Home networking: do I have an uninvited guest on my LAN?

Being a careful sort, I enabled security for my home wireless network.

Specifically, I:

  • Enabled WEP with a 13-byte key (I have TiVo connected via wireless, and it doesn’t support WPA so I must use WEP.)
  • Turned off SSID broadcasting.
  • Enabled MAC filtering.

I know there are ways to hack around all these things, but my neighbors are an upstanding bunch of citizens and have better things to do than hack my wireless network. I’m happy with “good enough” security.

Nevertheless, I see a rogue client on my “attached clients” list. The MAC address isn’t in the “white list” but the router admin page still shows it as a “connected device”, with a blank hostname.

I verified that my wireless router does indeed disallow access to MAC addresses not on the list, by removing the one for my laptop and verifying that it was unable to connect until I added its MAC address back to the whitelist.

Rebooting the router does not get rid of the rogue client. The router is a D-Link DI-624.

At first I thought the router was displaying its own MAC address as a “connected client”, but I checked and the listed one does not match.

The rogue client has an IP address, which when I ping gets no response. If I use “arp -a” after the ping I see the client’s IP address and MAC address.

I’m pretty sure I’ve accounted for every connected device in the house and none of them matches the unknown MAC address.

Any ideas what might be going on?

My 514 doesn’t show any such entry. Beyond some sort of packet sniffing setup, I can’t think of much to try more than you’ve done already… got the latest firmware?

There is a certain amount of information one can glean from a hardware address. What’s the MAC address?

Yes, I have the latest firmware. I did think about packet sniffing - I’ve used Ethereal quite a bit but never did get the hang of “promiscuous mode”.

If anyone’s curious, I think I got to the bottom of this.

  1. The MAC address filtering wasn’t working because, well, it wasn’t enabled. Even though I’d clicked the appropriate button in the D-Link admin screen, and clicked “save”, and clicked “refresh”, when I visited the admin page from another computer I saw the option was disabled.

  2. As to the rogue MAC address itself: I just added a wireless adapter to my XBOX 360. It shows up as “Ethernet Bridge” or some such; it is wireless, but the XBOX connects to it via a regular Ethernet cable. I’m wondering if that causes it to show up as two separate MAC addresses, even though it’s only a single device. The word “bridge” suggests two end-points, to me.
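As an added example (not part of the thread): a small Python script that automates the checks the posts above do by hand, reading `arp -a` output, flagging MAC addresses that are missing from an allowlist, and decoding what the hardware address itself reveals (vendor prefix, locally administered bit). The function names, sample output and allowlist are constructed for illustration.

```python
import re

# An IPv4 address, then a MAC with ':' or '-' separators (macOS drops leading zeros).
ARP_LINE = re.compile(
    r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?.*?"
    r"\b((?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})\b")

def normalize_mac(mac):
    """Return the MAC as lowercase, zero-padded, colon-separated octets."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", mac.lower()))

def describe_mac(mac):
    """Decode the fields every 48-bit MAC carries in its first three octets."""
    mac = normalize_mac(mac)
    first = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],                              # vendor prefix (IEEE registry)
        "multicast": bool(first & 0x01),             # I/G bit: group address
        "locally_administered": bool(first & 0x02),  # U/L bit: not a burned-in address
    }

def unknown_clients(arp_output, allowlist):
    """Return decoded ARP entries whose MAC is not on the allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    found = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            info = describe_mac(m.group(2))
            # Broadcast/multicast entries (ff:ff:..., 01:00:5e:...) are not hosts.
            if not info["multicast"] and info["mac"] not in allowed:
                found.append({"ip": m.group(1), **info})
    return found

# Constructed sample in the Windows "arp -a" layout (not from the thread).
SAMPLE = """\
Interface: 192.168.0.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-00-5e-00-53-01     dynamic
  192.168.0.105         00-00-5E-00-53-2A     dynamic
  192.168.0.120         02-00-5e-00-53-7f     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
ALLOWLIST = ["00:00:5E:00:53:01"]  # constructed; stands in for the router's MAC filter list

if __name__ == "__main__":
    for entry in unknown_clients(SAMPLE, ALLOWLIST):
        print(entry)
```

The ARP table only lists hosts the local machine has recently exchanged traffic with, so ping the address in question first, as the original poster did.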