Yosemite - MAC Address Flip-Flopping

Discussion in 'OS X Yosemite (10.10)' started by rssfed23, Jul 3, 2014.

  1. rssfed23 macrumors member

    Joined:
    Jun 5, 2008
    Location:
    Southampton, UK
    #1
    Something a bit odd started happening with my Yosemite install (rMPB 10,1) about 4 days ago:

    I run a pfSense firewall at home, and use arpwatch as an additional package on this (for those unaware: it does an occasional scan of the network physical MAC addresses and produces a report. Mines set up to email me automatically any new or changed/spoofed addresses!)

    I started getting alerts from arpwatch stating that the MAC address of my rMPB had changed, and then changed back again! This happens about 100 times a day, and always when connected to the wifi (so not during an intentional wifi scan etc). An example of the report email:

    Code:
    hostname: MacBookPro.knighthome
    ip address: 10.0.0.20
    [B]ethernet address: 14:10:9f:d8:76:c5[/B]
    ethernet vendor: <unknown>
    old ethernet address: 20:c9:d0:14:40:df
    old ethernet vendor: <unknown>
    timestamp: Thursday, July 3, 2014 16:08:06 +0100
    previous timestamp: Thursday, July 3, 2014 16:08:06 +0100
    delta: 0 seconds
    Then a few minutes later:
    Code:
    hostname: MacBookPro.knighthome
    ip address: 10.0.0.20
    [B]ethernet address: 20:c9:d0:14:40:df[/B]
    ethernet vendor: <unknown>
    old ethernet address: 14:10:9f:d8:76:c5
    old ethernet vendor: <unknown>
    timestamp: Thursday, July 3, 2014 16:08:06 +0100
    previous timestamp: Thursday, July 3, 2014 16:08:05 +0100
    delta: 1 second
    I rebooted the rMPB: no change.
    I wondered if this was an issue specific to the wifi, but nope; when I plug in a thunderbolt ethernet adapter similar things happen (just with different MAC addresses!).

    This is not an issue with arpwatch - all my other ~60 devices stay the same, as do my Macs that aren't running Yosemite DP2 (or DP1 update 1 rather....).
    I wondered if this was specific to my mac itself, so fired up Parallels and kicked up 10 Yosemite VMs within all bridging the network, and after about a week of uptime the exact same thing happens with all the subsequent VMs!

    I've posted the wifi details from system report at the bottom of this post!

    The system report does not change MAC address when the system reports a different one, and I've validated the changes with other network scanning tools!

    It appears under Yosemite on my home network occasionally the hardware addresses of network devices randomly report incorrect addresses!
    Has anyone else experienced anything like this they've noticed? Could it be a potential privacy feature I'm missing?
    I've not got any applications running that I think would cause this (besides the 10 VMs are all clean installs with nothing on them bar safari that just sit there and randomly change addresses!)

    So yeah; just looking to see if anyone has any thoughts on the above or if they've noticed similar behaviour?

    The only thing thats recently changed on my home network is the domain name from "knight.local" to "knighthome" (I didn't know bonjour doesn't work properly with .local domains until recently!)

    I'm aware of the iOS feature of randomising MAC addresses when scanning for new APs for security, but I don't think this is that (it's always "fip flopping" between the two mac addresses listed above!

    OS X System Report:
    Code:
    Wi-Fi:
    
      Type:	AirPort
      Hardware:	AirPort
      BSD Device Name:	en0
      IPv4 Addresses:	10.0.0.20
      IPv4:
      AdditionalRoutes:
      DestinationAddress:	10.0.0.20
      SubnetMask:	255.255.255.255
      DestinationAddress:	169.254.0.0
      SubnetMask:	255.255.0.0
      Addresses:	10.0.0.20
      ARPResolvedHardwareAddress:	00:26:2d:02:dc:XX
      ARPResolvedIPAddress:	10.0.0.1
      Configuration Method:	DHCP
      ConfirmedInterfaceName:	en0
      Interface Name:	en0
      Network Signature:	IPv4.Router=10.0.0.1;IPv4.RouterHardwareAddress=00:26:2d:02:dc:XX
      Router:	10.0.0.1
      Subnet Masks:	255.255.255.0
      IPv6:
      Configuration Method:	Automatic
      DNS:
      Domain Name:	knighthome
      Server Addresses:	10.0.0.1
      DHCP Server Responses:
      Domain Name:	knighthome
      Domain Name Servers:	10.0.0.1
      Lease Duration (seconds):	0
      DHCP Message Type:	0x05
      Routers:	10.0.0.1
      Server Identifier:	10.0.0.1
      Subnet Mask:	255.255.255.0
      Ethernet:
      MAC Address:	14:10:9f:d8:76:c5
      Media Options:	
      Media Subtype:	Auto Select
      Proxies:
      Exceptions List:	*.local, 169.254/16
      FTP Passive Mode:	Yes
      Service Order:	2
    
    
     
  2. iPhail macrumors newbie

    Joined:
    Jun 4, 2014
    #2
  3. mrapplegate macrumors 68030

    Joined:
    Feb 26, 2011
    Location:
    Cincinnati, OH
    #3
    An interesting problem. Have you posted it on the developer forum? I'm interested to see if someone from Apple can shed some light on it. I've not been keeping track of my MAC address so I'm not sure if it's been happening to me or not.
     
  4. bolen macrumors 6502

    bolen

    Joined:
    Jul 22, 2008
    Location:
    Sweden
    #4
    I have the same problem with my MBA and MBP, both on WiFi. I'm also running pfSense but I noticed it simply due to the fact that the Macs started getting new hostnames with incremental numbers. Presumably the Mac changes MAC and then bonjour tries to announce it's presence as "ComputerName.local", but the name from the previous MAC address is still lingering somewhere and the computer gets "ComputerName-2.local" instead. After a day or two I easily get incremental hostnames up to 5 or 6...

    Are you running static DHCP configurations based on MAC? My wife's MBP doesn't seem to show this behavior (at least not the lingering hostname problem), and it has not been configured to use a static lease.

    I also have a another FreeBSD host that is producing kernel messages about the MAC address change if I have a SSH connection from one of the Macs, so maybe it's something with the BSD kernel (also in pfSense) that is extra sensitive or conservative towards this behavior.

    I know about the MAC random feature for AP scanning, but I was under the impression that it would use it's real MAC address during association and when connected..
     
  5. Mr. Buzzcut macrumors 65816

    Mr. Buzzcut

    Joined:
    Jul 25, 2011
    Location:
    Ohio
    #5
    Is the other MAC that of an Airport Base Station or some other Apple device on your network? If so, I can probably explain why you are seeing it.
     

Share This Page