FBI blocking fails if IP has two non-terminated MAC end hosts in NCIS.
It should never happen in practice, but under rare circumstances it is possible for NCIS to have two non-terminated end hosts for one IP address and two MAC addresses.
Case #1) An ARP record is bouncing between two MACs for one IP from a misconfigured system.
Case #2) Two different systems (with their own MAC addresses) are trying to use the same IP address.
The current blocking code only assumes that one and only one non-terminated end host can be found and tracebacks if multiple end host records are found.
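The failure mode described above, as an added example that is not part of the original issue and is not TISSUE or NCIS code: a lookup that assumes exactly one non-terminated record, next to one that returns every live MAC for the IP and flags the conflict. The record fields and function names are hypothetical, and the sample data is constructed.

```python
from collections import namedtuple

# Hypothetical record shape; the real NCIS schema is not shown on this page.
EndHost = namedtuple("EndHost", "ip mac terminated last_seen")


def single_host_lookup(records, ip):
    """The assumption described above: exactly one live record per IP."""
    live = [r for r in records if r.ip == ip and not r.terminated]
    (host,) = live  # raises ValueError (a traceback) when len(live) != 1
    return host


def block_targets(records, ip):
    """Return (macs, conflict) for every non-terminated record of `ip`.

    macs is ordered newest-first and de-duplicated; conflict is True when
    more than one distinct MAC is live for the address, so the caller can
    decide how to block and log the case instead of crashing.
    """
    live = [r for r in records if r.ip == ip and not r.terminated]
    live.sort(key=lambda r: r.last_seen, reverse=True)
    macs = []
    for r in live:
        mac = r.mac.lower()  # normalise case so one MAC is not counted twice
        if mac not in macs:
            macs.append(mac)
    return macs, len(macs) > 1


# Constructed sample data (documentation-range IPs, made-up MACs).
SAMPLE = [
    EndHost("192.0.2.10", "00:11:22:33:44:55", False, 1700000300),
    EndHost("192.0.2.10", "66:77:88:99:AA:BB", False, 1700000400),
    EndHost("192.0.2.10", "00:11:22:33:44:55", True, 1699990000),
    EndHost("192.0.2.20", "02:00:00:00:00:01", False, 1700000100),
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(ip, block_targets(SAMPLE, ip))
```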
#1 Updated by Michael Zalokar over 5 years ago
Comments about the problem put into the code:
bash-4.1$ cvs commit tissue_core/RELEASE_NOTES tissue_core/TissueCoreImpl/BlockImpl.py tissue_core/TissueCoreImpl/EventImpl.py tissue_core/TissueEvent/DetectedData.py RELEASE_NOTES
Checking in tissue_core/RELEASE_NOTES;
new revision: 1.107; previous revision: 1.106
Checking in tissue_core/TissueCoreImpl/BlockImpl.py;
/cvs/cd/tissue/tissue_core/TissueCoreImpl/BlockImpl.py,v <-- BlockImpl.py
new revision: 1.41; previous revision: 1.40
Checking in tissue_core/TissueCoreImpl/EventImpl.py;
/cvs/cd/tissue/tissue_core/TissueCoreImpl/EventImpl.py,v <-- EventImpl.py
new revision: 1.38; previous revision: 1.37
Checking in tissue_core/TissueEvent/DetectedData.py;
/cvs/cd/tissue/tissue_core/TissueEvent/DetectedData.py,v <-- DetectedData.py
new revision: 1.24; previous revision: 1.23
bash-4.1$ cvs commit ncis_hw_factory/NcisHwFactory/HwFactory.py HwFactory.py
Checking in ncis_hw_factory/NcisHwFactory/HwFactory.py;
new revision: 1.23; previous revision: 1.22