Unknown Frame - mysterious mac address


We are having some strange activity on the network, with intermittent slowing down. Wireshark scans produce multiple results from the same source:

Ethernet II, Src: fe:80:00:00:00:00 (fe:80:00:00:00:00), Dst: 59:de:e6:c9:98:55 (59:de:e6:c9:98:55)

Any initial thoughts?

Neither of those addresses are well known addresses, so it could be

  • some special config in your local network setup, you don't know of
  • a broken device (switch, NIC, etc.) that just sends bogus frames and hence the unknown MAC addresses
  • someone playing tricks with you, like a local use who is 'testing' hacker tools

Please check the switch logs and CAM table of your switches to figure out the switch port where the sending device is attached to the switch. Wireshark won't be able to help you, unless you see some clear text messages in the frames that help to identify the sending device.


Kurt Knochner
Yeah, we can't identify the mac address atm.

will check the switches.

Don't forget to look at the content (payload) of the frames!

Is it possible to post a sample on ?

