4

I seem to get variable and inconsistent results for the IP/MAC addresses from a particular machine, using nmap or arp-scan.

The machine has 3 interfaces, and this is what it shows:

$ uname -a
Linux showstore-81 2.6.35.13 #1 SMP PREEMPT Thu Feb 9 12:20:36 PST 2012 i686 GNU/Linux

$ LC_ALL=C /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1b:21:ac:17:19
          inet addr:192.168.81.54  Bcast:192.168.81.255  Mask:255.255.255.0
          ...

eth1      Link encap:Ethernet  HWaddr 00:25:90:25:d0:4e
          inet addr:192.168.81.129  Bcast:192.168.81.255  Mask:255.255.255.128
          ...

eth2      Link encap:Ethernet  HWaddr 00:25:90:25:d0:4f
          inet addr:169.254.1.1  Bcast:169.254.255.255  Mask:255.255.0.0
          ...

So whatever tool and options I use, I would expect:

  • IP .54 => MAC 00:1b:21:ac:17:19
  • IP .129 => MAC 00:25:90:25:d0:4e

But nmap -n -sP 192.168.81.0/24 (nmap v. 5.00) reports it reversed:

Host 192.168.81.54 is up (0.000078s latency).
MAC Address: 00:25:90:25:D0:4E (Super Micro Computer)

Host 192.168.81.129 is up (0.000058s latency).
MAC Address: 00:1B:21:AC:17:19 (Intel Corporate)

And nmap -n -sP -PR 192.168.81/24 reports only one of the MAC addresses on both IPs:

Host 192.168.81.54 is up (0.000081s latency).
MAC Address: 00:1B:21:AC:17:19 (Intel Corporate)

Host 192.168.81.129 is up (0.00011s latency).
MAC Address: 00:1B:21:AC:17:19 (Intel Corporate)

Finally, arp-scan -l (v. 1.8.1) reports both IP addresses twice with both MAC addresses:

192.168.81.54      00:1b:21:ac:17:19    Intel Corporate
192.168.81.54      00:25:90:25:d0:4e    Super Micro Computer, Inc.

192.168.81.129     00:1b:21:ac:17:19    Intel Corporate
192.168.81.129     00:25:90:25:d0:4e    Super Micro Computer, Inc.

How can I do a scan which gives correct results? (I only need IP and MAC. No port scanning.)

mivk

1 Answer

4

Well, for one thing, you're using inconsistent/overlapping subnets. 192.168.81.129/25 is part of 192.168.81.54/24. So, first, do ifconfig eth0 netmask 255.255.255.128. Next, since I can only imagine that eth0 is plugged into the same network as eth1, you'll want to restrict how readily your computer will respond to ARP.

You will want to set the following sysctl entries, either by hand or in /etc/sysctl.conf:

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.all.arp_announce=1
net.ipv4.conf.all.arp_ignore=2
net.ipv4.conf.all.shared_media=0

Updating this to include more information. Normally, Linux will respond to an ARP request for an IP address assigned to the computer with the MAC address of the NIC it received the request on, regardless of whether the IP requested was configured on the responding NIC or not. Also, Linux will, by default, accept an IP packet on any NIC destined for an IP address configured locally on the computer. So,

The sysctl settings above restrict that behavior such that Linux will only respond to an ARP request for an IP if it's received on the NIC that IP is assigned to and if the request is from an IP address reachable via that NIC. The tunables are documented in the file ip-sysctl.txt in the kernel source distribution.

What you're seeing is intended behavior and what I'm suggesting changes things to act more as you appear to desire. Good Luck.

etherfish
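The ARP-flux symptom discussed above (one IP answered by several MACs, one MAC answering for several IPs) can be spotted mechanically in scan output before and after applying the sysctl changes. The following Python script is an added example, not code from the question or the answer; it parses arp-scan lines from a constructed sample (the four lines from the question plus one hypothetical single-homed host) and reports the duplicates.

```python
"""Detect ARP-flux symptoms in arp-scan output.

A multi-homed Linux host with default arp_ignore/arp_announce answers an ARP
request for any of its addresses from whichever NIC received it, so one IP
shows up with several MACs and one MAC answers for several IPs."""
import re
from collections import defaultdict

# Constructed sample: the four arp-scan lines from the question plus one
# hypothetical single-homed host that must not be flagged.
SAMPLE = """\
192.168.81.54      00:1b:21:ac:17:19    Intel Corporate
192.168.81.54      00:25:90:25:d0:4e    Super Micro Computer, Inc.

192.168.81.129     00:1b:21:ac:17:19    Intel Corporate
192.168.81.129     00:25:90:25:d0:4e    Super Micro Computer, Inc.
192.168.81.1       00:11:22:33:44:55    Example Vendor
"""

# IPv4 address, whitespace, colon-separated MAC, optional vendor text.
LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*(.*)$"
)


def parse_arp_scan(text):
    """Return (ip, mac, vendor) tuples; MACs are lower-cased so nmap's
    upper-case form and arp-scan's lower-case form compare equal."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # banner, blank and summary lines do not match and are skipped
            rows.append((m.group(1), m.group(2).lower(), m.group(3).strip()))
    return rows


def find_arp_flux(rows):
    """Return {"ip_multi_mac": {ip: [macs]}, "mac_multi_ip": {mac: [ips]}},
    keeping only entries that were seen with more than one counterpart."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac, _vendor in rows:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return {
        "ip_multi_mac": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        "mac_multi_ip": {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1},
    }


if __name__ == "__main__":
    flux = find_arp_flux(parse_arp_scan(SAMPLE))
    for ip, macs in flux["ip_multi_mac"].items():
        print(f"{ip} answered from {len(macs)} MACs: {', '.join(macs)}")
    for mac, ips in flux["mac_multi_ip"].items():
        print(f"{mac} answered for {len(ips)} IPs: {', '.join(ips)}")
```

Feed it `arp-scan -l` output on stdin or from a file; an empty report after the sysctl change confirms each IP now answers only from its own NIC.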