IMC spoofing IP Addresses ?

Honored Contributor


I have a customer who is monitoring several HP/Avaya switches with IMC. The switches are on remote routed subnets, some simply routed, other routed by firewalls.
In the firewall logs however, they have noticed IP spoofing from the IMC subnet.
After analysis and packet traces, it appeared that IMC itself is not only trying to send ICMP echo requests with its own IP address, but also with a source IP address from the subnet of the managed devices.
For example: IMC has IP, the remote device has IP, connected by firewall/router. With a Wireshark trace on the IMC, we see IMC is sending ICMP echo requests with source IP e.g. to the device. We see similar behavior for devices in other subnets, e.g. for switch with IP, IMC would use source IP
The trace actually shows that the source MAC address of the device is the IMC server.

We have already disabled the dismanping on the IMC configuration.
This is an IMC Enterprise installation on Windows Server on an ESX host (trial license).

Of course the firewall team does not like this, since they get plenty of log messages about ip spoofing.
Has anyone experienced this already? Does anyone know why IMC would be doing this?

Thank you, Peter.

Frequent Advisor

Re: IMC spoofing IP Addresses ?

Very strange. I'm sure you have already checked whether there are multiple IP addresses assigned to the iMC host or not?

Aaron Paxson
Honored Contributor

Re: IMC spoofing IP Addresses ?

Hi Aaron,


Thanks for your reply (I have also posted this request on , I will sync the outcome)


Yes, only 1 IP assigned.

It really seems to be looping through all possible subnets (making up a /24 subnet itself) and sending the echo requests with some random source IP from that subnet (but always based on an IP of a managed host).


Could it be trying to discover hosts with a mismatched subnet mask? (The remote host will be sending an ARP request, so that can/could be picked up by IMC or another routing device, and then queried by IMC via SNMP ARP tables.)


It could be doing smart things, but I do not understand it, and more important, I would need to know how to turn it off ...


Best regards, Peter
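
The check described in this thread (echo requests that carry the IMC server's source MAC but a source IP that is not the server's own) can be run over captured frames as below. This is an added example, not code from any poster or from IMC; the MAC and IP addresses are constructed placeholders because the thread does not give the real ones, and the function names are hypothetical.

```python
import ipaddress
import struct

# Constructed placeholders: the thread does not state the real addresses.
IMC_MAC = bytes.fromhex("020000000001")
IMC_IP = ipaddress.ip_address("192.0.2.10")

def build_echo_request(src_mac, src_ip, dst_ip):
    """Build a minimal Ethernet/IPv4/ICMP echo request (checksums left at zero)."""
    eth = bytes.fromhex("020000000002") + src_mac + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request
    return eth + ip + icmp

def find_foreign_source_pings(frames, host_mac=IMC_MAC, host_ip=IMC_IP):
    """Return (src_ip, dst_ip, src_in_dst_slash24) for echo requests sent
    from host_mac whose IPv4 source address is not host_ip."""
    hits = []
    for frame in frames:
        if len(frame) < 34 or frame[6:12] != host_mac:
            continue  # too short, or not sent by the monitored host
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 1:
            continue  # malformed header, or not ICMP
        icmp_off = 14 + ihl
        if len(frame) <= icmp_off or frame[icmp_off] != 8:
            continue  # not an echo request
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if src != host_ip:
            same24 = src in ipaddress.ip_network(f"{dst}/24", strict=False)
            hits.append((str(src), str(dst), same24))
    return hits

# Constructed sample frames: a normal poll, a poll with a source address
# taken from the device's /24, and the same packet from a different MAC.
SAMPLE_FRAMES = [
    build_echo_request(IMC_MAC, "192.0.2.10", "198.51.100.20"),
    build_echo_request(IMC_MAC, "198.51.100.77", "198.51.100.20"),
    build_echo_request(bytes.fromhex("020000000003"), "198.51.100.77", "198.51.100.20"),
]

if __name__ == "__main__":
    for src, dst, same24 in find_foreign_source_pings(SAMPLE_FRAMES):
        print(f"IMC MAC sent echo request {src} -> {dst} (source in target /24: {same24})")
```

Frames exported from a capture taken on the IMC server can be passed in as raw bytes in place of `SAMPLE_FRAMES`.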