 0002, etc.]\
NetworkAddress

So in the absence of further light the 00-11-22-33-44-55 physical address remains a mystery. If I can get them completely back on the i-net so that Hamachi works again, I'll be able to do a remote registry edit session and find out for sure.

----------

PS, public DNS servers working right now:
204.117.214.10.......Sprintlink
128.107.241.185.....Cisco
207.69.188.187.......Earthlink
4.2.2.1.....................Verizon

posted by jfuller at 9:34 PM on March 8, 2008


Best answer: Delete that reg value and reboot to restore the original MAC. I've used that reg hack (specifically creating the "NetworkAddress" reg value; it typically does not exist by default) at work to spoof a MAC address to get around funky software licensing after a mobo replacement. The usual warnings about registry editing apply; YMMV etc.

Why is it there to begin with? NFI, seems fishy.
posted by lordaych at 10:07 PM on March 8, 2008
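
The check discussed in the answers above, as an added example (not code from any poster in the thread): it reads saved `reg query ... /s` and `ipconfig /all` text, finds every `NetworkAddress` value under the network-adapter class key, and matches it against the reported physical addresses whether or not the hyphens are present. The sample input, driver names and function names are constructed for illustration, and English-language command output is assumed.

```python
import re

CLASS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}"
KEY_RE = re.compile(re.escape(CLASS_KEY) + r"\\(\d{4})$", re.I)
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def normalize_mac(text):
    digits = re.sub(r"[-:.\s]", "", text).upper()  # accept 00-11-.., 00:11:.., 0011..
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def find_overrides(reg_text):
    """Map MAC -> (interface subkey, DriverDesc) for each NetworkAddress value."""
    interfaces, current = {}, None
    for line in reg_text.splitlines():
        key, val = KEY_RE.match(line.strip()), VALUE_RE.match(line)
        if key:
            current = interfaces.setdefault(key.group(1), {})
        elif line.startswith("HKEY_"):
            current = None  # deeper subkey (e.g. Linkage), not an interface
        elif current is not None and val:
            current[val.group(1).lower()] = val.group(3).strip()
    macs = {k: normalize_mac(v.get("networkaddress", "")) for k, v in interfaces.items()}
    return {m: (k, interfaces[k].get("driverdesc", "?")) for k, m in macs.items() if m}

def physical_addresses(ipconfig_text):
    """Map adapter heading -> normalized MAC from English `ipconfig /all` output."""
    adapters, name = {}, None
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            name = line.rstrip().rstrip(":")
        elif name and "Physical Address" in line:
            adapters[name] = normalize_mac(line.split(":", 1)[1])
    return adapters

def audit(ipconfig_text, reg_text):
    """Return (adapter, MAC, subkey, DriverDesc) where the MAC is a registry override."""
    found, macs = find_overrides(reg_text), physical_addresses(ipconfig_text)
    return [(n, m) + found[m] for n, m in macs.items() if m in found]

# Constructed sample input, not captured from the machine in the thread.
SAMPLE_REG = "\n".join([
    CLASS_KEY + r"\0001", "    DriverDesc    REG_SZ    Example Ethernet NIC",
    "    NetworkAddress    REG_SZ    001122334455",
    CLASS_KEY + r"\0001\Linkage", "    Export    REG_MULTI_SZ    example",
    CLASS_KEY + r"\0002", "    DriverDesc    REG_SZ    Example VPN Adapter"])
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
Ethernet adapter Hamachi:
        Physical Address. . . . . . . . . : 02-AA-BB-CC-DD-01"""
print(audit(SAMPLE_IPCONFIG, SAMPLE_REG))
```

An adapter that shows up in the result has its reported MAC coming from the registry value rather than from the card itself.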


Best answer: Hmmm, check this out, specifically:
Connects up to five total computers, four wireless.
...
Includes the Charter security suite with protection for up to five computers.

I wouldn't be surprised if they spoof your MAC address in an effort to control the number of simultaneous connections to the router they provide. Possibly disrupts DHCP negotiation once you hit a certain number of machines.

Maybe the security suite plays a role in creating this bogus address, or it's just thrown in during the initial configuration by the tech. Typically when a high-speed internet provider insists on installing their own software for whatever purpose, I let 'em do it on a single sacrificial machine only to remove it later; rarely is the software truly necessary and in most cases it's either up to no good (bordering on spyware) or just plain obnoxious.

Don't know if blowing away the bogus MAC would help, but I wouldn't be surprised if it did...or didn't :) Of course you won't blow away the reg value without backing it up first ;)
posted by lordaych at 10:36 PM on March 8, 2008


Instead of using other ISPs' public DNS, use OpenDNS's. They won't change, for one thing.
posted by DangerIsMyMiddleName at 12:18 AM on March 9, 2008


> Reset the modem - At least for Cox, IP addresses are assigned to the first MAC address the modem sees after powerup/DHCP request. If the modem was connected to Device A, and is now connected to Device B, and they have different MAC addresses, Device B won't be assigned a DHCP lease. Resetting the modem (usually) clears any provisioning of IP addresses, and the next DHCP request sent across from that modem would be honored.

Many good answers here so far. Only thing I would add is that when resetting the modem, leave it unplugged for at least 10 minutes. Sometimes it takes that long.
posted by Brian James at 12:18 PM on March 9, 2008

