This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unknown Frame - mysterious mac address

0

We are having some strange activity on the network, with intermittent slowing down. Wireshark scans produce multiple results from the same source:

Ethernet II, Src: fe:80:00:00:00:00 (fe:80:00:00:00:00), Dst: 59:de:e6:c9:98:55 (59:de:e6:c9:98:55)

Any initial thoughts?

asked 26 Mar '14, 02:59

bl33pcode's gravatar image

bl33pcode
11112
accept rate: 0%

One Answer:

0

Neither of those addresses are well known addresses, so it could be

  • some special config in your local network setup, you don't know of
  • a broken device (switch, NIC, etc.) that just sends bogus frames and hence the unknown MAC addresses
  • someone playing tricks with you, like a local use who is 'testing' hacker tools

Please check the switch logs and CAM table of your switches to figure out the switch port where the sending device is attached to the switch. Wireshark won't be able to help you, unless you see some clear text messages in the frames that help to identify the sending device.

Regards
Kurt

answered 26 Mar '14, 09:02

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 26 Mar '14, 09:03

Yeah, we can't identify the mac address atm.

will check the switches.

(26 Mar '14, 09:24) bl33pcode

Don't forget to look at the content (payload) of the frames!

Is it possible to post a sample on http://cloudshark.org ?

(26 Mar '14, 10:44) Kurt Knochner ♦