Leopard keeps picking up a spoofed IP

Discussion in 'Apple' started by Amanda Ripanykhazov, Oct 26, 2009.

  1. Got a problem which has stumped Apple so naturally I turned here.

    My computer won't pick up an IP. It keeps picking up a spoofed one
    (what Apple calls a self-assigned one)

    Was in the Apple store and this problem flummoxed the Genius Bar guy.
    He kept trying to connect and it didn't work. After trying restarting,
    changing networks, changing from DHCP to Manual Assign etc etc etc,
    about a dozen tries later, he got the mysterious error message
    Do you want the application "configd" to accept incoming network
    Do you want the application "mdnsresponder" to accept incoming network
    connections (both of which he allowed, although he had never seen
    those either and said they must be some kind of firewall) and suddenly
    it connected

    It stayed working for a few days, connecting as and when necessary to
    the four networks available where I am before peremptorily stopping
    completely again for no apparent reason on around Saturday.

    This time Apple Tech Support sent it to their internet and multimedia
    team where they told me to remove airport.plist,
    network.id.plist, networkinterface.plist and preferences.plist and
    reboot to recreate them. It connected properly again (I think it
    asked the two mystery 'Allow/Deny Questions' again) and this time
    lasted only a day.

    So I tried deleting these files myself and restarting. Curiously the
    files hadn't been recreated in toto. I found preferences.plist
    and networkinterface.plist, but airport.plist is now called
    com.apple.airport.preferences.plist but network.id.plist doesn't seem
    to be there at all? (there IS a file called com.apple.nat.plist?) In
    any event I deleted the three files again and restarted but this time
    it didn't help with the problem at all.

    So another call to Tech Support got me to the apparently highest level
    tech support when the Internet and Multimedia team were baffled. They
    couldn't figure out how to cure it so they had me boot off an install
    disc and tried connecting. Hey Presto, it connected fine, indicating
    that as we knew from the visit to the Apple store (for overheating)
    that there wasn't anything wrong with the hardware. So they concluded
    that only a full archive and reinstall was likely to help.

    When I hear this, I naturally think that they can't identify the
    problem (this is what PC tech support tells you when they want to get
    you out of their hair for a month or so in the HOPE that it will get
    rid of the problem) so I was wondering whether anyone else could? To
    me it sounds suspiciously like 'The Problem No One Wants To Agree Is
    There', that the NIC card is somehow losing sensitivity (not
    interference, but LOSING sensitivity). When this problem first
    started, I tried moving close to the WiFi source and found that it
    didn't make any difference to whether the system picked up a Spoofed IP
    but at the end of this process I am not so sure.

    There IS an addendum here: This morning, I found I COULD connect after
    only doing the configd of the deny/allows (but curiously slowly). I
    don't believe this will either last or be reliable so I am posting
    here. Has anyone established yet that this business of asking whether
    I want the applications "configd" and "mdnsresponder" to accept
    incoming network connections an unknown by-product of some OSX update
    and has a cure been put out by Apple yet?
    Amanda Ripanykhazov, Oct 26, 2009

  2. Amanda Ripanykhazov

    J.J. O'Shea Guest

    If the IP begins with the sequence 169.254, that's an APIPA address, an
    Automatic Private IP Address. This is a standard, invented by Microsoft.
    (Hey, they occasionally have good ideas. Not often, but when they do it
    should be pointed out that they did something good for a change.) If you are
    getting an APIPA address, that means that your system is set for DHCP but is
    not seeing the DHCP server for one reason or another.
    If he changed from DHCP to a manual, fixed, IP and you still didn't get
    connected then the problem is that your machine is not seeing the network,
    period. That could be either hardware (bad cable, bad Ethernet port on the
    Mac, bad Ethernet port on whatever you're connecting to, wireless connection
    problems, dead network, other possible problems) or software (incorrectly set
    up firewall, MAC address filtering, bad wireless security key, system problem
    on the router, other possible problems)
    If configd isn't operational you're never going to get a network connection
    on a Mac. Period. See
    <http://www.afp548.com/article.php?story=20041015131913324>. If you have your
    firewall incorrectly set configd will not run. The simple solution to most
    configd problems is to turn off the firewall. Once you have a good
    connection, you can then configure your firewall correctly.
    mdnsresponder is a zero conf service. It's used, among other things for DHCP.
    See <http://developer.apple.com/networking/bonjour/faq.html>. Again, if your
    firewall is set incorrectly, Bonjour (and therefore mdnsresponder) will not
    work. It would appear that your problem is related to a misconfigured
    firewall. At least that's the first place I'd look.
    He's never heard of configd or Bonjour? I doubt this.
    Sounds like a firewall problem again.
    Your firewall settings are being corrupted somehow. They asked you to delete
    the network communications pref files. When you did that, everything worked.
    It's supposed to stay working, so long as you don't change anything in the
    firewall. Have you gone to System Preferences/Security/Firewall and turned it
    not on the system I'm on.
    looks like a firewall problem.
    J.J. O'Shea, Oct 26, 2009

  3. It's not a spoofed IP, it's a self assigned one. When you use DHCP to assign
    an IP address, it starts out with the self assigned one. That's because
    more likely defaults of or mean something special
    and everything else could be in use, e.g., etc.

    That's just an IP address that was picked to indicate that DHCP was chosen,
    but an IP address had not successfully been negotiated.

    It would help if you told us what you were using. Model of the Mac, type
    of airport card, what you were trying to connect to, operating system
    version, etc.

    Do you have a third party firewall, such as "Little Snitch" installed?
    The process of connecting to a WiFi network is rather complicated, and
    lots of things have to work properly. Along the way all sorts of problems
    can occur and things can interfere with the connection. Microwave ovens,
    older cordless phones, radar systems, and even bluetooth can interfere.

    I have an older Mac with an external bluetooth dongle (little thing that
    plugs into the USB port). It interferes with my wifi. I have to move it away
    from the Mac to get the wifi to work.

    I also have the problem with some brands of USB memory sticks. :-(

    The first thing I would do is to download a wifi sniffer, such as kismac
    and see what it says. The signals might not be strong enough, or there are
    other strong signals nearby, overloading your computer.

    The second is the difference between an open network, one that requires
    authorization and encryption.

    An open network can be joined by anyone.

    An authorized network requires a password or another credential to join.

    An encrypted network uses data encryption to prevent computers without the
    encryption key to understand the data and communicate.

    When you connect to a Wifi network, your computer will try to join it.
    If it does not use authorization, it will join it immediately. If it uses
    authorization, a user name and password, or an authorization key has to be
    sent and approved.

    Once you join a network, since you are using DHCP, the "self assigned
    IP address" is assigned to your Wifi connection and the dhcp client software
    tries to negotiate an IP address.

    Now here's the rub, as it were. If your network is encrypted but does not
    use authorization and you have the wrong key (WEP) or don't properly
    negotiate one (WPA), your computer will never actually get an IP
    address, although it will look like it has connected for a while,
    because it has joined the network.

    After DHCP fails, it will go back to being not joined to any network, but
    the self assigned DHCP address will remain.

    configd is the part of MacOS that acts as a dhcp client. It is what negotiates
    an IP address from a DHCP server (among other things).

    mdnsresponder is the program that looks up internet names from a domain name
    server (DNS). For example, if you enter www.apple.com, your computer can not
    reach it over the internet. It has to convert that name (in the form of
    host.domain.domain) to an IP address, and this is what does it.

    The IP address of an appropriate DNS server (it would not make sense to
    tell you its name) is usually sent in the information provided by DHCP.

    My GUESS is that since it works when booted from a DVD and you get the
    strange messages, is that there is some sort of firewall problem, most likely
    caused by a third party firewall.

    Maybe you can tell us more about the message, I've never seen it myself.

    Geoffrey S. Mendelson, Oct 26, 2009
  4. Thanks for your amazing help guys: What I have done is to go into
    firewall and specifically allow configD. This seems to have minimised
    the temporary problem with that error message. But I don't think that
    the whole problem can be laid on the firewall (though I WILL try your
    suggestion of disabling the whole firewall for a while and seeing what

    More importantly I suspect some loss of sensitivity at the AirPort
    card end along with the possibility which I DO accept that there are
    other strong signals nearby, overloading my computer. If I move my
    computer across a certain room between the place where I have these
    problems and the router, I can almost tangibly see the signal drop off
    at around 25 feet from the router and with nothing significant
    intervening at that point: There are no electrical appliances of ANY
    type nearby! So much so that I have installed and configured another
    router (a Buffalo 80211G) as a DD-WRT_VAP repeater to amplify this
    signal! And cranked the output power up to a legal maximum of 99
    milliwatts. I was toying with the idea of doing this with a WRT-150N
    which I have lying around as it probably has better range but I haven't
    been able to figure out whether this particular router (a VT1) can be
    set up as a repeater and the DD-WRT forums are a bit quiet on this

    The card is an AirPort Extreme with Broadcom firmware version BCM43xx
    ( and I wouldn't have any idea how to update the firmware
    otherwise than through an Apple Update. Is there some way of doing
    this? Anyway let me try Kismac and see what happens. (I didn't know
    that there was a Mac version of Netstumbler). Computers right next to
    this one can connect properly and this one cannot see enough of a
    signal to assign a DNS. I had been told by Fios that only a full
    digital spectrum analyser can tell me exactly what interference there
    is which might be preventing my computer from accessing my network in
    circumstances where occasionally it WILL access a neighbour's one
    instead! I doubt that it is an incorrectly set password on the WEP
    end or this computer wouldn't ever be able to access my network through
    my FIOS router. However I have a linksys VoIP router with no
    encryption on the same network and it has all the same problems as the
    FIOS one does. I am pretty sure I have NO third party firewall.
    Amanda Ripanykhazov, Oct 26, 2009
  5. That may be a problem. If you are listening to music, as it gets louder
    it starts to become distorted. The same with radio signals. If you use too
    much power for the amplifier in the router to handle properly, the signal
    becomes distorted and can not be understood.

    25 feet is a good distance for WiFi the claims of 100 meters are almost never
    realized. It also depends upon the antenna, the one in a laptop is usually
    very small. Polarization matters, in plain English if the antenna is vertical
    inside the laptop and horizontal on the router, there will be a significant
    loss (26dB, or around 100 times).

    If you are using 802.11 N connections, there is a significant difference
    in the range if you are using 5.8gHz (and it's legal where you are),
    then the range will be much less than 2.4gHz.

    If you are using microwave oven robustness, try turning it on. If it is on, try
    turning it off. It really helps reduce interference from microwave ovens
    (and radar), but not from other sources and if there is no interference slows
    things down.

    I was toying with the idea of doing this with a WRT-150N
    Not that I know of. You may be able to do it under Windows but then you
    could end up with a level of firmware not compatible with MacOS. Very
    unlikely, but I can't say 100% it will work.
    Is the Linksys router also wireless? Try moving the channel. It would be
    best to keep them at least 2 apart, e.g. 1 and 3, 2 and 4, 1 and 13, etc.

    You could also try turning off the encryption and any authorization if you
    have it on, MAC address filtering, etc. If that works you can turn on
    what you need.

    Make sure that the SSID (network name) of the FIOS and Linksys routers are
    different (or the same if that's what you want). WiFi is designed so that
    all access points (the radio part of a router, for example) in a network
    are treated as if they were equal priority. The computer connects to the
    one with the strongest signal, no matter which channel it is on.

    Unless the VoIP router is set as a passthrough device, it should not have
    the same SSID as the FIOS router. IMHO it should not have WiFi enabled
    at all.

    My guess is that it is set up as a separate subnet with its own DHCP server
    and so on, and if they both have the same SSID it would really confuse things.

    Geoffrey S. Mendelson, Oct 26, 2009
  6. BootP and the incompatible BootParam were two older methods of assigning
    an IP address upon request. Most DHCP servers also support BootP.

    DHCP has more features. One of the features of modern DHCP servers is to
    verify an address is unused (ping it) before assigning it so that you can
    have more than one DHCP server running on the network at the same time,
    or a coding error in the control files.

    Geoffrey S. Mendelson, Oct 26, 2009
  7. I think that is one of the things which the Genius was trying to do in
    the Apple Store to connect to their network and then switching back
    again. There is an analogous situation whereby when you get an
    annoying error message 'can't connect to network' to which you know you
    can connect easily, you have to enable WEP, pretend to connect and
    then disable it again (or vice versa) to reset what the OS thinks it
    knows about how to connect. (I will try this again next time the
    connection isn't made for no known reason)
    Amanda Ripanykhazov, Oct 26, 2009
  8. Yes, I have tried most of that except microwave robustness because all
    microwaves are even further away from the point where the WiFi signal
    starts to become weak

    As to trying to get the 150N to work, I didn't realise that the N
    protocol worked at 5.8 GHz?? And had worse range at that frequency? I
    wonder how you change this using DD-WRT? (I have never played around
    with DD-WRT on the 150N. Maybe I should?) In any event, it may be a
    consumer unit, - though it is no Linksys, - and I can't believe that
    the Buffalo can be operationally exhausted by my using it at under a
    Amanda Ripanykhazov, Oct 26, 2009
  9. Amanda Ripanykhazov

    JF Mezei Guest

    Here is how DHCP works.

    When you have a naked system without IP address (which is what happens
    when you boot), the system sends a DHCP request.

    This is in the form of an ethernet packet with a blank IP address, and
    it is broadcasted to everyone on that ethernet segment. The message is
    essentially "can anyone give me an IP ?".

    Then, DHCP servers on that ethernet segment receive that request and can
    send offers for an IP address, addressing them to the computer by
    specifying its ethernet address.

    The computer then chooses which offer it wants (usually just one offer
    is seen) and then confirms it with the DHCP server and after the
    confirmation handshake, it can start to use the assigned IP and other
    parameters supplied in the DHCP offer.

    In practice DHCP failures happen because the initial request never made
    it to a server. In other words, when DHCP fails, it is usually because
    you have ethernet layer problems. (wi-fi is ethernet level).

    And the self assigned IP you get is done by the computer (Apple adopted
    this strategy starting with Mac OS 8.6 ). One reason is that by getting
    such an IP address, it allows the computer to bring up the IP stack,
    even if all connection attempts will fail. Many applications can handle
    a connection failure, but most would not handle "sorry there is no IP
    stack available" gracefully.

    Back to your problem. Since you are using Wi-fi, there are many layers
    involved to provide what should be transparent carriage of ethernet
    packets over the air (not to be confused with Avian IP transport
    protocol http://www.rfc-editor.org/rfc/rfc1149.txt )

    While the Apple folks got you to zap many .plists, did anyone mention
    KEYCHAIN ? Wi-fi stores your wi-fi authentication in your Keychain
    database. (Applications->Utilities->Keychain Access.app )

    You might want to go into Keychain Access and delete any wi-fi
    authentication records from it.

    As someone else mentioned, there are cases where the wi-fi *appears* to
    work (you appear connected) but in fact isn't working because only the
    bottom most layer got connected and you didn't get to the authentication

    In system preferences -> network, when you click on "Airport", at the
    bottom of the pane on the right you have "Advanced". In the "Advanced"
    pane, you have the 802.1x tab. You have some profiles there as well, you
    may wish to delete them.

    You can specify what type of authentication you want. This has to be
    compatible with the network you are connecting to.

    When I moved from WPA to WPA2 Enterprise on my base station (Cisco), I
    had the behaviour you describe. I had to go into the 802.1x tab and
    enable LEAP authentication. And that fixed *my* problem.
    JF Mezei, Oct 26, 2009
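
The four-step exchange described in the post above, and the "no offer ever arrived" failure it mentions, as an added example that is not part of the thread. It packs and parses messages in the RFC 2131 layout; the function names, MAC address, transaction ID and addresses are constructed for illustration.

```python
import ipaddress
import struct

HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header (RFC 2131)
MAGIC = bytes([99, 130, 83, 99])     # cookie that precedes the DHCP options
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def ip(text):
    return ipaddress.IPv4Address(text).packed

def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=b""):
    """Pack one message; op 1 is client to server, op 2 is server to client."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,  # Ethernet, broadcast flag
                      bytes(4),      # ciaddr: blank, the client has no IP yet
                      ip(yiaddr),    # yiaddr: the address the server hands out
                      bytes(4), bytes(4), mac, b"", b"")
    return hdr + MAGIC + bytes([53, 1, msg_type]) + options + b"\xff"

def parse(pkt):
    """Unpack header and options; reject short input or a missing cookie."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end of options
        if pkt[i] == 0:                        # 0 = pad byte, has no length
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    kind = TYPES.get((opts.get(53) or b"\x00")[0], "OTHER")
    return {"xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "mac": f[11][:f[2]], "type": kind, "opts": opts}

def diagnose(capture, mac, xid):
    """Report how far the handshake got for one client in a list of messages."""
    seen, lease = [], None
    for raw in capture:
        m = parse(raw)
        if m["mac"] != mac or m["xid"] != xid:
            continue                           # another client's exchange
        seen.append(m["type"])
        if m["type"] == "ACK":
            dns = m["opts"].get(6, b"")[:4]    # option 6: DNS server list
            lease = (m["yiaddr"],
                     str(ipaddress.IPv4Address(dns)) if len(dns) == 4 else None)
    if lease:
        return "bound", seen, lease
    state = "offer not confirmed" if "OFFER" in seen else "no offer"
    return state, seen, None                   # "no offer": no server replied

def is_self_assigned(addr):
    return ipaddress.ip_address(addr).is_link_local    # 169.254.0.0/16

# Constructed sample data: locally administered MAC, private addresses.
MAC, XID = bytes.fromhex("020000aabbcc"), 0x3903F326
SRV = bytes([54, 4]) + ip("192.168.1.1") + bytes([6, 4]) + ip("192.168.1.1")
GOOD = [build(1, XID, MAC, 1),
        build(2, XID, MAC, 2, "192.168.1.23", SRV),
        build(1, XID, MAC, 3, options=bytes([50, 4]) + ip("192.168.1.23")),
        build(2, XID, MAC, 5, "192.168.1.23", SRV)]
FAILED = [build(1, XID, MAC, 1), build(1, XID, MAC, 1)]  # retries, no reply
```

`diagnose(GOOD, MAC, XID)` reports a bound lease with its DNS server, while `diagnose(FAILED, MAC, XID)` reports "no offer", the case in which the client is left with a 169.254.x.x address.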
  10. It works at both 2.4 and 5.8 (depending upon where you are, 5.8 is illegal
    here). It has about 1/4 of the range for the same power output, but much
    wider bandwidth.

    Sure the legal limit is 100mW, it depends upon how close they get to it.
    A 1 watt 5.8gHz transmitter is very expensive, so they use one that maxes
    out at 100mW, but probably expect you to use it at a lower level.

    I could spend hours discussing designing hardware to fit price/performance
    specs, but it's not relevant here. Suffice it to say, there is some limit at
    which the signal becomes unusable, and it's very close to the maximum.

    Generally, it's about .125 watts if the unit is rated at .100 watts (100mW),
    but it could be 100mW if it is normally used at .075 Watts. There are also
    issues with antennas, and how resonant they have to be. The higher the power,
    the more slight imperfections affect the signal, the transmitter, how much
    power it uses and so on.

    Geoffrey S. Mendelson, Oct 26, 2009
  11. Amanda Ripanykhazov

    Adam Guest

    You have little snitch installed - Uninstall it. I know you said you
    don't, but do yourself a favor, go search your machine for little
    snitch right now... Try /Applications for the little snitch
    configuration. Or next time one of those messages pops up, choose a
    different option like open preferences or rule list.
    Adam, Oct 27, 2009
  12. Amanda Ripanykhazov

    David Empson Guest

    Those messages are not from Little Snitch.

    Little Snitch alerts for outgoing network connections. The messages
    described by the original poster are relating to incoming connections,
    not outgoing connections.

    They are probably being generated by the firewall which is part of Mac
    OS X 10.5 and later. (Sometimes referred to as the "application
    firewall", to distinguish it from the port-based firewall which was used
    in Mac OS X 10.4 and earlier and is still available in 10.5 if you use
    third-party software to configure it.)

    If the "Genius" didn't know that, he wasn't trained very well.

    I see a similar message as soon as I start the Firewall in System
    Preferences > Security, if I have anything running which is not signed
    and which is trying to accept incoming network connections.
    David Empson, Oct 27, 2009
  13. Amanda Ripanykhazov

    Fred Moore Guest

    Thanks for the technical details, Geoff. Nice to know there's something
    more than voodoo going on. ;)
    Fred Moore, Oct 27, 2009
  14. Was this ever resolved?

    Geoffrey S. Mendelson, Nov 1, 2009