ip neigh and arp - incorrect MAC address


I’m not sure how long I’ve had the issue but today I decided to simply change the IP of my NAS (it’s configured to DHCP, albeit with a fixed address in dhcpd.conf) and something that I thought would be easy, but found that devices were struggling to re-connect. I was looking around and have discovered that the MAC address of the NAS was incorrect on most/all devices (based on “ip neigh”). And something that a reboot of my router/switch/NAS didn’t simply resolve.

I have since connect to several of my servers, and run “ip -s -s neigh flush all” and “arp -d ”, one or both successfully cleared the ARP cache and was soon showing the correct MAC address (Yay! I thought), but after a few minutes it was reverted, so the same IP has the incorrect MAC again (it’s always the same one).

My NAS is the same hardware with the same NIC (and unchanged MAC) - plus I’m not 100% sure where the “incorrect” MAC is coming from, I assume it’s on my network somewhere, but as yet have not found it (with so may mobile devices I’ve not yet managed to check everything). I read that I can force the IP/MAC details into the ARP cache - but I assume that that shouldn’t be necessary (should it?)

I’d like to better understand where ARP or IP, get the MAC address from - which may help me understand my problem and therefore resolve it.
But also - how I can scan my entire network for MAC Addresses assuming this “unknown” one is on my network.

The other options is that I’ve made a rookie error, and done something wrong in either BIND or DHCPD… My gateway seems to be the only asset that consistently should the correct details…

Hoping everybody is well and enjoying the change in weather,

“how I can scan my entire network for MAC Addresses assuming this “unknown” one is on my network”?

If you log into your router it should show you the name, MAC address and IP address of each device the router can see.
For example; my router address is http://bthomehub.home/index.htm?pg=home.htm. Or just bthomehub.home will do.
Beyond that, I can’t offer any advice.


Hi Brian, network problems can be a can-of-worms at the best of times, second only to printing problems :slight_smile:

So, MAC addresses are hard-coded into network cards / chips, so in theory every device on the planet will have a unique MAC address.

Based on your description I would be inclined to think you have two devices on the network using the same IP address. So every now and again the device will broadcast a s “hello, my ip is … and my mac is …” … so depending on who broadcast last, that’s the MAC that will appear in your ARP cache. To see what you have locally (tweak the address prefix as appropriate for your network);

sudo nmap -sP -n

(without the sudo, you won’t necessarily get the MAC addresses)
This should list your local devices (IP/MAC) but also the name of the company who issued the MAC address, on a small network this should help determine which device is the owner of the offending MAC address. My best rule-of-thumb for small networks is; always use DHCP from your router. Home routers these days will typically always issue the same IP to the same MAC unless told otherwise, so once your NAS has been issued with an DHCP address, you can sort of treat it as static in that it’s unlikely to change. However, once you set something up with a manually allocated IP, every now and again there is the potential for conflict.


Hi, and thanks…

I was just about to provide an update and suggest that I’d been stupid and broken my own system of documenting everything in BIND and/or DHCP - and that having tracked the MAC address (I found this to translate the MAC : https://maclookup.app), I found that the “incorrect MAC” was a TP-LINK devices… I only have a few so it was easy to find that, which is now exactly what read from Mad Penguin (thank you by the way)

"Based on your description I would be inclined to think you have two devices on the network using the same IP address. "
Yeah - you’re quite right and I feel appropriately foolish blush

many thanks, I hope I’ve not wasted too much of you’re evening :slight_smile:

No problem, this is great! … not only does it mean you’ll spot this immediately next time, it means you’ll be able to help the next person with the same problem! :wink:
I just feel grateful the days of BNC and Token Ring networks are behind us … :slight_smile:

There are likely to be a few better ways to get this information, but I am still at that point where I enjoy writing semi-pointless scripts :slight_smile:

So I simply hope this is helpful to somebody if only as an example for something else…

Anyway - this is what I’ve got/done - feel free to suggest a better option.

Nb: There are obvious risks/issues - like those assets that don’t reply to PING, or if you don’t have a asset with a complete ARP table*.
*not that I understand ARP, can ARP scan the network itself, in order to make this more reliable - or is this idea largely flawed to begin with?!


readonly ARP=`which arp`
readonly CUT=`which cut`
readonly PING=`which ping`
readonly NETADDR=192.168.1
readonly ARP_ARRAY=$(${ARP} -a)

if [ "${HOST}" = "" ]; then
  echo "Error - No Input Given"
  echo "Usage: ${0} [host/ip/scan]"
  exit 9

function _GetHostDetails {
  if [ "${1:0:${#NETADDR}}" = "${NETADDR}" ]; then
    IP="`${PING} ${1} -c1 | head -n1 | ${CUT} -d '(' -f 2 | ${CUT} -d ')' -f 1`"
   #IP=`${ARP} -a | grep "$({IP})" | ${CUT} -d '(' -f 2 | $CUT} -d ')' -f 1`

  for ARP_LINE in ${ARP_ARRAY}; do
    if [ "${IP}" = "`echo ${ARP_LINE} | ${CUT} -d '(' -f 2 | ${CUT} -d ')' -f 1`" ]; then
      HOST=`echo ${ARP_LINE} | ${CUT} -d '.' -f 1`
      MAC=`echo ${ARP_LINE} | ${CUT} -d ' ' -f 4`

      if [ "${HOST:0:1}" = "?" ]; then
        DOMAIN=`echo ${ARP_LINE} | ${CUT} -d '.' -f 2,3,4,5 | ${CUT} -d ' ' -f 1`

  echo ${HOST},${DOMAIN},${IP},${MAC}

if [ "${1}" = "scan" ]; then

  for i in `seq 1 254`; do
    ${PING} ${NETADDR}.${i} -c1 > /dev/null
    if [ ${?} -eq 0 ]; then
      _GetHostDetails ${NETADDR}.${i}

  _GetHostDetails ${HOST}


#./gethostdetails.sh scan