Why would an iPod Touch and PS3 respond to netdiscover as 0.0.0.0?

3

0

Only slightly related to this question, because it was discovered in the same scan:

Can someone explain how this happened?

When running netdiscover on my home network, my iPod Touch (identified by DHCP-reserved IP address and MAC address) responded to both its own IP address on our 10.x.x.x subnet and to 0.0.0.0 also. Why would this have happened?

EDIT: After letting netdiscover run awhile longer, it seems one of the PS3s on the network is also answering to 0.0.0.0 - why is this?

Iszi

Posted 2011-11-16T01:09:38.467

Reputation: 11 686

Interesting. I'll leave this for someone who may know more about the internals of these devices, but I would suspect some virtual interface exists that is replying, and doesn't have an IP defined. Perhaps a part of uPNP/DLNA. – Paul – 2011-11-16T01:37:52.870

Pretty sure uPNP is disabled on the PS3. Don't know if that's an option for the iPod. – Iszi – 2011-11-17T18:54:21.920

Does netdiscover give you a mac address for the two IP addresses? Can you post them if so? – Paul – 2011-11-17T20:51:35.633

The MAC addresses given at 0.0.0.0 are the same addresses that answer to the systems' regular IP. – Iszi – 2011-11-17T20:56:41.910

I wonder if this has anything to do with Apple's Rapid DHCP.

– daxelrod – 2011-11-18T06:36:52.183

@daxelrod There's an interesting thought. Does the PS3 have a similar feature? It would be great if you could link to some documentation that specifically mentions the 0.0.0.0 ARP replies. – Iszi – 2011-11-18T06:42:11.053

Answers

2

From the article 0.0.0.0 :

Computers normally show an address of 0.0.0.0 when they are not connected to a TCP/IP network. Having this address, a computer cannot be reached or communicate with any other devices over IP.

TCP/IP software applications also use 0.0.0.0 as a programming technique to monitor network traffic from any valid IP address. While connected computers do not use this address, messages carried over IP sometimes include 0.0.0.0 inside the header when the source of the message is unknown.

Citing also from this thread :

The IP address 0.0.0.0 can have very different meanings, depending on where it's used.

  • It's not a valid address to be given to an actual network interface, along with any other address in the 10.0.0.0/8 subnet (i.e. any address starting with 0.).
  • It can't be used as the source address on any IP packet, unless this happens when a computer still doesn't know its own IP address and it's trying to acquire one (classic example: DHCP).
  • If used in a routing table, it identifies the default gateway; a route to 0.0.0.0 is the default one, i.e. the one used when there is not any more specific route available to a destination address.
  • Lastly, when seen in the output of the netstat command (which is what you asked for), it means that a given socket is listening on all the available IP address the computer has; when a computer has more than one IP address, a socket can be bound only to a specific address and port pair, or to a port and all addresses; if you see an IP address there, it means that socket is listening only on that port and that specific address; if you see 0.0.0.0, it means it's listening on that port on all addresses of the machine, including the loopback one (127.0.0.1).

One possibility is a bug in the software on the iPod/PS3, forgetting to abandon the 0.0.0.0 address once a real address was granted by DHCP.

A more ominous possibility is that some software on these devices is listening to everything that passes on your local network. Even though a very tenuous possibility, I would not in your place logon to my bank website while these devices are on the network.

harrymc

Posted 2011-11-16T01:09:38.467

Reputation: 306 093

Asked: 2011-11-16T01:09:38.467

Viewed: 410 times

Active: 2011-11-24T15:03:21.990