2 IP Addresses for 1 mac-address

today i was surprise that my handy with eOS has 2 IP Addresses for the same MAC-Address.
If I have a look on the Sys Info of the OS by the settings I read the IP, only this one.

But if i scan my home Ethernet then i observed 2 for the same device with same Mac and same host-name. 2002 ms SM-G975F.fritz.box [n/a] D6:2B:DB:F8:DB:0A [n/a filtered ports] 2001 ms SM-G975F.fritz.box [n/a] D6:2B:DB:F8:DB:0A 80,443,8080

The one with 128 has filtered ports with 80,443,8080. And sometimes it not appears on the Ipscanner.
Do some one have an Idea what’s going on? Or explain to me what I might not have understand?
Or should I be careful for any malware?
Thanks very much for any answer or tipps.


Regain your privacy! Adopt /e/ the unGoogled mobile OS and online servicesphone

being able to run tcpdump on a router is very helpful. In absence you could install afwall+ on-device and see what is offering those ports.

Thank you for your feedback.
tcpdump would not be easy the os of it is closed.
I admit that i didn’t try to do it because of the closed sw, and i’ve not so much time to spend for it.
I’ll give a look on afwall, and will give a feedback after…

@Manoj could you maybe ask by the devs if it’s a normal behaviour of the system? If there is a software part which may required this behaviour with secured ports.
I think about the fictive position or other security sw parts like the ip filtering or the tracker filter and others?

I observed that the second IP is not constantly active, sometimes it “disappears” by scanning.
The point is that no parts of system info in settings report something about this IP…

the moment the router sees two IPs for your device, run a adb shell on-device and check if the second ip shows up in “ip addr”. If so, with “adb root” enabled on a dev build you could look at packets or check what process pid/uid utilizes the ip.

maybe is a stupid question, but is not possible to check it on the device itself by using a command line app?
I’ve no idea what’s for an app it could be.

For example by sailfish OS if the user activate the developer mode, this mode allows to use a command line tool and use on it all the available linux/unix commands.
That would be perfect for my case too. no need to install or reinstall on pc this part or ask me if it really works or not…

absolutely, you can do that. If not for termux, there’s a built-in terminal app you can enable in the developer options

didn’t find the built-in terminal under the dev-options. I installed termux, but as it happened it see only one IP address.

But what’ strange is by further investigate under the about menu of telephone settings.
I may read the real mac address of the phone, and under the sub-menu called “address Mac wifi” “registered networks” (not sure if it’s like this in English language).
Then I see the 2 possible networks at home, the conventional 2,4khz and the 5khz that the ip address with mac address D6:2B:DB:F8:DB:0A is a fictive one by the 5khz which is most of the time closed.
But the ip address with 128 is on the 2,4khz network but with an other fictive mac address.

With termux it’s impossible to run the ip addr it need a further package called termux-tools or iprout2.
It advise then to install it with "pkg install termux-tools, but it don’t works.

Using ifconfig with or without option -a can not list all, because of permission denied on /proc/net/dev/

I’m not sure but I feel that in someway the device is sometimes connected to the both wlan 2,4khz & 5khz parallely.
Today is difficult to catch it, it happened so rarely and so short…
I’ll try to observe further the next days…

ah, dualband router, explains the second ip lease. Now to understand filtered ports… netguard can also log traffic (a pro feature?).

Dualband here too, with 2 SID (“WiFi networks”). According to my WiFi access point logs, only one IP address was used by each device. Devices are sometimes switching from 5GHz to 2.4GHz as these are mesh networks with some areas poorly covered.
Although this may be very uncommon, you may ask FritzBox support if your router’s DHCP deliver different IP addresses for 5GHz and 2.4GHz.
For the record, I don’t use any kind of VPN or “Hide my address” of Advanced Privacy.

As ports that are opened on your secondary address, it may be some kind of web or proxy server… Maybe embedded in an app?
When the address is active, what gives pointing a web browser to it, on every open port?

Also, I found Ping & Net app very usefull for network debugging.

hello both, many thanks for your explanations and tool suggestions.
hmm dual band and mesh functions could be an interesting supposition for the behavior.
the switch between 2,4 & 5ghz is less I think, my motivation in house was to separate to groups of device to dispatch constantly in each wlan typ, and shall not switch.
That’s the theorie, then I’d like to see the practice and hope that the behaviour is not from a bug or a kind of backdoor or spyware.
Want to have a look on mesh concept, but first I wanted to get the system info on device, and that’s not that easy like in Linux desktop OS.
The point is, there are other android devices in network, and none of them has this behavior. But that’s some old Os versions, and they have not this security level and privacy stuff like in eOS…

That why is a little bit strange for me.

An other point that I forgot to tell too. The router hold the all the former IP address from a device.
And my s10+ get all possible addresses between 0 &255 which were not attributed.
At beginning of the year i deleted all of them and set that the dhcp function attributes always the same ip to the s10. but some days after, I saw that it has used all possible ip addresses again.
quite strange.

nothing especially, but after thinking could be the built it cloud client, or the mail app 443 is not a port for imap? but would be strange to use an other Ip address for it…
That’s why my thought was more focused to this fictive position functionality or the ip hidding stuff…

I’ll investigate further this weekend.

Have nice time and good weekend

If your S10+ was still connected to the WiFi network, it’s OK. DHCP includes a renewal mechanism, to help devices keeping the address they already have.

No, 443 is the port for HTTPS (80 for HTTP, 8080 doesn’t have a fixed assignment, it is often used for proxies or administration interfaces).
For the reference: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers.

Whatever the client software you consider it should not open ports on any device, because it’s supposed to have only outgoing connections. Opening a port is for incoming connections, for a server software.

Wish you a very good week-end, too.

yes correct thanks, i’ve mistaken with 143 of imap and not verified my comment… my bad sorry

This topic was automatically closed after 60 days. New replies are no longer allowed.