About 50 Pending macs for one host? Beware of Windows 10 random MAC feature for WLAN!
-
@x23piracy said in About 50 Pending macs for one host?:
ipconfig /all > %hostname%_mac.txt will not destroy something, harmless
This is harmless. What it does it this
ipconfig /alllists all of the network adapters with all data. You may be able to get just the mac addresses of all network adapters if you have powershell or VB skills. I was just looking at quick and easy.
> %hostname%_mac.txtsends the output ofipconfig /allto a file titled%hostname%of the computer and_mac.txt. Then you can manually review this file for like mac addresses. Tom gave you a clue to what the troubled mac address could be. You will need to be Shurlock Holmes and find it. -
@Tom-Elliott @george1421 @Wayne-Workman i could get the desired info from most of the system i found with duplicate macs:
it3210: https://pastebin.com/NLU4uZjM
it3256: https://pastebin.com/4ek2esnT
it3286: https://pastebin.com/KnQ8PWZK
it3905: https://pastebin.com/BKREi3Fu
it4004: https://pastebin.com/v3kxZrk2
it4027: https://pastebin.com/sC01izYN
it4092: https://pastebin.com/v7p1SbZvWhat i found out so far:
00:50:56:C0:00:01 VMWare
00:50:56:C0:00:08 VMWare
02:80:37:EC:02:00 WWAN Device (H5321) Ericsson
00:11:6B:66:3C:89 still unclear (Systems are currently not connectable)Edit:
I could Check it3394 for the 00:11:6B:66:3C:89 mac but the system does not have any device with that mac associated so what should i do know? Set the both vmware macs oon the filter list and also add the wwan device?
My pending mac list ist getting fuller and fuller actually there are more then 300 pending macs from it4314, i need to get rid of this.
Regards X23
-
@x23piracy said in About 50 Pending macs for one host?:
Set the both vmware macs oon the filter list and also add the wwan device?
Correct.
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
Daily Clean Installation Results:
https://fogtesting.fogproject.us/
FOG Reporting:
https://fog-external-reporting-results.fogproject.us/ -
@Wayne-Workman i’ve done the following:
I will now delete all pending macs to see if they come back or not.
Regards X23
-
@x23piracy You can do partial filters.
Meaning you could do:
00:50:56,02:80:37so Any mac address that matches the prefix will be filtered.
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Tom-Elliott ok i’ve shortened it to the first 3 octetts like you recommended. I’ve read the hint for the setting but i thougth filtering until mac change would be better, but i did what you told me
-
@Tom-Elliott @Wayne-Workman the first pending mac is back
argh oh nooo
I cannot find this MAC Adress (d2:b1:a5:d6:12:7c) on any MAC Vendor list, this sounds to me like a virtual adapter too.
Would it be a good idea to also filter d2:b1:a5 without any research? -
@x23piracy we need to found it why it thinks it’s it4314 first.
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Tom-Elliott sorry i really would do this but i am a little bit lost with it
what should i do next? any help is appreciated. -
@x23piracy You can look in the access log and hopefully see the host that applied this mac address.
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
172.19.101.150 - - [08/Jun/2017:13:18:25 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-" 172.19.101.150 - - [08/Jun/2017:13:18:27 +0200] "GET /fog/service/usertracking.report.php?action=login&user=it4314%5Ccca&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 583 "-" "-" 172.19.101.150 - - [08/Jun/2017:13:20:37 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-" 172.19.101.150 - - [08/Jun/2017:13:23:08 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-" 172.19.101.150 - - [08/Jun/2017:13:24:19 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-" 172.19.101.150 - - [08/Jun/2017:13:26:44 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"172.19.101.150 belongs to IT4314
hrhr -
So what we know, so far, is it appears IT4314 IS registering these pending macs?
-
@Tom-Elliott after chatting with tom we decided to remove the fog client from it4314, i also removed all the pending macs again. Now lets wait what happens.
