Why would my MAC address spontaneously change?

I’ve reserved an IP address on my router for my PC. For forwarding certain traffic.

Today I turned my PC on and none of the traffic was forwarded. So I investigated a bit.

My PC hadn’t been assigned the IP address it was supposed to be. So I investigated a bit more…

My PC’s MAC address has changed (by itself)

Any idea how/why that would happen?

If it helps. The device in question is a Realtek RTL8187 Wireless 802.11b/g (Internal wireless card)

Are you sure you didn’t mix up the wired and wireless MACs?

I can’t think of any good reason why that would happen.

What did the mac change to? It might be that the flash chip that holds the mac address is going bad.

The only other thing I can think of is some sort of virus or malware or some hacker relaying through your computer that is intentionally changing the mac to avoid filters.

That basically doesn’t happen.
I’ve got twelve years in various help desk and sysadmin environments under my belt, and I’ve never heard of that even once.
You’re either mistaken or the victim of a hack or unauthorized local user.

Go into the advanced settings of the driver and see if it’s been changed there or in the registry:

http://www.mydigitallife.info/2008/06/30/how-to-change-or-spoof-mac-address-in-windows-xp-vista-server-20032008-mac-os-x-unix-and-linux/

I’m not mistaken…

My connection has only ever been wireless. I used my router to assign a fixed IP for my PC using its MAC address. That worked for a while. I remember the MAC address ended in 4.

Then one day my PC doesn’t get the assigned IP, so I look into this on the router and I see that the setting is still there to assign the IP to the computer. So I decide to add a new fixed IP. It brings up a different MAC address for this PC (I can see the two on the screen at the same time) The new one ends in 2 (the other numbers are different also, but the one I remember is the ending number)

To confirm that this is indeed the MAC I run ipconfig/all at the console. That confirms that the wireless card does indeed have a new MAC address.

I’ve used ipconfig/all before this happened to confirm the MAC address so I know what I’m looking at.

I ran a virus scan shortly after and there are no (known) viruses (but a lot of tracking cookies, which is normal)

This is a recent fresh install so there’s a minimal chance I’ve done anything to attract a virus. And anyway I know what not to do to be virus free. I’ve been using computers since I was a teenager (now 30) and I’ve never ever had a virus.
I did google this, and it seems it does happen (devices’ MAC addresses have changed due to a bug)

I emailed the manufacturers of the card. I’ve not received a reply, but it is still the weekend.

I get as far as configure, Advanced, but there’s no option for ‘network address’ or ‘locally administered address’

The values are there for the ethernet adapters, but none of those have been changed.

I’ve found the wireless card in the registry and it’s not been changed there either (there’s no key for ‘network address’)… [EDIT] Interestingly, there are two entries for the wireless card. The only bit that differs between the two is the ‘netcfginstanceid’ key.
I’m starting to wonder if I AM mistaken (but both my own intuition and the different numbers that came up on the router surely confirm it???)

More info. In device manager the driver name has a #2 at the end of it (second driver?) there’s no #1.

But the file for the driver (rtl8187.sys) was created, modified, and accessed on the 27th June 2008. So it isn’t a new driver.

Interesting.
The #2 may mean that you previously had another instance of that device in your config.
If your OS got really stupid, it might have seen the same device twice, then created a second device under device management. However, it almost never DELETES the original, now duplicate, device. If it did, however, that would explain your duplicated device with a #2 at the end.
The situation reeks of weird.
Even if the above has played out, your NIC really should still be on the same MAC.

Most likely cause, based on what I’ve seen in this thread, is a buggy network driver.

I’d say a little prayer, do a system restore point, and then delete the device in device management, installing it later after a reboot and giving it the newest driver out there for the device.

Hi Lobsang

Just to chime in that it is very unusual for the MAC to change but I’ve seen it happen with some bad firmware updates. I theorised that as the card sans driver is basically an empty RAM chip, when the driver inits and loads into the card RAM, some kind of update or just plain bad luck caused a different MAC.

Would you mind posting the first 4 bytes of the new MAC? Can you also say whether these 4 bytes have changed or not? This is just for interest but the IEEE assign vendors specific ranges of ethernet MACs. I’d be interested to know if your current MAC actually belongs to Realtek. There is also the case that Realtek may be rebadging, so the MAC never belonged to them to begin with.

Sorry that this isn’t helping fix your fault (but I assume you just set up another BT port forward range :) ) but I’m interested in a possible root cause, and knowing whether the new MAC is essentially random would be good.

thanks,
t.

BT?

I didn’t need to re-create my forwards. Just re-create the fixed IP entry (for my new MAC address)

I’m not sure if the first four bytes had changed. I’ll forward them when I get home (Is that the first four digits?)

As mentioned before, the MAC is part of the firmware of your card and, barring some sort of botched upgrade, will not change on its own.

However, there are ways to spoof an address to present whatever address you want to the network.

This link describes the easiest way to do it from within Windows.

Yes, giving him the first four digits (not including any dashes you may see) will give him what he wanted.

Well. I googled the first four. It gave me a list of vendors. So I googled the first six. It gave me Realtek, which is correct.

http://www.coffer.com/mac_find/?string=00%3AE0%3A4C

(00:E0:4C)

So am I right in guessing the first four meant the first four after ‘00’?

Anyway. Since you’ve helped me establish two things…

  1. It has not been spoofed (not in the ways described in the linked article)

  2. It does belong to Realtek.

I guess I’m satisfied that nothing sinister has happened. Maybe I WAS mistaken after all.

A byte is two hex digits.

But only the first three bytes are the Organizationally Unique Identifier. The wikipedia has all the details. What’s interesting is that the first byte indicates whether it’s a locally administered address (or IEEE assigned). Yours isn’t now. But maybe it used to be?
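
As an added illustration (not part of the thread): a Python sketch that pulls the Physical Address lines out of `ipconfig /all` output, splits off the three-byte OUI, tests the locally-administered bit in the first byte, and compares each adapter against the MAC a router reservation expects. The sample output and both full addresses are constructed; only the 00:E0:4C prefix comes from the thread.

```python
import re

# Constructed sample of `ipconfig /all` output. Only the 00-E0-4C prefix
# (Realtek, per the thread) is real; the last three bytes are made up.
SAMPLE_IPCONFIG = """
Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Realtek RTL8187 Wireless 802.11b/g
   Physical Address. . . . . . . . . : 00-E0-4C-81-87-02
"""

# Constructed value standing in for the MAC stored in the router reservation.
RESERVED_MAC = "02-1A-2B-3C-4D-04"

MAC_RE = re.compile(r"Physical Address[ .]*:\s*([0-9A-Fa-f-]{17})")


def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with '-', ':' or no separators."""
    digits = re.sub(r"[-:\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def classify(mac):
    """Split a MAC into its OUI and the two flag bits carried in the first byte."""
    raw = parse_mac(mac)
    return {
        "oui": ":".join(f"{b:02X}" for b in raw[:3]),   # first three bytes
        "locally_administered": bool(raw[0] & 0x02),    # U/L bit set = not IEEE-assigned
        "multicast": bool(raw[0] & 0x01),               # I/G bit, 0 for a NIC's own address
    }


def audit(ipconfig_text, reserved_mac):
    """Compare every adapter MAC in the ipconfig output with the reserved one."""
    reserved = parse_mac(reserved_mac)
    findings = []
    for found in MAC_RE.findall(ipconfig_text):
        current = parse_mac(found)
        info = classify(found)
        info.update(mac=found,
                    matches_reservation=current == reserved,
                    oui_changed=current[:3] != reserved[:3])
        findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPCONFIG, RESERVED_MAC):
        print(finding)
```

A result with `locally_administered` set means the address was set in software rather than read from the vendor-assigned value, which is the distinction the last reply is pointing at.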