Message "ARP table content changed"

Hey Together,

One of our Customers have some Problems with their Network and some employee made some Tests on their one.
The Problem is, that in different Times and different workplaces the Internet shuts down and the employees are not able to work at the Internet. After some minutes,or deaktivate and reactivate again the Network Adapter it works again.

One of them used GlassWire and get a strange Message, when the Internet shuts down.
A Windows opens and get the Message:

ARP table Content changed
IP: 192.168.1.1 (Gateway), OLD MAC xx:xx:xx:xx:xx:xx, New MAC: xx:xx:xx:xx:xx:xx

What does this mean? I know, what the ARP Table is, but why do we get this message?
After some searches in the Internet i get some informations, which Points on ARP Spoofing.
Is this possible?

Do you have any other ideas?

I am grateful for every answer!

Regards
iChris

PS: Sorry for my english… I’am from Germany :wink:

1 Like

IChris

What is the MAC address ("Machine Address Code), of the network interface card, on your default gateway router at 192.168.1.1 supposed to be?

If a 2nd device has been plugged into your network that also has the address of 192.168.1.1, then you would see this message as your pc tries to determine which one is correct. You may have a wireless router that also has the address of 192.168.1.1 on your network.

Create a network map. Use zenmap to ping hosts on your network. I suspect you’ll find a 2nd device with the same address.

1 Like

Hi Scoho

Thanks for your answer.
The MAC adress must be 00:A0:57:19:1F:BF, so it’s defenetly the wrong Adress.
we checked the MAC Adress manufacturer Prefix and found Oracle virtual Box.
So there are many virtual Linux Computers with the same mac, because they create the VM once and clone it for every other Person.

We changed now the Adresses and make node them.
Now we must wait, if there are any more Problems now…

is it possible, that this could be the Problem? Many Computers with the same MAC?

1 Like

Yes definitely. ARP protocol is used to determine the MAC address from the IP address. When your IP generates two machines with same MAC address, the router does not know which one to send the data to! Hence a corrupt ARP table.

` EDIT

By the looks of this, your Gateway machine’s MAC address was changed. Now all the data from your current machine travels to the Gateway before its transmitted on the network. Wrongly sending the transmission to another machine which does not know how to forward it to the rest of the network will definitely end up as Internet traffic being disconnected from your current machine.

1 Like

Yesterday whilst watching out Samsung TV a message came on screen to say that internet connection was disconnected then connected then disconnected then connected. The Router then disconnected and rebooted. When I checked Glasswire on my laptop the message
“ARP content table changed appeared” in the Glasswire alerts. This happened four times.
The first one tried to change the MAC of the TV to something else
The second one changed it back to the original MAC
The third one changed the MAC to something else
The fourth one changed it back to the original MAC all in the space of four minutes.

This shows the power of Glasswire and it’s usefulness, but how do I stop these people from attempting to commandeer my TV for their own nefarious purposes? Does Glasswire have the ability to do this somehow?

@Topper

I’m sorry to hear you are having this problem.

We once had another customer with a similar issue. I worked with him and we found that he had set up a router behind a router accidentally. His cable modem was set up as a router, then he put an additional router behind it.

This double router situation then caused two devices on his network to have the same IP address. He would get a similar security notice that you are seeing from GlassWire, then his device would go offline.

GlassWire was then able to help him see the shared IP problem and fix the router behind a router issue and the problem was solved.

In your case is it possible your cable/dsl modem is acting as a router while you run an additional router? It can also cause this situation.

Very different setup for me, BT Hub6 feeding TV direct, also feeding white disks for WIFI upstairs, nothing else. Systems at home were hacked in 2018 including TV which was I suspect fed into the Kodi system network.

@Topper

If you think this could be an actual attack I would recommend resetting your cable/dsl modem, and your router to their defaults if possible or maybe even purchasing new ones. Here are details on this type of attack ARP spoofing - Wikipedia. I think it would be unusual for a home to experience this type of attack and it would be more likely to happen with a business or public network of some type.

From helping many GlassWire home users I have found this alert is real, but it’s usually due to a network configuration issue with two devices sharing an IP, and not an actual attack. The device will keep going offline over and over along with the other device that’s sharing its IP. The alert is useful in diagnosing network configuration problems.

Your comments confirm my suspicions, I do not know what I have done to deserve such attention, but need to find a solution fast

If it was me and I was sure it was not a network configuration error I’d immediately reset my modem/router to its default settings and consider doing clean OS installs of any PCs on the network. I’d also consider just purchasing a completely new modem/router.

Oh yes I have a set routine now, I did a router hard factory reset as soon as it happened, but one is not always immediately aware of it, I want a solution to stop them getting access in the first place but BT insist on us being on a WAN which is how they get in, using IPV6 which I am unable to block in their router. It is so frustrating :worried:

1 Like