-
@Tom-Elliott Information about IT4314
ipconfig /all
Windows-IP-Konfiguration Hostname . . . . . . . . . . . . : it4314 Prim„res DNS-Suffix . . . . . . . : haan.local Knotentyp . . . . . . . . . . . . : Hybrid IP-Routing aktiviert . . . . . . : Nein WINS-Proxy aktiviert . . . . . . : Nein DNS-Suffixsuchliste . . . . . . . : haan.local carbolite.local Ethernet-Adapter Ethernet: Verbindungsspezifisches DNS-Suffix: haan.local Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I219-LM Physische Adresse . . . . . . . . : 40-B0-34-11-A6-D2 DHCP aktiviert. . . . . . . . . . : Ja Autokonfiguration aktiviert . . . : Ja Verbindungslokale IPv6-Adresse . : fe80::6844:9327:ec81:4731%11(Bevorzugt) IPv4-Adresse . . . . . . . . . . : 172.19.101.150(Bevorzugt) Subnetzmaske . . . . . . . . . . : 255.255.252.0 Lease erhalten. . . . . . . . . . : Donnerstag, 8. Juni 2017 13:20:03 Lease l„uft ab. . . . . . . . . . : Freitag, 9. Juni 2017 13:20:03 Standardgateway . . . . . . . . . : 172.19.100.1 DHCP-Server . . . . . . . . . . . : 172.19.100.9 DHCPv6-IAID . . . . . . . . . . . : 54571060 DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-20-3C-5E-9A-40-B0-34-11-A6-D2 DNS-Server . . . . . . . . . . . : 172.19.100.9 172.19.100.10 NetBIOS ber TCP/IP . . . . . . . : Aktiviert Drahtlos-LAN-Adapter LAN-Verbindung* 2: Medienstatus. . . . . . . . . . . : Medium getrennt Verbindungsspezifisches DNS-Suffix: Beschreibung. . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter Physische Adresse . . . . . . . . : F4-8C-50-49-D1-AE DHCP aktiviert. . . . . . . . . . : Ja Autokonfiguration aktiviert . . . : Ja Ethernet-Adapter Bluetooth-Netzwerkverbindung: Medienstatus. . . . . . . . . . . : Medium getrennt Verbindungsspezifisches DNS-Suffix: Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network) Physische Adresse . . . . . . . . : F4-8C-50-49-D1-B1 DHCP aktiviert. . . . . . . . . . : Ja Autokonfiguration aktiviert . . . : Ja Drahtlos-LAN-Adapter WLAN: Medienstatus. . . . . . . . . . . : Medium getrennt Verbindungsspezifisches DNS-Suffix: haan.local Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260 Physische Adresse . . . . . . . . : 72-3F-F5-26-FF-6C DHCP aktiviert. . . . . . . . . . : Ja Autokonfiguration aktiviert . . . : JaInstalled Software:
Network devices in device manager:
-
@Tom-Elliott @george1421 @Wayne-Workman It looks like the pending macs have stopped accouring since i uninstalled the fog client from the machine it4314, can someone identify something crude in installed software, ipconfig and or network nics? My post before with the Screenshots.
║▌║█║▌│║▌║▌█
-
@x23piracy This is interesting. Did you only uninstall the fog client, or did you delete the host in fog too? Also, we must remember you put those MACs in the mac filter list as well. All those things are in play still. We need to eliminate variables.
-
@x23piracy Windows 10 has this feature to “randomize” mac’s to help prevent hijacking of your ip’s. Maybe this is enabled on this machine?
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.
Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)
Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG
-
@Tom-Elliott Why on earth would they do such a thing.
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
Daily Clean Installation Results:
https://fogtesting.fogproject.us/
FOG Reporting:
https://fog-external-reporting-results.fogproject.us/ -
@Wayne-Workman “In the name of security”
-
@Tom-Elliott no since this notebook has been deployed with our image this can’t be enabled, the only option could be the user itself. I’ve never heared about this where can this be enabled/disabled?
