Monday, October 22, 2012

Network Conflict

Sometimes I get weird connectivity issues with one of our test machines. It's like someone out there is clobbering me on the network. It turns out this is almost always because someone has hijacked my IP. I thought it was because we have so many VMware ESX images. Each one is dished out an incrementing MAC address, so if you have two ESX boxes out there, won't there be conflict?

Turns out that's not the problem. Someone has a box that gets a valid IP from the DHCP server, then they snapshot it in the running state. Then they take it offline. Much later, that IP has been dished out to my box. Then they fire up that old snapshot, and since they don't reboot, they're trying to use my IP. Then hijinks ensue.

How to find the guy that stole your IP

Power off your box and ping the IP. If it comes back you have proof that someone else is using your IP. Then run nbtstat. I've anonymized 10.4.001.01, 10.4.002.03, MACHINE_NAME1, and MACHINE_NAME2.

C:\>nbtstat -a 10.4.001.01

VMware Network Adapter VMnet8:
Node IpAddress: [192.168.48.1] Scope Id: []

    Host not found.

VMware Network Adapter VMnet1:
Node IpAddress: [192.168.71.1] Scope Id: []

    Host not found.

Local Area Connection 3:
Node IpAddress: [10.4.002.03] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MACHINE_NAME1  <00>  UNIQUE      Registered
    MACHINE_NAME2  <00>  GROUP       Registered
    MACHINE_NAME1  <20>  UNIQUE      Registered

    MAC Address = 00-0C-29-8F-2C-9E

Hopefully there is enough info in MACHINE_NAME1 and MACHINE_NAME2 for you to find out who owns those boxes. You can also try nslookup. If the IP it returns for MACHINE_NAME1 is different from the one the machine is actually using, then you know that the problem isn't at the DHCP server (which has told MACHINE_NAME1 to be 10.4.001.05).

C:\>nslookup MACHINE_NAME1
Server:  DHCP_SERVER_NAME
Address:  10.4.001.04

Non-authoritative answer:
Name:    MACHINE_NAME1
Address:  10.4.001.05
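
The same check can be scripted. The following is an added example, not code from the original post: it parses saved nbtstat -a output, pulls out the responder's name, domain/workgroup and MAC, flags a VMware-assigned MAC prefix, and compares the contested IP with the nslookup answer. The function names, the result keys and the VMWARE_OUIS set are assumptions made for this example.

```python
import re

# OUI prefixes registered to VMware (first three bytes of the MAC).
VMWARE_OUIS = {"00-0C-29", "00-50-56", "00-05-69"}

# Sample input: the post's anonymized nbtstat output, trimmed to two adapters.
SAMPLE = """\
VMware Network Adapter VMnet8:
Node IpAddress: [192.168.48.1] Scope Id: []
    Host not found.

Local Area Connection 3:
Node IpAddress: [10.4.002.03] Scope Id: []
       Name               Type         Status
    ---------------------------------------------
    MACHINE_NAME1  <00>  UNIQUE      Registered
    MACHINE_NAME2  <00>  GROUP       Registered
    MACHINE_NAME1  <20>  UNIQUE      Registered

    MAC Address = 00-0C-29-8F-2C-9E
"""

NAME_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\S+\s*$")
MAC_ROW = re.compile(r"MAC Address\s*=\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def parse_nbtstat(text):
    """Extract the responder's name, domain/workgroup and MAC from nbtstat -a output."""
    info = {"host": None, "group": None, "mac": None, "is_vmware": False}
    for line in text.splitlines():
        row = NAME_ROW.match(line)
        mac = MAC_ROW.search(line)
        if row and row.group(2) == "00":
            # <00> UNIQUE is the computer name, <00> GROUP its domain or workgroup.
            key = "host" if row.group(3) == "UNIQUE" else "group"
            info[key] = row.group(1)
        elif mac:
            info["mac"] = mac.group(1).upper()
            info["is_vmware"] = info["mac"][:8] in VMWARE_OUIS
    return info

def diagnose(text, contested_ip, dns_ip):
    """Combine nbtstat and nslookup results as the post does by hand."""
    info = parse_nbtstat(text)
    # DNS listing the host at another address means it is using an IP it no
    # longer holds (e.g. a snapshot resumed without a reboot).
    info["stale_address"] = info["host"] is not None and dns_ip != contested_ip
    return info

if __name__ == "__main__":
    print(diagnose(SAMPLE, "10.4.001.01", "10.4.001.05"))
```

Adapters that answer "Host not found." contribute nothing, so only the interface that actually reached the other machine fills in the result.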