Fw: wrong/false duplicate MAC in nmap -sP listing

[Mihu RUCAREANU <mihu_rucareanu () hotmail com>]

________________________________
From: Mihu RUCAREANU <mihu_rucareanu () hotmail com>
Sent: December 11, 2020 12:21 AM
To: fyodor () nmap org <fyodor () nmap org>
Subject: wrong/false duplicate MAC in nmap -sP listing

Hi "Fyodor"-Lyon,
I'm an average Linux user, rather beginner and self-taught by trial-and-error, sometimes too perfectionist, but trying 
to be systematic nonetheless. I'm also an enthusiastic user of your program for detecting when my teenager kids sneak 
on the network behind my back. ;-)

While trying your program for the past couple of months on my home network composed of a few different OS and 
architectures, I think that lately I might have noticed a bug in the behaviour of Nmap that has crept-in since the last 
update (approximately a couple of weeks ago) from the official repositories in both Debian and Centos stable releases 
that affect the way how the latest network protocols are being interpreted in Nmap. First, I have to state that it all 
seemed to work quite well for my needs at the beginning, but lately all my Linux machines seem to report one 
false/wrong MAC address (usually the LAN one is falsely reported as identical-duplicate of the WIFI MAC) for laptops 
that have acquired two different IPs (one for the LAN and another for the WIFI interface) on the same network. Please 
see attached my edited examples from two of my machines (one Debian 10.7 and one Centos 7.9, both updated to the latest 
and current official releases) that falsely show identical MAC addresses for the different LAN and WIFI interfaces with 
their corresponding different IPs local network. (Please note the "yy:yy:yy:yy:yy:yy" MAC address that is consistently 
duplicated in both examples for a Toshiba laptop that has acquired two IPs - one for the LAN interface and one for the 
WIFI.)
It seems to affect my Ubuntu 20.04 machines as well.

Another worrisome behaviour of Nmap comes from the aspect of its inconsistency: both listing file reports are from a 
simple "nmap -sP" performed on the same local network at the same time, but one detects an Apple iPad and not the 
iPhone, while the other report does the opposite. As a user I have to combine the two of them to get a (maybe?) more 
complete report without being certain that I'm still missing a few from my youngsters still playing tricks on me. (I 
understand that the Debian's nmap version 7.70 was not the latest, but was still capable of discovering some of the 
hidden ones to the Centos' newest version 7.91 and vice-versa).

Thank you for your consideration,

Mihu

Attachment: nmap_bug_Centos_7p9.txt
Description: nmap_bug_Centos_7p9.txt

Attachment: nmap_bug_Debian_10p7.txt
Description: nmap_bug_Debian_10p7.txt

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/