Question Strange device in local network

Apr 30, 2022
Hello
I have a strange device in my local network that I discovered with an IP scanner. This device is not visible in my router's web interface. My router's IP is 10.0.0.138 and the last digits of its MAC address are 66. The device I found has IP 10.2.0.138 and the last digits of its MAC are 67. It has the same manufacturer name as my router but is also named "localhost". It won't respond to ping. It's also visible in the app "Wifi Thief Detector". It connects and disconnects at various times. Right now it's not online according to the app. It's also visible in Wireshark but I am totally green on how to read all the information there. Also I'm using a powerline adapter and a range extender connected to it. I notice in the ARP table that if I turn on my phone's wifi, which goes through the range extender, the device changes its MAC address to be identical to the router's MAC address (66). And if I turn off wifi its MAC changes back to 67.
 
My guess is that it is associated with the GUEST WIFI function. Do you have guest WIFI enabled? -- Page 38 in the manual listed above ...
 
No, I have disabled both wifi and guest wifi in the router and disabled guest wifi in the powerline box. I'm using wifi through cable from ISP router to powerline box to range extender to my phone. The other powerline box is for the TV decoder and PS4.
 
If the MAC address is almost identical to the router MAC and it is a different IP subnet, but same final octet, I wouldn't worry about it too much. It is, IMO, internal to your router.
Have you tried manually setting your laptop to a 10.2.0.x IP address and seeing if it will respond to a ping? Your default 10.0.0.x IP range won't be able to see 10.2.0.x because of the subnet mask.
But you also say something interesting "Im using WIFI through cable from ISP router" -- That says that you have multiple routers in your network. It gets REALLY confusing when there are multiple routers, multiple DHCP servers, etc. Since you have multiple routers, just power off the Netgear and see if the mystery device goes away ...
 
What I mean is my setup is this: cable modem - wifi router's WAN port. Cable from the wifi router's LAN port to the computer. Cable from the wifi router's LAN port to the powerline adapter. The powerline adapter is connected to a range extender in another room. This is where I get my wifi signal from. The other powerline adapter is also in a different room. To change my IP I go to the ethernet adapter and Internet Protocol v4, right?
It took some time before the interface IP changed. I can now ping my own IP but not the 10.2.0.138 one. My default gateway should still be 10.0.0.138?
 
What subnet mask are you using? It is fairly standard to use 255.255.255.0 but that will not work with IP addresses like this. There are a couple that will work but it is likely set to 255.0.0.0 on some machines and 255.255.255.0 on others.
If I use standard IP settings it's set to 255.255.255.0.
If I use static it's automatically set to 255.0.0.0.
 
You need to set the mask to a consistent value on all devices. It really doesn't matter too much, but for home use you seldom see anything other than 255.255.255.0.

Using 255.0.0.0 when it is a 10.x.x.x network shows some engineer has been living in a cave with no electricity for 20 years. The concept of "classful" networks has not really been used in networking for many years. It is an old concept designed to reduce CPU and memory usage on routers, which no longer really matters as much.
 
Weird things are happening now. All of a sudden I can't access this forum and another website with info related to ARP spoofing. I tried both with mobile data and wifi. Now I'm using a VPN and then it's working fine. This cannot be a coincidence? Yesterday I was watching Wireshark and I saw lots of "duplicate use of <ip> detected!)". Today I read that this is a sign of an ARP spoofing attack. This happened in Wireshark when I changed the computer's IP to 10.2.0.138, the same address as the strange device in my local network.
 
If you think you have ARP spoofing, watch the ARP table with the ARP -a command.

You should not see the MAC addresses associated with an IP change. The MAC addresses should also give you a clue what the device is.

ARP spoofing is not something that can be easily done. It almost always requires physical access to the network. It is not something that works very well over wifi because of the slight added delay.

You can defeat arp spoofing by using a static arp entry for your router ip. That does not prevent the device from trying to spoof your IP to the router but that tends to not be worth actually doing.
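
The check suggested above (watch `arp -a` and look for an IP whose MAC changes), as an added example that is not part of the original post: it compares two snapshots of Windows `arp -a` output and reports changed or shared MACs. The snapshots, the MAC values and the function names `parse_arp` and `compare` are constructed for illustration.

```python
import re
from collections import defaultdict

# One entry of Windows `arp -a` output: IP, MAC (aa-bb-cc-dd-ee-ff), type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+",
    re.I | re.M)

# Constructed snapshots (not the thread's screenshots); the MACs are made-up
# locally administered addresses ending in 66 and 67.
SNAPSHOT_1 = """
Interface: 10.0.0.5 --- 0x4
  Internet Address      Physical Address      Type
  10.0.0.138            02-00-00-00-00-66     dynamic
  10.2.0.138            02-00-00-00-00-67     dynamic
  10.255.255.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("00-67", "00-66")  # later capture, MAC flipped

def parse_arp(text):
    """Return {ip: mac} for the unicast entries of one `arp -a` snapshot."""
    table = {}
    for ip, mac in ENTRY.findall(text):
        mac = mac.lower()
        # Broadcast and multicast MACs have the low bit of the first octet
        # set; they are always shared, so they would only add noise.
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac
    return table

def compare(before, after):
    """List IPs whose MAC changed and MACs answering for more than one IP."""
    findings = []
    for ip, mac in sorted(after.items()):
        if ip in before and before[ip] != mac:
            findings.append(("mac-changed", ip, before[ip], mac))
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("mac-shared", mac, *sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in compare(parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)):
        print(finding)
```

A finding only says which entry to identify next: one device that owns several addresses, such as a router, also shows up as `mac-shared`.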
 
My questions are: how did they get into my local network in the first place, and how do I throw them out? I'm suspecting they got access via a rogue access point somehow. Which means they can get in again and again if they want to, right? Btw I'm pretty sure they are reading what I write on this forum since I began having issues with err too many redirects since yesterday. They obviously want to stay in my network for a long time.
 
I doubt this is nothing more than your own router and you should not be concerned.
 
So turn off the wifi radios and then make sure you know what every ethernet cable connects to. You should see it disappear if it is real.

If you really think it is coming in via wifi change all the passwords and make sure WPS is disabled.

Nobody can see what you post here....then again everyone can actually since it is a public forum. The data between your end pc and web site is fully encrypted end to end which makes it impossible to both see the data as well as spoof fake traffic. There are not many sites that do not use HTTPS.
 
Did I mention I was hacked last year? War driving from a car outside my house. The car honked two times, then I came to see what it was. They turned on the lights so I could see who it was. It was a kid in the backseat with a laptop. He looked scared.
Then my ISP had to send me a new router because they couldn't get a signal from the one that was hacked. I still use the same powerline adapter that was hacked into.
 
OK, so I did a reset of my wired connection. Initially my ARP table looked like this: Picture. Then after a short while the strange device got added to the ARP table and it looked like this: Picture. Only the cable modem and router are connected and the router's wifi is turned off. (I tried uploading a picture but got an error message so I had to upload a link to the picture file instead.)
 
Update your post to include full system hardware specs and OS information.

Include make and model information for modem and router.

Post your picture(s) here using imgur (www.imgur.com).

[Note: The provided "Picture" links do not show the pictures and appear to require various downloads and possible payments to do so. (Turbo?)]

Also on your computer run "ipconfig /all" (without quotes) via the Command Prompt.

Post the results.
 
I tried to change my IP to the same subnet as 10.2.0.138 and did an nmap scan on the IP. It says the device's MAC address is the same as that of my router (66). But when I look in arp -a it says 67. If this device is part of my router, why is it on a different subnet and denying ping requests even if my computer is in the same subnet? I can ping my router.