ghost interfaces in the sky

<s95vd0$98r$1@dont-email.me>

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: ghost interfaces in the sky
Date: Tue, 1 Jun 2021 19:47:59 +0100
 by: The Natural Philosop - Tue, 1 Jun 2021 18:47 UTC

I have a server
Its name is cymbeline

It's been rebuilt several times. Currently it's a fairly vanilla Linux
Mint MATE 20.1

When it was installed, it came up on DHCP. 192.168.0.1

I used the network manager widget to create its correct static address
192.169.0.100

I made this default.

I rebooted it.

It still came up on 192.168.0.1

I deleted the DHCP entry in the network manager and rebooted it

It now responds on 192.168.0.100
ifconfig says that's what is attached to its Ethernet card

$ ifconfig -a
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255
        inet6 fe80::7621:60d3:4849:77b prefixlen 64 scopeid 0x20<link>
        ether 00:1c:c0:f2:b2:dc txqueuelen 1000 (Ethernet)
        RX packets 40833491 bytes 22268734758 (22.2 GB)
        RX errors 0 dropped 272 overruns 0 frame 0
        TX packets 59333532 bytes 72323226135 (72.3 GB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 20 memory 0xd3400000-d3420000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 1934977 bytes 34420707697 (34.4 GB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1934977 bytes 34420707697 (34.4 GB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

But in my router is the following DHCP record:

--------------------------------------------------------------------------------
Index  IP Address   MAC Address        Leased Time  HOST ID
--------------------------------------------------------------------------------
LAN1
1      192.168.0.1  00-1C-C0-F2-B2-DC  13:14:34     cymbeline

That is of course the correct MAC address for it.

If I ping that from another machine I get

shylock$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.801 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.737 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.791 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=255 time=0.728 ms
64 bytes from 192.168.0.1: icmp_seq=5 ttl=255 time=0.727 ms
64 bytes from 192.168.0.1: icmp_seq=6 ttl=255 time=0.734 ms
64 bytes from 192.168.0.1: icmp_seq=7 ttl=255 time=0.738 ms
64 bytes from 192.168.0.1: icmp_seq=8 ttl=255 time=0.740 ms

which is a bit long....but something is responding

on its correct ip address it responds differently :
shylock$ ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.231 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.232 ms
64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.263 ms
64 bytes from 192.168.0.100: icmp_seq=4 ttl=64 time=0.368 ms
64 bytes from 192.168.0.100: icmp_seq=5 ttl=64 time=0.348 ms
64 bytes from 192.168.0.100: icmp_seq=6 ttl=64 time=0.293 ms
64 bytes from 192.168.0.100: icmp_seq=7 ttl=64 time=0.414 ms
^C

but it doesn't respond when pinged from the server itself

cymbeline:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
From 192.168.0.100 icmp_seq=1 Destination Host Unreachable
From 192.168.0.100 icmp_seq=2 Destination Host Unreachable
From 192.168.0.100 icmp_seq=3 Destination Host Unreachable
^C

cymbeline:~$ uptime
19:32:56 up 11 days, 57 min, 3 users, load average: 0.82, 0.61, 0.64

shylock$ arp -a
mipifi (192.168.0.200) at b8:27:eb:a6:48:7b [ether] on eth0
? (192.168.0.3) at 90:48:9a:e1:be:65 [ether] on eth0
? (192.168.0.248) at <incomplete> on eth0
? (192.168.0.1) at 00:1c:c0:f2:b2:dc [ether] on eth0
? (192.168.0.254) at 00:1d:aa:79:78:40 [ether] on eth0
? (192.168.0.102) at 3c:a8:2a:f6:3a:c8 [ether] on eth0
cymbeline (192.168.0.100) at 00:1c:c0:f2:b2:dc [ether] on eth0
shaman (192.168.0.105) at <incomplete> on eth0
? (192.168.0.2) at 1c:5a:3e:7e:37:1f [ether] on eth0

If I delete the arp entry for 192.168.0.1 it still reappears when I ping
that IP address

But the server arp cache is littered with machines on addresses that
have never been issued...

cymbeline:~$ arp -a
? (192.168.0.11) at <incomplete> on enp0s25
? (192.168.0.39) at <incomplete> on enp0s25
? (192.168.0.17) at <incomplete> on enp0s25
? (192.168.0.77) at <incomplete> on enp0s25
? (192.168.0.52) at <incomplete> on enp0s25
? (192.168.0.3) at 90:48:9a:e1:be:65 [ether] on enp0s25
? (192.168.0.200) at b8:27:eb:a6:48:7b [ether] on enp0s25
? (192.168.0.2) at 1c:5a:3e:7e:37:1f [ether] on enp0s25
? (192.168.0.93) at <incomplete> on enp0s25
? (192.168.0.19) at <incomplete> on enp0s25
? (192.168.0.195) at <incomplete> on enp0s25
? (192.168.0.18) at <incomplete> on enp0s25
? (192.168.0.5) at 08:62:66:4a:85:d8 [ether] on enp0s25
? (192.168.0.175) at <incomplete> on enp0s25
? (192.168.0.12) at <incomplete> on enp0s25
? (192.168.0.35) at <incomplete> on enp0s25
_gateway (192.168.0.254) at 00:1d:aa:79:78:40 [ether] on enp0s25
? (192.168.0.15) at <incomplete> on enp0s25
? (192.168.0.21) at <incomplete> on enp0s25
? (192.168.0.28) at <incomplete> on enp0s25
? (192.168.0.14) at <incomplete> on enp0s25
? (192.168.0.111) at <incomplete> on enp0s25
? (192.168.0.155) at <incomplete> on enp0s25
? (192.168.0.45) at <incomplete> on enp0s25
? (192.168.0.6) at 5c:51:81:bb:c2:85 [ether] on enp0s25
? (192.168.0.103) at <incomplete> on enp0s25
? (192.168.0.30) at <incomplete> on enp0s25
? (192.168.0.1) at <incomplete> on enp0s25
? (192.168.0.74) at <incomplete> on enp0s25
? (192.168.0.8) at 00:09:df:b7:8e:b9 [ether] on enp0s25
? (192.168.0.119) at <incomplete> on enp0s25

None of the <incomplete> entries here are valid, or should ever have
been used by anything.

What is on the network is as follows:

Shylock desktop DHCP 192.168.0.5 08-62-66-4A-85-D8
Titania wifi connected laptop DHCP 192.168.0.3 90-48-9A-E1-BE-65
Malvolio Android phone via wifi 192.168.0.6 5C-51-81-BB-C2-85
Probably Samsung TV 192.168.0.2 1C-5A-3E-7E-37-1F
Panasonic TV 192.168.0.8 00-09-DF-B7-8E-B9
Raspberry Pi Zero W 192.168.0.200 b8:27:eb:a6:48:7b
Main broadband router/DHCP server 192.168.0.254 00:1d:aa:79:78:40
Netgear POS used as wifi bridge 192.168.0.253 30:46:9a:a2:89:f6
Another wifi access point on 192.168.0.252 74:4d:28:4a:21:82
HP printer on 192.168.0.102 3c:a8:2a:f6:3a:c8

What is happening?

The router is set to clear disused DHCP allocations periodically,
although it seems to take a long old time

In short I seem to be able to ping this IP address from every machine on
the network EXCEPT the server that carries its mac address!

--
How fortunate for governments that the people they administer don't think.

Adolf Hitler
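
Added example (not part of the original thread): the symptom described in the post above, one MAC address listed against two IPv4 addresses whose ping replies carry different TTLs, can be checked with a short POSIX shell script. The function names are made up for this example, the sample input is copied from the shylock outputs quoted in the post, and only IPv4 lines in the Linux `arp -a` and `ping` formats are handled.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Flags a MAC address that answers for more than one IPv4 address and
# compares the TTL of the ping replies coming from each of those addresses.

# Sample input copied from the shylock outputs quoted in the post (shortened).
SAMPLE_ARP='mipifi (192.168.0.200) at b8:27:eb:a6:48:7b [ether] on eth0
? (192.168.0.3) at 90:48:9a:e1:be:65 [ether] on eth0
? (192.168.0.248) at <incomplete> on eth0
? (192.168.0.1) at 00:1c:c0:f2:b2:dc [ether] on eth0
? (192.168.0.254) at 00:1d:aa:79:78:40 [ether] on eth0
cymbeline (192.168.0.100) at 00:1c:c0:f2:b2:dc [ether] on eth0'

SAMPLE_PING='64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.801 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.737 ms
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.231 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.232 ms'

# shared_macs: read `arp -a` lines on stdin and print "mac ip1,ip2,..." for
# every MAC bound to more than one IP. <incomplete> entries are skipped.
shared_macs() {
    awk '
        $3 == "at" && split($4, part, ":") == 6 && $4 !~ /[^0-9A-Fa-f:]/ {
            ip = $2
            gsub(/[()]/, "", ip)
            mac = tolower($4)
            if (!(mac in ips)) {
                order[++n] = mac; ips[mac] = ip; count[mac] = 1
            } else if (index("," ips[mac] ",", "," ip ",") == 0) {
                ips[mac] = ips[mac] "," ip; count[mac]++
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i], ips[order[i]]
        }'
}

# reply_ttls: read ping output on stdin and print each distinct
# "source-ip ttl" pair once.
reply_ttls() {
    awk '
        /bytes from/ {
            ip = ""; ttl = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") {
                    ip = $(i + 1)
                    # "from host (1.2.3.4):" form: the address is the next field
                    if ($(i + 2) ~ /^\(/) ip = $(i + 2)
                    gsub(/[():]/, "", ip)
                }
                if ($i ~ /^ttl=/) ttl = substr($i, 5)
            }
            if (ip != "" && ttl != "" && !seen[ip " " ttl]++) print ip, ttl
        }'
}

# ghost_report ARP_TEXT PING_TEXT: one line per shared MAC, in the form
#   mac verdict ip/ttl=N ip/ttl=N ...
# verdict is ttl-differs, same-ttl, or ttl-unknown (fewer than two TTLs seen).
ghost_report() {
    ttls=$(printf '%s\n' "$2" | reply_ttls)
    printf '%s\n' "$1" | shared_macs | while read -r mac iplist; do
        verdict="ttl-unknown"; first=""; detail=""
        for ip in $(printf '%s' "$iplist" | tr ',' ' '); do
            ttl=$(printf '%s\n' "$ttls" |
                  awk -v ip="$ip" '$1 == ip { print $2; exit }')
            if [ -z "$ttl" ]; then
                ttl="?"
            elif [ -z "$first" ]; then
                first=$ttl
            elif [ "$ttl" != "$first" ]; then
                verdict="ttl-differs"
            elif [ "$verdict" = "ttl-unknown" ]; then
                verdict="same-ttl"
            fi
            detail="$detail $ip/ttl=$ttl"
        done
        printf '%s %s%s\n' "$mac" "$verdict" "$detail"
    done
}

ghost_report "$SAMPLE_ARP" "$SAMPLE_PING"
```

On a live network the same function takes real output, for example `ghost_report "$(arp -a)" "$(ping -c 2 192.168.0.1; ping -c 2 192.168.0.100)"`. A `ttl-differs` verdict on a shared MAC suggests that two different IP stacks are answering behind the same network card.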

Re: ghost interfaces in the sky

<sm0mts8ok2r.fsf@lakka.kapsi.fi>

From: as...@sci.fi (Anssi Saari)
Newsgroups: comp.os.linux.misc
Subject: Re: ghost interfaces in the sky
Date: Wed, 02 Jun 2021 09:29:48 +0300
 by: Anssi Saari - Wed, 2 Jun 2021 06:29 UTC

The Natural Philosopher <tnp@invalid.invalid> writes:

> $ ifconfig -a
> enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255
> inet6 fe80::7621:60d3:4849:77b prefixlen 64 scopeid 0x20<link>
> ether 00:1c:c0:f2:b2:dc txqueuelen 1000 (Ethernet)
> RX packets 40833491 bytes 22268734758 (22.2 GB)
> RX errors 0 dropped 272 overruns 0 frame 0
> TX packets 59333532 bytes 72323226135 (72.3 GB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> device interrupt 20 memory 0xd3400000-d3420000

Is it possible this interface has two IP addresses? ifconfig can't show
that but ip addr would.

Re: ghost interfaces in the sky

<s97fe5$qvq$1@dont-email.me>

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: ghost interfaces in the sky
Date: Wed, 2 Jun 2021 09:27:49 +0100
 by: The Natural Philosop - Wed, 2 Jun 2021 08:27 UTC

On 02/06/2021 07:29, Anssi Saari wrote:
> The Natural Philosopher <tnp@invalid.invalid> writes:
>
>> $ ifconfig -a
>> enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255
>> inet6 fe80::7621:60d3:4849:77b prefixlen 64 scopeid 0x20<link>
>> ether 00:1c:c0:f2:b2:dc txqueuelen 1000 (Ethernet)
>> RX packets 40833491 bytes 22268734758 (22.2 GB)
>> RX errors 0 dropped 272 overruns 0 frame 0
>> TX packets 59333532 bytes 72323226135 (72.3 GB)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>> device interrupt 20 memory 0xd3400000-d3420000
>
> Is it possible this interface has two IP addresses? ifconfig can't show
> that but ip addr would.
>

Actually I think ifconfig would but no, ip address just shows the one

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:1c:c0:f2:b2:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute enp0s25
       valid_lft forever preferred_lft forever
    inet6 fe80::7621:60d3:4849:77b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

--
"What do you think about Gay Marriage?"
"I don't."
"Don't what?"
"Think about Gay Marriage."

Re: ghost interfaces in the sky

<60b76b31$0$3723$426a74cc@news.free.fr>

Subject: Re: ghost interfaces in the sky
Newsgroups: comp.os.linux.misc
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Wed, 2 Jun 2021 13:27:44 +0200
 by: Pascal Hambourg - Wed, 2 Jun 2021 11:27 UTC

On 01/06/2021 at 20:47, The Natural Philosopher wrote:
> I have a server
> Its name is cymbeline

Physical or virtual machine ?

> If I ping that from another machine I get
>
> shylock$ ping 192.168.0.1
> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.801 ms
> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.737 ms
(...)
> which is a bit long....but something is responding
>
> on its correct ip address it responds differently :
> shylock$ ping 192.168.0.100
> PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
> 64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.231 ms
> 64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.232 ms

The different times suggest different hosts, maybe different link types
(ethernet vs wireless).

Did you try to unplug the server and see if something still responds at
192.168.0.1 ?

Re: ghost interfaces in the sky

<s97tvd$t97$1@dont-email.me>

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: ghost interfaces in the sky
Date: Wed, 2 Jun 2021 13:35:56 +0100
 by: The Natural Philosop - Wed, 2 Jun 2021 12:35 UTC

On 02/06/2021 12:27, Pascal Hambourg wrote:
> On 01/06/2021 at 20:47, The Natural Philosopher wrote:
>> I have a server
>> Its name is cymbeline
>
> Physical or virtual machine ?

Oh. Physical, Pascal

>
>> If I ping that from another machine I get
>>
>> shylock$ ping 192.168.0.1
>> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
>> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.801 ms
>> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.737 ms
> (...)
>> which is a bit long....but something is responding
>>
>> on its correct ip address it responds differently :
>> shylock$ ping 192.168.0.100
>> PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
>> 64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.231 ms
>> 64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.232 ms
>
> The different times suggest different hosts, maybe different link types
> (ethernet vs wireless).
>
> Did you try to unplug the server and see if something still responds at
> 192.168.0.1 ?

Ah. The only simple thing I didn't try. The ethernet MAC address however
matches that server
....

64 bytes from 192.168.0.1: icmp_seq=73 ttl=255 time=0.735 ms
64 bytes from 192.168.0.1: icmp_seq=74 ttl=255 time=0.729 ms
64 bytes from 192.168.0.1: icmp_seq=75 ttl=255 time=0.725 ms
64 bytes from 192.168.0.1: icmp_seq=76 ttl=255 time=0.775 ms

unplug...
replug...

64 bytes from 192.168.0.1: icmp_seq=121 ttl=255 time=3.00 ms
64 bytes from 192.168.0.1: icmp_seq=122 ttl=255 time=0.765 ms
64 bytes from 192.168.0.1: icmp_seq=123 ttl=255 time=0.789 ms

Nope something on that server underneath the hood is responding to pings
on an IP address it doesn't recognise itself...

neither does netstat show any services attached to that ip address

All it appears to do is to respond to pings from other machines and
exist in the router DHCP and other machines' arp tables

--
In a Time of Universal Deceit, Telling the Truth Is a Revolutionary Act.

- George Orwell

Re: ghost interfaces in the sky

<prSdne_tgde0GCr9nZ2dnUU7-Q_NnZ2d@giganews.com>

From: hel...@deepsoft.com (Robert Heller)
Subject: Re: ghost interfaces in the sky
Newsgroups: comp.os.linux.misc
Date: Wed, 02 Jun 2021 08:18:33 -0500
 by: Robert Heller - Wed, 2 Jun 2021 13:18 UTC

At Wed, 2 Jun 2021 13:35:56 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:

>
> On 02/06/2021 12:27, Pascal Hambourg wrote:
> > On 01/06/2021 at 20:47, The Natural Philosopher wrote:
> >> I have a server
> >> Its name is cymbeline
> >
> > Physical or virtual machine ?
>
> Oh. Physical, Pascal
>
> >
> >> If I ping that from another machine I get
> >>
> >> shylock$ ping 192.168.0.1
> >> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
> >> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.801 ms
> >> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.737 ms
> > (...)
> >> which is a bit long....but something is responding
> >>
> >> on its correct ip address it responds differently :
> >> shylock$ ping 192.168.0.100
> >> PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
> >> 64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.231 ms
> >> 64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.232 ms
> >
> > The different times suggest different hosts, maybe different link types
> > (ethernet vs wireless).
> >
> > Did you try to unplug the server and see if something still responds at
> > 192.168.0.1 ?
>
> Ah. The only simple thing I didn't try. The ethernet MAC address however
> matches that server
> ...
>
> 64 bytes from 192.168.0.1: icmp_seq=73 ttl=255 time=0.735 ms
> 64 bytes from 192.168.0.1: icmp_seq=74 ttl=255 time=0.729 ms
> 64 bytes from 192.168.0.1: icmp_seq=75 ttl=255 time=0.725 ms
> 64 bytes from 192.168.0.1: icmp_seq=76 ttl=255 time=0.775 ms
>
> unplug...
> replug...
>
> 64 bytes from 192.168.0.1: icmp_seq=121 ttl=255 time=3.00 ms
> 64 bytes from 192.168.0.1: icmp_seq=122 ttl=255 time=0.765 ms
> 64 bytes from 192.168.0.1: icmp_seq=123 ttl=255 time=0.789 ms
>
> Nope something on that server underneath the hood is responding to pings
> on an IP address it doesn't recognise itself...
>
> neither does netstat show any services attached to that ip address
>
> All it appears to do is to respond to pings from other machines and
> exist in the router DHCP and other machines arp tables
>

Restart the router.

--
Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services

Re: ghost interfaces in the sky

<s981vr$os8$1@dont-email.me>

From: tnp...@invalid.invalid (The Natural Philosopher)
Newsgroups: comp.os.linux.misc
Subject: Re: ghost interfaces in the sky
Date: Wed, 2 Jun 2021 14:44:26 +0100
 by: The Natural Philosop - Wed, 2 Jun 2021 13:44 UTC

On 02/06/2021 14:18, Robert Heller wrote:
> At Wed, 2 Jun 2021 13:35:56 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:
>
>>
>> On 02/06/2021 12:27, Pascal Hambourg wrote:
>>> On 01/06/2021 at 20:47, The Natural Philosopher wrote:
>>>> I have a server
>>>> Its name is cymbeline
>>>
>>> Physical or virtual machine ?
>>
>> Oh. Physical, Pascal
>>
>>>
>>>> If I ping that from another machine I get
>>>>
>>>> shylock$ ping 192.168.0.1
>>>> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
>>>> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.801 ms
>>>> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.737 ms
>>> (...)
>>>> which is a bit long....but something is responding
>>>>
>>>> on its correct ip address it responds differently :
>>>> shylock$ ping 192.168.0.100
>>>> PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
>>>> 64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.231 ms
>>>> 64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.232 ms
>>>
>>> The different times suggest different hosts, maybe different link types
>>> (ethernet vs wireless).
>>>
>>> Did you try to unplug the server and see if something still responds at
>>> 192.168.0.1 ?
>>
>> Ah. The only simple thing I didn't try. The ethernet MAC address however
>> matches that server
>> ...
>>
>> 64 bytes from 192.168.0.1: icmp_seq=73 ttl=255 time=0.735 ms
>> 64 bytes from 192.168.0.1: icmp_seq=74 ttl=255 time=0.729 ms
>> 64 bytes from 192.168.0.1: icmp_seq=75 ttl=255 time=0.725 ms
>> 64 bytes from 192.168.0.1: icmp_seq=76 ttl=255 time=0.775 ms
>>
>> unplug...
>> replug...
>>
>> 64 bytes from 192.168.0.1: icmp_seq=121 ttl=255 time=3.00 ms
>> 64 bytes from 192.168.0.1: icmp_seq=122 ttl=255 time=0.765 ms
>> 64 bytes from 192.168.0.1: icmp_seq=123 ttl=255 time=0.789 ms
>>
>> Nope something on that server underneath the hood is responding to pings
>> on an IP address it doesn't recognise itself...
>>
>> neither does netstat show any services attached to that ip address
>>
>> All it appears to do is to respond to pings from other machines and
>> exist in the router DHCP and other machines arp tables
>>
>
> Restart the router.
>
.....
....
cleared the dhcp table but server still responds to pings on ghost
interface....

--
A lie can travel halfway around the world while the truth is putting on
its shoes.

Re: ghost interfaces in the sky

<ipqdnbc8XuGNOir9nZ2dnUU7-N3NnZ2d@giganews.com>

From: hel...@deepsoft.com (Robert Heller)
Subject: Re: ghost interfaces in the sky
Newsgroups: comp.os.linux.misc
Date: Wed, 02 Jun 2021 10:43:12 -0500
 by: Robert Heller - Wed, 2 Jun 2021 15:43 UTC

At Wed, 2 Jun 2021 14:44:26 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:

>
> On 02/06/2021 14:18, Robert Heller wrote:
> > At Wed, 2 Jun 2021 13:35:56 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:
> >
> >>
> >> On 02/06/2021 12:27, Pascal Hambourg wrote:
> >>> On 01/06/2021 at 20:47, The Natural Philosopher wrote:
> >>>> I have a server
> >>>> Its name is cymbeline
> >>>
> >>> Physical or virtual machine ?
> >>
> >> Oh. Physical, Pascal
> >>
> >>>
> >>>> If I ping that from another machine I get
> >>>>
> >>>> shylock$ ping 192.168.0.1
> >>>> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
> >>>> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.801 ms
> >>>> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.737 ms
> >>> (...)
> >>>> which is a bit long....but something is responding
> >>>>
> >>>> on its correct ip address it responds differently :
> >>>> shylock$ ping 192.168.0.100
> >>>> PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
> >>>> 64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.231 ms
> >>>> 64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.232 ms
> >>>
> >>> The different times suggest different hosts, maybe different link types
> >>> (ethernet vs wireless).
> >>>
> >>> Did you try to unplug the server and see if something still responds at
> >>> 192.168.0.1 ?
> >>
> >> Ah. The only simple thing I didn't try. The ethernet MAC address however
> >> matches that server
> >> ...
> >>
> >> 64 bytes from 192.168.0.1: icmp_seq=73 ttl=255 time=0.735 ms
> >> 64 bytes from 192.168.0.1: icmp_seq=74 ttl=255 time=0.729 ms
> >> 64 bytes from 192.168.0.1: icmp_seq=75 ttl=255 time=0.725 ms
> >> 64 bytes from 192.168.0.1: icmp_seq=76 ttl=255 time=0.775 ms
> >>
> >> unplug...
> >> replug...
> >>
> >> 64 bytes from 192.168.0.1: icmp_seq=121 ttl=255 time=3.00 ms
> >> 64 bytes from 192.168.0.1: icmp_seq=122 ttl=255 time=0.765 ms
> >> 64 bytes from 192.168.0.1: icmp_seq=123 ttl=255 time=0.789 ms
> >>
> >> Nope something on that server underneath the hood is responding to pings
> >> on an IP address it doesn't recognise itself...
> >>
> >> neither does netstat show any services attached to that ip address
> >>
> >> All it appears to do is to respond to pings from other machines and
> >> exist in the router DHCP and other machines arp tables
> >>
> >
> > Restart the router.
> >
> ....
> ...
> cleared the dhcp table but server still responds to pings on ghost
> interface....

Can you ssh into the ghost interface? Does that identify what machine it is?

>
>
>

--
Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services

Re: ghost interfaces in the sky

<60b7c3f7$0$3711$426a74cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=5157&group=comp.os.linux.misc#5157

 by: Pascal Hambourg - Wed, 2 Jun 2021 17:46 UTC

On 02/06/2021 at 14:35, The Natural Philosopher wrote:
> On 02/06/2021 12:27, Pascal Hambourg wrote:
>>
>> Did you try to unplug the server and see if something still responds
>> at 192.168.0.1 ?
>
> Ah. The only simple thing I didn't try. The ethernet MAC address however
> matches that server
> ...
>
> 64 bytes from 192.168.0.1: icmp_seq=73 ttl=255 time=0.735 ms
> 64 bytes from 192.168.0.1: icmp_seq=74 ttl=255 time=0.729 ms
> 64 bytes from 192.168.0.1: icmp_seq=75 ttl=255 time=0.725 ms
> 64 bytes from 192.168.0.1: icmp_seq=76 ttl=255 time=0.775 ms
>
> unplug...
> replug...
>
> 64 bytes from 192.168.0.1: icmp_seq=121 ttl=255 time=3.00 ms
> 64 bytes from 192.168.0.1: icmp_seq=122 ttl=255 time=0.765 ms
> 64 bytes from 192.168.0.1: icmp_seq=123 ttl=255 time=0.789 ms

So it is probably in the server.
Causes I can think of :
- iptables DNAT , but that would not explain the ARP
- an entry in the local routing table (ip route ls table local), but
ping from the server would work
- Management Engine, Active Management Technology or the like
- some kind of virtual machine
- some kind of rootkit

Tests I can think of :
Run a packet capture on the ethernet interface and see if this traffic
is visible.
Bring the ethernet interface down and see if it still responds.
Stop the operating system without power off (or reboot and stop in the
boot loader) and see if it still responds.

Re: ghost interfaces in the sky

<s99mes$8na$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5158&group=comp.os.linux.misc#5158

 by: The Natural Philosop - Thu, 3 Jun 2021 04:39 UTC

On 02/06/2021 16:43, Robert Heller wrote:
> At Wed, 2 Jun 2021 14:44:26 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:
>
>>
>> On 02/06/2021 14:18, Robert Heller wrote:
>>> At Wed, 2 Jun 2021 13:35:56 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>
>>>>
>>>> On 02/06/2021 12:27, Pascal Hambourg wrote:
>>>>> On 01/06/2021 at 20:47, The Natural Philosopher wrote:
>>>>>> I have a server
>>>>>> Its name is cymbeline
>>>>>
>>>>> Physical or virtual machine ?
>>>>
>>>> Oh. Physical, Pascal
>>>>
>>>>>
>>>>>> If I ping that from another machine I get
>>>>>>
>>>>>> shylock$ ping 192.168.0.1
>>>>>> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
>>>>>> 64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.801 ms
>>>>>> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.737 ms
>>>>> (...)
>>>>>> which is a bit long....but something is responding
>>>>>>
>>>>>> on its correct ip address it responds differently :
>>>>>> shylock$ ping 192.168.0.100
>>>>>> PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
>>>>>> 64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.231 ms
>>>>>> 64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.232 ms
>>>>>
>>>>> The different times suggest different hosts, maybe different link types
>>>>> (ethernet vs wireless).
>>>>>
>>>>> Did you try to unplug the server and see if something still responds at
>>>>> 192.168.0.1 ?
>>>>
>>>> Ah. The only simple thing I didn't try. The ethernet MAC address however
>>>> matches that server
>>>> ...
>>>>
>>>> 64 bytes from 192.168.0.1: icmp_seq=73 ttl=255 time=0.735 ms
>>>> 64 bytes from 192.168.0.1: icmp_seq=74 ttl=255 time=0.729 ms
>>>> 64 bytes from 192.168.0.1: icmp_seq=75 ttl=255 time=0.725 ms
>>>> 64 bytes from 192.168.0.1: icmp_seq=76 ttl=255 time=0.775 ms
>>>>
>>>> unplug...
>>>> replug...
>>>>
>>>> 64 bytes from 192.168.0.1: icmp_seq=121 ttl=255 time=3.00 ms
>>>> 64 bytes from 192.168.0.1: icmp_seq=122 ttl=255 time=0.765 ms
>>>> 64 bytes from 192.168.0.1: icmp_seq=123 ttl=255 time=0.789 ms
>>>>
>>>> Nope something on that server underneath the hood is responding to pings
>>>> on an IP address it doesn't recognise itself...
>>>>
>>>> neither does netstat show any services attached to that ip address
>>>>
>>>> All it appears to do is to respond to pings from other machines and
>>>> exist in the router DHCP and other machines arp tables
>>>>
>>>
>>> Restart the router.
>>>
>> ....
>> ...
>> cleared the dhcp table but server still responds to pings on ghost
>> interface....
>
> Can you ssh into the ghost interface? Does that identify what machine it is?
>
nope.
no services seem to run on it.
It responds to ICMP echoes originating from *other machines*, but not
itself.
It appears in arp tables on other machines
It appears in the router DHCP table - it has in fact reappeared since
yesterday's router reboot.
Its MAC address in those tables is the same MAC address as the server.

But that is it

Probably all about systemd :-)

>>
>>
>>
>

--
Climate Change: Socialism wearing a lab coat.

Re: ghost interfaces in the sky

<s99nvt$fs0$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5159&group=comp.os.linux.misc#5159

 by: The Natural Philosop - Thu, 3 Jun 2021 05:06 UTC

On 02/06/2021 18:46, Pascal Hambourg wrote:
> On 02/06/2021 at 14:35, The Natural Philosopher wrote:
>> On 02/06/2021 12:27, Pascal Hambourg wrote:
>>>
>>> Did you try to unplug the server and see if something still responds
>>> at 192.168.0.1 ?
>>
>> Ah. The only simple thing I didn't try. The ethernet MAC address
>> however matches that server
>> ...
>>
>> 64 bytes from 192.168.0.1: icmp_seq=73 ttl=255 time=0.735 ms
>> 64 bytes from 192.168.0.1: icmp_seq=74 ttl=255 time=0.729 ms
>> 64 bytes from 192.168.0.1: icmp_seq=75 ttl=255 time=0.725 ms
>> 64 bytes from 192.168.0.1: icmp_seq=76 ttl=255 time=0.775 ms
>>
>> unplug...
>> replug...
>>
>> 64 bytes from 192.168.0.1: icmp_seq=121 ttl=255 time=3.00 ms
>> 64 bytes from 192.168.0.1: icmp_seq=122 ttl=255 time=0.765 ms
>> 64 bytes from 192.168.0.1: icmp_seq=123 ttl=255 time=0.789 ms
>
> So it is probably in the server.
I think so

> Causes I can think of :
> - iptables DNAT , but that would not explain the ARP
iptables not configured - This is a fairly new installation - weeks
only as the upgrade failed. ISTR this issue existed before the upgrade,
and in fact has existed for years. Filed under 'weird. but works so...'
> - an entry in the local routing table (ip route ls table local), but
> ping from the server would work
$ ip route
default via 192.168.0.254 dev enp0s25 proto static metric 100
169.254.0.0/16 dev enp0s25 scope link metric 1000
192.168.0.0/24 dev enp0s25 proto kernel scope link src 192.168.0.100
metric 100

> - Management Engine, Active Management Technology or the like

no ideas what those are....

> - some kind of virtual machine

certainly I haven't installed such.
Only custom 'server' code is tvheadend and minidlna...it's a media server
as well....

> - some kind of rootkit

That is faintly possible, but it's fairly well protected. There is a
public https exposed to the internet. Of course it's running the most
nasty rootkit of them all - systemd...:-)

>
> Tests I can think of :
> Run a packet capture on the ethernet interface and see if this traffic
> is visible.

what's the command for that? That was my next thought too but it's so
long since I have done that I have actually forgotten.

> Bring the ethernet interface down and see if it still responds.

likewise can't remember

> Stop the operating system without power off (or reboot and stop in the
> boot loader) and see if it still responds.

that's a bit too brutal - don't like rebooting that - it requires a lot
of other kit to be taken down for safety's sake

No. I think that there is something else going on like a bug in the dhcp
client or possibly systemd that half brings up the interface, on boot,
but doesn't complete the job.

I didn't show the contents of the nm config files but this is the one...

more /etc/NetworkManager/system-connections/Wired connection 1.nmconnection

[connection]
id=Fixed IP
uuid=e7219850-4e33-370e-8fdb-cff8f65326e1
type=ethernet
autoconnect-priority=-999
interface-name=enp0s25
permissions=
timestamp=1619516963

[ethernet]
mac-address-blacklist=

[ipv4]
address1=192.168.0.100/24,192.168.0.254
dns=127.0.0.1;212.69.36.23;
dns-search=
may-fail=false
method=manual

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

[proxy]

--
“But what a weak barrier is truth when it stands in the way of an
hypothesis!”

Mary Wollstonecraft

Re: ghost interfaces in the sky

<60b881a5$0$6189$426a74cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=5160&group=comp.os.linux.misc#5160

 by: Pascal Hambourg - Thu, 3 Jun 2021 07:15 UTC

On 03/06/2021 at 07:06, The Natural Philosopher wrote:
> On 02/06/2021 18:46, Pascal Hambourg wrote:
>> - an entry in the local routing table (ip route ls table local), but
>> ping from the server would work
> $ ip route

"ip route" alone only shows the main routing table, which contains only
remote destinations. Use the command I provided to show the local
routing table.

>> - Management Engine, Active Management Technology or the like
>
> no ideas what those are....

A management system embedded in the hardware. Wikipedia is your friend.

I also thought about network namespaces (which I know very little about)
but it seems that a network interface cannot be shared between namespaces.

>> Tests I can think of :
>> Run a packet capture on the ethernet interface and see if this traffic
>> is visible.
>
> what's the command for that? That was my next thought too but it's so
> long since I have done that I have actually forgotten.

For example with tcpdump :
# tcpdump -nei enp0s25 arp or ip and host 192.168.0.1

>> Bring the ethernet interface down and see if it still responds.
>
> likewise can't remember

# ip link set enp0s25 down

Not sure how NetworkManager will react though. Maybe it is better to
stop the interface with nmcli or the GUI but I don't know how to do this.

Re: ghost interfaces in the sky

<s9a2sj$9uk$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5161&group=comp.os.linux.misc#5161

 by: The Natural Philosop - Thu, 3 Jun 2021 08:12 UTC

On 02/06/2021 18:46, Pascal Hambourg wrote:
> Tests I can think of :
> Run a packet capture on the ethernet interface and see if this traffic
> is visible.
Well, Pascal, this gets weirder.

It's seeing the traffic to 192.168.0.1:any = which is reasonable since
the traffic has its MAC address as corresponding so the ethernet switch
will route it there - but it's not responding!

So WTF is?

It's as if there is a virtual interface with another name than
enp0s25...that tcpdump ain't seeing...

I've tried rebooting the 100Mbps switch. No difference

# tcpdump -vv --interface=any icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1),
capture size 262144 bytes
06:49:30.029548 IP (tos 0x0, ttl 64, id 62895, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > 192.168.0.1: ICMP echo request, id 14398, seq 1,
length 64
06:49:31.029909 IP (tos 0x0, ttl 64, id 63048, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > 192.168.0.1: ICMP echo request, id 14398, seq 2,
length 64
06:49:32.029955 IP (tos 0x0, ttl 64, id 63197, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > 192.168.0.1: ICMP echo request, id 14398, seq 3,
length 64
06:49:33.030085 IP (tos 0x0, ttl 64, id 63361, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > 192.168.0.1: ICMP echo request, id 14398, seq 4,
length 64
06:49:51.088078 IP (tos 0x0, ttl 64, id 14931, offset 0, flags [DF],
proto ICMP (1), length 84)

then (correct address)

192.168.0.5 > cymbeline: ICMP echo request, id 14399, seq 1, length 64
06:49:51.088115 IP (tos 0x0, ttl 64, id 22498, offset 0, flags [none],
proto ICMP (1), length 84)
cymbeline > 192.168.0.5: ICMP echo reply, id 14399, seq 1, length 64
06:49:52.087261 IP (tos 0x0, ttl 64, id 15047, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > cymbeline: ICMP echo request, id 14399, seq 2, length 64
06:49:52.087304 IP (tos 0x0, ttl 64, id 22535, offset 0, flags [none],
proto ICMP (1), length 84)
cymbeline > 192.168.0.5: ICMP echo reply, id 14399, seq 2, length 64
06:49:53.086128 IP (tos 0x0, ttl 64, id 15069, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > cymbeline: ICMP echo request, id 14399, seq 3, length 64
06:49:53.086171 IP (tos 0x0, ttl 64, id 22598, offset 0, flags [none],
proto ICMP (1), length 84)
cymbeline > 192.168.0.5: ICMP echo reply, id 14399, seq 3, length 64

And yet something is responding...

xxx@shylock ~/Desktop $ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.730 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.777 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.823 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=255 time=0.743 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.730/0.768/0.823/0.040 ms
xxx@shylock ~/Desktop $ ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.260 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.417 ms
64 bytes from 192.168.0.100: icmp_seq=3 ttl=64 time=0.283 ms
^C
--- 192.168.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.260/0.320/0.417/0.069 ms

The odd thing is that the *correct* IP response is ~half the delay...
and the TTL is set differently on the 'ghost'

only the router and the printer normally set 255 ttls - everything else
seems to be 64..

network is 100MBps switched by and large plus wifi on laptop, Pi zero W
and android phone.

later:

I had to reboot the server after a kernel upgrade.

During the reboot 192.168.0.1 *was still responding*. even when the
'correct' interface was not. I wasn't quick enough to catch it pre boot
sequence starting tho

The only way to stop it is to physically unplug the server Ethernet.

Weirder still the server has come up OK on the right address except it
says that 'network manager is disabled'

So to summarise.

1/. It seems the ghost interface is tightly linked to the server's
ethernet. Has the same MAC address. Disappears if ethernet to that
machine is unplugged
2/. However it responds to pings with a different TTL than the normal
interface.
3/. It periodically seems to request DHCP updates.
4/. Apart from responding to arp and ICMP requests and DHCP responses it
seems to have no services attached at all.
5/. It seems to exist before the main interface (enp0s25) is up
6/. It seems to want DHCP quite often. After I rebooted the server I
switched the router off, then on. It is now the only thing IN the DHCP
table.
7/. nmap reveals no open tcp or udp ports (below 1000)
8/. I am beginning to see the idiot Poettering grinning at me. The only
daemon running, now network manager is not, is
/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers

From what I can glean files in there still want to use DHCP, but it's an
almost undocumented configuration mess worthy of a bureaucrat.
I am thinking that systemd is creating this interface before whatever it
is that DOES create the correct one, creates THAT

anyone know their way round systemd conf files for networking?

--
“Puritanism: The haunting fear that someone, somewhere, may be happy.”

H.L. Mencken, A Mencken Chrestomathy
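
The comparison made in the post above (echo requests for 192.168.0.1 arrive at the server, no reply leaves its network stack, yet the remote ping is answered), as an added example that is not part of the original post. The function names, the alias map and the sample text are assumptions; the samples are constructed on the model of the output quoted in the post.

```python
import re
from collections import defaultdict

# Constructed samples, modelled on the tcpdump and ping output quoted in the post.
SERVER_CAPTURE = """\
06:49:30.029548 IP (tos 0x0, ttl 64, id 62895, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > 192.168.0.1: ICMP echo request, id 14398, seq 1,
length 64
06:49:31.029909 IP (tos 0x0, ttl 64, id 63048, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > 192.168.0.1: ICMP echo request, id 14398, seq 2,
length 64
06:49:51.088078 IP (tos 0x0, ttl 64, id 14931, offset 0, flags [DF],
proto ICMP (1), length 84)
192.168.0.5 > cymbeline: ICMP echo request, id 14399, seq 1, length 64
06:49:51.088115 IP (tos 0x0, ttl 64, id 22498, offset 0, flags [none],
proto ICMP (1), length 84)
cymbeline > 192.168.0.5: ICMP echo reply, id 14399, seq 1, length 64
"""
REMOTE_PING = """\
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.730 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.777 ms
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.260 ms
"""
# Assumption: tcpdump ran without -n, so the server's own address shows as a name.
ALIASES = {"cymbeline": "192.168.0.100"}

ECHO_RE = re.compile(
    r"(\S+) > ([^\s:]+): ICMP echo (request|reply), id (\d+), seq (\d+)")
PING_RE = re.compile(r"bytes from ([^\s:]+): icmp_seq=(\d+) ttl=(\d+)")

BY_OS = "reply generated by the host's network stack"
BELOW_OS = "reply not generated by the host's network stack"
NOT_SEEN = "request never seen on this host"


def pair_echoes(capture_text, aliases=None):
    """Pair echo requests with replies in tcpdump text captured on the server.

    Returns {target_address: [requests_seen, requests_answered]}.
    """
    aliases = aliases or {}
    flat = " ".join(capture_text.split())  # undo line wrapping
    requests, replies = set(), set()
    for src, dst, kind, ident, seq in ECHO_RE.findall(flat):
        src, dst = aliases.get(src, src), aliases.get(dst, dst)
        if kind == "request":
            requests.add((src, dst, ident, seq))
        else:
            # File the reply under the request it answers (direction swapped).
            replies.add((dst, src, ident, seq))
    stats = defaultdict(lambda: [0, 0])
    for req in requests:
        stats[req[1]][0] += 1
        if req in replies:
            stats[req[1]][1] += 1
    return dict(stats)


def ping_replies(ping_text):
    """Summarise ping output taken on the remote machine, per address."""
    seen = defaultdict(lambda: {"count": 0, "ttls": set()})
    for addr, _seq, ttl in PING_RE.findall(ping_text):
        seen[addr]["count"] += 1
        seen[addr]["ttls"].add(int(ttl))
    return dict(seen)


def classify(capture_text, ping_text, aliases=None):
    """For every address the remote ping got answers from, say where the
    answers came from according to the capture taken on the server."""
    on_host = pair_echoes(capture_text, aliases)
    verdicts = {}
    for addr in ping_replies(ping_text):
        seen, answered = on_host.get(addr, (0, 0))
        if seen == 0:
            verdicts[addr] = NOT_SEEN
        elif answered == 0:
            verdicts[addr] = BELOW_OS
        else:
            verdicts[addr] = BY_OS
    return verdicts


if __name__ == "__main__":
    ttls = ping_replies(REMOTE_PING)
    for addr, verdict in classify(SERVER_CAPTURE, REMOTE_PING, ALIASES).items():
        print(f"{addr}: {verdict} (reply TTLs seen remotely: {sorted(ttls[addr]['ttls'])})")
```

Capturing with `tcpdump -n` avoids the need for the alias map, since addresses are then printed instead of names.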

Re: ghost interfaces in the sky

<s9a38h$c4t$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5162&group=comp.os.linux.misc#5162

 by: The Natural Philosop - Thu, 3 Jun 2021 08:18 UTC

On 03/06/2021 08:15, Pascal Hambourg wrote:
> On 03/06/2021 at 07:06, The Natural Philosopher wrote:
>> On 02/06/2021 18:46, Pascal Hambourg wrote:
>>> - an entry in the local routing table (ip route ls table local), but
>>> ping from the server would work
>> $ ip route
>
> "ip route" alone only shows the main routing table, which contains only
> remote destinations. Use the command I provided to show the local
> routing table.
>
I don't recall you actually providing such?

>>> - Management Engine, Active Management Technology or the like
>>
>> no ideas what those are....
>
> A management system embedded in the hardware. Wikipedia is your friend.

Mmm. Something at board BIOS level perhaps? It's a very OLD board

inxi -M
Machine: Type: Desktop Mobo: Intel model: DG43GT v: AAE62768-300
serial: BTGT93200534 BIOS: Intel
v: GTG4310H.86A.0035.2010.1006.1525 date: 10/06/2010
>
> I also thought about network namespaces (which I know very little about)
> but it seems that a network interface cannot be shared between namespaces.
>
>>> Tests I can think of :
>>> Run a packet capture on the ethernet interface and see if this
>>> traffic is visible.
>>
>> what's the command for that? That was my next thought too but it's so
>> long since I have done that I have actually forgotten.
>
>
> For example with tcpdump :
> # tcpdump -nei enp0s25 arp or ip and host 192.168.0.1
>
>>> Bring the ethernet interface down and see if it still responds.
>>
>> likewise can't remember
>
> # ip link set enp0s25 down
>
> Not sure how NetworkManager will react though. Maybe it is better to
> stop the interface with nmcli or the GUI but I don't know how to do this.

Things have moved on a bit - see later post
tcpdump patently doesn't find the interface that is responding. So I
doubt that downing the correct ethernet interface would affect it

--
“The fundamental cause of the trouble in the modern world today is that
the stupid are cocksure while the intelligent are full of doubt."

- Bertrand Russell

Re: ghost interfaces in the sky

<60b896d8$0$6188$426a74cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=5163&group=comp.os.linux.misc#5163

 by: Pascal Hambourg - Thu, 3 Jun 2021 08:46 UTC

On 03/06/2021 at 10:18, The Natural Philosopher wrote:
> On 03/06/2021 08:15, Pascal Hambourg wrote:
>> On 03/06/2021 at 07:06, The Natural Philosopher wrote:
>>> On 02/06/2021 18:46, Pascal Hambourg wrote:
>>>> - an entry in the local routing table (ip route ls table local), but
here ^^^^^^^^^^^^^^^^^^^^^^^

>>>> ping from the server would work
>>> $ ip route
>>
>> "ip route" alone only shows the main routing table, which contains
>> only remote destinations. Use the command I provided to show the local
>> routing table.
>>
> I don't recall you actually providing such?

See above.

>>>> - Management Engine, Active Management Technology or the like
>>>
>>> no ideas what those are....
>>
>> A management system embedded in the hardware. Wikipedia is your friend.
>
> Mmm. Something at board BIOS level perhaps?

Even lower level. Seems to be embedded in the chipset or CPU. May be
disabled by BIOS settings.

> tcpdump patently doesn't find the interface that is responding. So I
> doubt that downing the correct ethernet interface would affect it

I expect not, but either result will provide information.

Re: ghost interfaces in the sky

<s9abeq$oh$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5164&group=comp.os.linux.misc#5164

 by: The Natural Philosop - Thu, 3 Jun 2021 10:38 UTC

On 03/06/2021 09:46, Pascal Hambourg wrote:
> ip route ls table local

ip route ls table local
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev enp0s25 proto kernel scope link src 192.168.0.100
local 192.168.0.100 dev enp0s25 proto kernel scope host src 192.168.0.100
broadcast 192.168.0.255 dev enp0s25 proto kernel scope link src
192.168.0.100

--
“People believe certain stories because everyone important tells them,
and people tell those stories because everyone important believes them.
Indeed, when a conventional wisdom is at its fullest strength, one’s
agreement with that conventional wisdom becomes almost a litmus test of
one’s suitability to be taken seriously.”

Paul Krugman

Re: ghost interfaces in the sky

<60b8b5a0$0$6462$426a74cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=5165&group=comp.os.linux.misc#5165

 by: Pascal Hambourg - Thu, 3 Jun 2021 10:57 UTC

On 03/06/2021 at 12:38, The Natural Philosopher wrote:
>
> ip route ls table local
> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> local 192.168.0.100 dev enp0s25 proto kernel scope host src 192.168.0.100
(broadcast entries removed for clarity)

192.168.0.1 is not listed so it is not considered as a local address by
the kernel, which confirms other observations.
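
The check made in the post above, as an added example that is not part of the thread or any poster's code: it parses `ip route ls table local` output and reports whether the kernel treats an address as its own. The sample table is reassembled from the listings posted in the thread; the function names are hypothetical.

```python
import ipaddress

# Sample input reassembled from the `ip route ls table local` listings in the thread.
SAMPLE_LOCAL_TABLE = """\
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev enp0s25 proto kernel scope link src 192.168.0.100
local 192.168.0.100 dev enp0s25 proto kernel scope host src 192.168.0.100
broadcast 192.168.0.255 dev enp0s25 proto kernel scope link src 192.168.0.100
"""


def parse_local_table(text):
    """Return (route_type, network, device) tuples for local/broadcast entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("local", "broadcast"):
            continue  # other route types are not needed for this check
        # A bare address such as 192.168.0.100 becomes a /32 network.
        network = ipaddress.ip_network(fields[1], strict=False)
        device = None
        if "dev" in fields[:-1]:
            device = fields[fields.index("dev") + 1]
        entries.append((fields[0], network, device))
    return entries


def classify(address, entries):
    """Longest-prefix match of `address` against the parsed local table.

    Returns ("local", dev) when the kernel owns the address,
    ("broadcast", dev) for a broadcast entry, or ("not-local", None).
    """
    addr = ipaddress.ip_address(address)
    best = None
    for route_type, network, device in entries:
        if addr in network:
            if best is None or network.prefixlen > best[1].prefixlen:
                best = (route_type, network, device)
    if best is None:
        return ("not-local", None)
    return (best[0], best[2])


if __name__ == "__main__":
    table = parse_local_table(SAMPLE_LOCAL_TABLE)
    for candidate in ("192.168.0.100", "192.168.0.1", "127.0.0.53", "192.168.0.255"):
        print(candidate, classify(candidate, table))
```

An address that comes back as "not-local" yet still answers on the wire is being served by something other than this kernel's IP stack.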

Re: ghost interfaces in the sky

<s9ad26$bv6$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5166&group=comp.os.linux.misc#5166

 by: The Natural Philosop - Thu, 3 Jun 2021 11:05 UTC

On 03/06/2021 09:46, Pascal Hambourg wrote:
>
>>>>> - Management Engine, Active Management Technology or the like
>>>>
>>>> no ideas what those are....
>>>
>>> A management system embedded in the hardware. Wikipedia is your friend.
>>
>> Mmm. Something at board BIOS level perhaps?
>
> Even lower level. Seems to be embedded in the chipset or CPU. May be
> disabled by BIOS settings.
>
surely if it existed dozens of people would have seen this issue? It
would be well known and well documented.

>> tcpdump patently doesn't find the interface that is responding. So I
>> doubt that downing the correct ethernet interface would affect it
>
> I expect not, but either result will provide information.
Ok

Well that was a bit of a bombshell. 'ifconfig enps025 down' shut it
down, *but not the ghost interface*.

Unfortunately 'ifconfig enps025 up' didn't seem to fully restore it
So rebooted.

THIS time network manager is 'up and running'

As is the ghost interface :-)

--
“I know that most men, including those at ease with problems of the
greatest complexity, can seldom accept even the simplest and most
obvious truth if it be such as would oblige them to admit the falsity of
conclusions which they have delighted in explaining to colleagues, which
they have proudly taught to others, and which they have woven, thread by
thread, into the fabric of their lives.”

― Leo Tolstoy

Re: ghost interfaces in the sky

<60b8bfd6$0$6484$426a34cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=5167&group=comp.os.linux.misc#5167

 by: Pascal Hambourg - Thu, 3 Jun 2021 11:41 UTC

On 03/06/2021 at 13:05, The Natural Philosopher wrote:
> On 03/06/2021 09:46, Pascal Hambourg wrote:
>>
>>>>>> - Management Engine, Active Management Technology or the like
>>>>>
>>>>> no ideas what those are....
>>>>
>>>> A management system embedded in the hardware. Wikipedia is your friend.
>>>
>>> Mmm. Something at board BIOS level perhaps?
>>
>> Even lower level. Seems to be embedded in the chipset or CPU. May be
>> disabled by BIOS settings.
>>
> surely if it existed dozens of people would have seen this issue? It
> would be well known and well documented.
>
> Well that was a bit of a bombshell. 'ifconfig enps025  down' shut it
> down, *but not the ghost interface*.

As I expected. So it is either buried deep in the kernel, or in the
hardware, or in some kind of hypervisor loaded before the kernel (like
Xen), but not in any userland process (including systemd). To check
whether it is in the hardware, boot without loading the OS (press <esc>
at the GRUB menu for instance).

> Unfortunately 'ifconfig enps025  up' didn't seem to fully restore it
> So rebooted.

You could have just restarted NetworkManager.

Re: ghost interfaces in the sky

<s9ag8t$2r6$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5168&group=comp.os.linux.misc#5168

 by: The Natural Philosop - Thu, 3 Jun 2021 12:00 UTC

On 03/06/2021 11:57, Pascal Hambourg wrote:
> On 03/06/2021 at 12:38, The Natural Philosopher wrote:
>>
>> ip route ls table local
>> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
>> local 192.168.0.100 dev enp0s25 proto kernel scope host src 192.168.0.100
> (broadcast entries removed for clarity)
>
> 192.168.0.1 is not listed so it is not considered as a local address by
>  the kernel, which confirms other observations.

Yes. it behaves as a little empire all on its own snuggled inside the
linux machine as a whole.

Sort of Liechtenstein :-)

So: to summarise
It appears to be absolutely associated with that server hardware
It exists outside of *normal* linux networking on that hardware
It appears to do nothing except respond to pings and issue DHCP client
commands. There are, for example no NAT sessions on the router with that
source address...
It persists between reboots
It comes up before normal networking does, on that hardware

The oddest thing to date however is that the *server itself* reports
'Destination Host Unreachable'

PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
From 192.168.0.100 icmp_seq=1 Destination Host Unreachable

So it MUST know *something* about that interface/IP address that tells
it it 'cannot be reached'.

Which seems to rule out something below the linux level *completely*.

Also it appears as 'cymbeline' in the dhcp tables which is a linux level
name. And must be being passed as part of the DHCP request

I know I am totally bigoted, but my money is on systemd...

I am letting tcpdump on two machines try and trap the DHCP requests

--
"Strange as it seems, no amount of learning can cure stupidity, and
higher education positively fortifies it."

- Stephen Vizinczey
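
The DHCP request mentioned in the post above carries the fields that identify its sender (hardware address, host name, vendor class, client identifier). As an added example that is not part of the thread or any poster's code, this parser pulls those fields out of the UDP payload of a captured client message; the sample packet is constructed, with a made-up MAC address and vendor class, and the function names are hypothetical.

```python
import ipaddress
import struct

BOOTP_FIXED_LEN = 236                # fixed BOOTP header, op through file
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(data):
    """Walk the code/length/value option area and return {code: bytes}."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                # pad option, single byte
            i += 1
            continue
        if code == 255:              # end option
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        # A repeated option code is concatenated (RFC 3396 long options).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def describe_client(payload):
    """Summarise who sent a DHCP client message (UDP payload, ports 68 -> 67)."""
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        raise ValueError("too short for a BOOTP header and magic cookie")
    op, _htype, hlen = struct.unpack("!BBB", payload[:3])
    if op != 1:
        raise ValueError("not a client (BOOTREQUEST) message")
    if hlen > 16:
        raise ValueError("hardware address length exceeds the chaddr field")
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(payload[240:])

    def text(code):
        raw = opts.get(code)
        if raw is None:
            return None
        return raw.rstrip(b"\x00").decode("ascii", "replace")

    msg, req = opts.get(53), opts.get(50)
    return {
        "mac": ":".join("%02x" % b for b in payload[28:28 + hlen]),
        "message_type": MESSAGE_TYPES.get(msg[0], "type %d" % msg[0]) if msg else None,
        "hostname": text(12),            # option 12: host name
        "vendor_class": text(60),        # option 60: vendor class identifier
        "client_id": opts[61].hex() if 61 in opts else None,
        "requested_ip": str(ipaddress.IPv4Address(req)) if req and len(req) == 4 else None,
        "param_request_list": list(opts.get(55, b"")),
    }


def build_sample_discover():
    """Constructed DHCPDISCOVER payload; not a capture from the thread."""
    mac = bytes.fromhex("020000000001")             # made-up, locally administered
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    fixed += bytes(16)                               # ciaddr, yiaddr, siaddr, giaddr
    fixed += mac.ljust(16, b"\x00")                  # chaddr
    fixed += bytes(64 + 128)                         # sname, file
    options = b"".join([
        bytes([53, 1, 1]),                           # message type: DISCOVER
        bytes([61, 7, 1]) + mac,                     # client identifier
        bytes([50, 4]) + ipaddress.IPv4Address("192.168.0.1").packed,
        bytes([12, 9]) + b"cymbeline",               # host name seen in the thread
        bytes([60, 14]) + b"example-client",         # made-up vendor class
        bytes([55, 4, 1, 3, 6, 15]),                 # parameter request list
        bytes([255]),
    ])
    return fixed + MAGIC_COOKIE + options


if __name__ == "__main__":
    for key, value in describe_client(build_sample_discover()).items():
        print("%-20s %s" % (key, value))
```

Comparing the vendor class and parameter request list with those sent by the host's known DHCP client helps tell whether the same software produced both requests.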

Re: ghost interfaces in the sky

<s9ahva$f8b$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5169&group=comp.os.linux.misc#5169

 by: The Natural Philosop - Thu, 3 Jun 2021 12:29 UTC

On 03/06/2021 12:41, Pascal Hambourg wrote:
> On 03/06/2021 at 13:05, The Natural Philosopher wrote:
>> On 03/06/2021 09:46, Pascal Hambourg wrote:
>>>
>>>>>>> - Management Engine, Active Management Technology or the like
>>>>>>
>>>>>> no ideas what those are....
>>>>>
>>>>> A management system embedded in the hardware. Wikipedia is your friend.
>>>>
>>>> Mmm. Something at board BIOS level perhaps?
>>>
>>> Even lower level. Seems to be embedded in the chipset or CPU. May be
>>> disabled by BIOS settings.
>>>
>> surely if it existed dozens of people would have seen this issue? It
>> would be well known and well documented.
>>
>> Well that was a bit of a bombshell. 'ifconfig enps025  down' shut it
>> down, *but not the ghost interface*.
>
> As I expected. So it is either buried deep in the kernel, or in the
> hardware, or in some kind of hypervisor loaded before the kernel (like
> Xen), but not in any userland process (including systemd). To check
> whether it is in the hardware, boot without loading the OS (press <esc>
> at the GRUB menu for instance).
>
>> Unfortunately 'ifconfig enps025  up' didn't seem to fully restore it
>> So rebooted.
>
> You could have just restarted NetworkManager.

Well network manager said it was there but 'disabled'.

Well the interface said it was up, and it could ping itself, but *this*
machine was locked up because NFS wasn't working, so I rebooted the
(nfs) server machine , made a cup of coffee and when I got back this
machine had unlocked itself.

As I say elsewhere, beginning to zero in on where this is happening.
largely due to your helpful suggestions - So thanks for that.

tcpdump is now recording DHCP broadcast traffic and is working as it's
picked up a couple of transactions already

--
There is nothing a fleet of dispatchable nuclear power plants cannot do
that cannot be done worse and more expensively and with higher carbon
emissions and more adverse environmental impact by adding intermittent
renewable energy.

Re: ghost interfaces in the sky

<jJOdnRswpZJ8SCX9nZ2dnUU78dPNnZ2d@giganews.com>

https://www.novabbs.com/computers/article-flat.php?id=5170&group=comp.os.linux.misc#5170

 by: Robert Heller - Thu, 3 Jun 2021 13:15 UTC

At Thu, 3 Jun 2021 13:00:28 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:

>
> On 03/06/2021 11:57, Pascal Hambourg wrote:
> > On 03/06/2021 at 12:38, The Natural Philosopher wrote:
> >>
> >> ip route ls table local
> >> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
> >> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> >> local 192.168.0.100 dev enp0s25 proto kernel scope host src 192.168.0.100
> > (broadcast entries removed for clarity)
> >
> > 192.168.0.1 is not listed so it is not considered as a local address by
> >  the kernel, which confirms other observations.
>
> Yes. it behaves as a little empire all on its own snuggled inside the
> linux machine as a whole.

What kind of server hardware is this? Is it some kind of "data center" type
of server or a common "desktop" machine repurposed as a server?

Try installing a port scanner (on one of the other machines) and do a port
scan to see what ports are available on that IP. Or just try SNMP or even
telnet (which might connect you to a "virtual" console port on the server).

>
> Sort of Liechtenstein :-)
>
> So: to summarise
> It appears to be absolutely associated with that server hardware
> It exists outside of *normal* linux networking on that hardware
> It appears to do nothing except respond to pings and issue DHCP client
> commands. There are, for example no NAT sessions on the router with that
> source address...
> It persists between reboots
> It comes up before normal networking does, on that hardware
>
> The oddest thing to date however is that the *server itself* reports
> 'Destination Host Unreachable'
>
> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
> From 192.168.0.100 icmp_seq=1 Destination Host Unreachable
>
> So it MUST know *something* about that interface/IP address that tells
> it it 'cannot be reached'.
>
> Which seems to rule out something below the linux level *completely*.

Not necessarily. If this is hardware purpose built to be a server, it might
have some sort of system management thing "built in" that is using the same
NIC as the main machine, but totally without the O/S's "knowledge".

Reboot the machine and stop in BIOS Setup and poke around there.

>
> Also it appears as 'cymbeline' in the dhcp tables which is a linux level
> name. And must be being passed as part of the DHCP request
>
> I know I am totally bigoted, but my money is on systemd...

What happens if you uninstall dhcp-client? (sudo apt purge dhcp-client) If
the server has a static IP address it has no need of dhcp-client and without
dhcp-client it is not going to get an address from a DHCP server.

>
> I am letting tcpdump on two machines try and trap the DHCP requests
>
>

--
Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services

Re: ghost interfaces in the sky

<Ya6dna4Ct4F_SyX9nZ2dnUU7-R3NnZ2d@giganews.com>

https://www.novabbs.com/computers/article-flat.php?id=5171&group=comp.os.linux.misc#5171

 by: Robert Heller - Thu, 3 Jun 2021 13:19 UTC

At Thu, 3 Jun 2021 13:29:29 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:

>
> On 03/06/2021 12:41, Pascal Hambourg wrote:
> > On 03/06/2021 at 13:05, The Natural Philosopher wrote:
> >> On 03/06/2021 09:46, Pascal Hambourg wrote:
> >>>
> >>>>>>> - Management Engine, Active Management Technology or the like
> >>>>>>
> >>>>>> no ideas what those are....
> >>>>>
> >>>>> A management system embedded in the hardware. Wikipedia is your friend.
> >>>>
> >>>> Mmm. Something at board BIOS level perhaps?
> >>>
> >>> Even lower level. Seems to be embedded in the chipset or CPU. May be
> >>> disabled by BIOS settings.
> >>>
> >> surely if it existed dozens of people would have seen this issue? It
> >> would be well known and well documented.
> >>
> >> Well that was a bit of a bombshell. 'ifconfig enps025  down' shut it
> >> down, *but not the ghost interface*.
> >
> > As I expected. So it is either buried deep in the kernel, or in the
> > hardware, or in some kind of hypervisor loaded before the kernel (like
> > Xen), but not in any userland process (including systemd). To check
> > whether it is in the hardware, boot without loading the OS (press <esc>
> > at the GRUB menu for instance).
> >
> >> Unfortunately 'ifconfig enps025  up' didn't seem to fully restore it
> >> So rebooted.
> >
> > You could have just restarted NetworkManager.
>
> Well network manager said it was there but 'disabled'.

Just means that network manager is not managing the NIC, which makes sense as
it has a static address (wired in /etc/network/interfaces).

>
> Well the interface said it was up, and it could ping itself, but *this*
> machine was locked up because NFS wasn't working, so I rebooted the
> (nfs) server machine , made a cup of coffee and when I got back this
> machine had unlocked itself.
>
> As I say elsewhere, beginning to zero in on where this is happening.
> largely due to your helpful suggestions - So thanks for that.
>
> tcpdump is now recording DHCP broadcast traffic and is working as it's
> picked up a couple of transactions already
>

--
Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller@deepsoft.com -- Webhosting Services

Re: ghost interfaces in the sky

<s9anrl$rgn$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=5172&group=comp.os.linux.misc#5172

 by: Joe Beanfish - Thu, 3 Jun 2021 14:09 UTC

On Thu, 03 Jun 2021 08:15:13 -0500, Robert Heller wrote:

> At Thu, 3 Jun 2021 13:00:28 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:
>
>>
>> On 03/06/2021 11:57, Pascal Hambourg wrote:
>> > On 03/06/2021 at 12:38, The Natural Philosopher wrote:
>> >>
>> >> ip route ls table local
>> >> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
>> >> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
>> >> local 192.168.0.100 dev enp0s25 proto kernel scope host src 192.168.0.100
>> > (broadcast entries removed for clarity)
>> >
>> > 192.168.0.1 is not listed so it is not considered as a local address by
>> >  the kernel, which confirms other observations.
>>
>> Yes. it behaves as a little empire all on its own snuggled inside the
>> linux machine as a whole.
>
> What kind of server hardware is this? Is it some kind of "data center" type
> of server or a common "desktop" machine repurposed as a server?
>
> Try installing a port scanner (on one of the other machines) and do a port
> scan to see what ports are available on that IP. Or just try SNMP or even
> telnet (which might connect you to a "virtual" console port on the server).
>
>
>>
>> Sort of Liechtenstein :-)
>>
>> So: to summarise
>> It appears to be absolutely associated with that server hardware
>> It exists outside of *normal* linux networking on that hardware
>> It appears to do nothing except respond to pings and issue DHCP client
>> commands. There are, for example no NAT sessions on the router with that
>> source address...
>> It persists between reboots
>> It comes up before normal networking does, on that hardware
>>
>> The oddest thing to date however is that the *server itself* reports
>> 'Destination Host Unreachable'
>>
>> PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
>> From 192.168.0.100 icmp_seq=1 Destination Host Unreachable
>>
>> So it MUST know *something* about that interface/IP address that tells
>> it it 'cannot be reached'.
>>
>> Which seems to rule out something below the linux level *completely*.
>
> Not necessarily. If this is hardware purpose built to be a server, it might
> have some sort of system management thing "built in" that is using the same
> NIC as the main machine, but totally without the O/S's "knowledge".
>
> Reboot the machine and stop in BIOS Setup and poke around there.

+1

I'd suspect IPMI or other similar out of band BIOS level interface
sharing the ethernet port. Those often have their own MAC address,
but I suppose they don't *have* to.

Re: ghost interfaces in the sky

<60b90424$0$3675$426a34cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=5173&group=comp.os.linux.misc#5173

 by: Pascal Hambourg - Thu, 3 Jun 2021 16:32 UTC

On 03/06/2021 at 15:19, Robert Heller wrote:
> At Thu, 3 Jun 2021 13:29:29 +0100 The Natural Philosopher <tnp@invalid.invalid> wrote:
>>>
>> Well network manager said it was there but 'disabled'.
>
> Just means that network manager is not managing the NIC, which makes sense as
> it has a static address (wired in /etc/network/interfaces).

According to the OP in <s99nvt$fs0$1@dont-email.me>, the ethernet
interface is statically configured by NetworkManager.
