This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Gratuitous ARP has unknown manufactures “Target MAC address

0

I have two 3Com switches (SuperStack 4 Switch 5500-El) that are sending out GARPs on a regular basis throughout the day. The weird thing is, besides the fact that they are GARPing regularly, is that the "Target MAC address" under the "Address Resolution Protocol (request/gratuitous ARP) is a mac address whose manufacturers octets are unknown. The "Target MAC address" is different for each of the switches. The switch located at IP 192.168.56.241 has ae:59:16:83:e9:c5 for its "Target MAC address" and The switch located at IP 192.168.56.242 has 81:41:0c:62:70:bb for its "Target MAC address" I thought that the mac address listed under "Target MAC address" was supposed to be a broadcast, 0.0.0.0 or ff.ff.ff.ff. Is this an indicator of malicious activity, or am I missing something obvious?

asked 25 Mar '16, 11:18

Bruce%20Garoutte's gravatar image

Bruce Garoutte
6113
accept rate: 0%


One Answer:

0

Maybe this article could help you: http://crnetpackets.com/2015/08/28/special-type-of-arp-packets/

And could you provide us a pcap with this packet?

answered 25 Mar '16, 12:20

Christian_R's gravatar image

Christian_R
1.8k2625
accept rate: 16%

The article pretty much sums up what I have read elsewhere, so I am still at a loss to explain this.

pcap can be retrieved from here

Thank you

(25 Mar '16, 12:36) Bruce Garoutte

I converted your answer to a comment. As it is more a comment, to my answer.

Yes I have no fast answer for this... Maybe the answer is at the system...

But at least we can see that the knows how a correct gratious arp does work

alt text

(25 Mar '16, 13:14) Christian_R

OK, thanks for the conversion. I'm not sure how to upload a picture here, so I attached it to the "Your Answer". If you open the packet, and peak inside, there is still the unknown mac address residing in the "Target MAC address" area. My concern is whether this might be a "man in the middle" type of attack signature since it (1) does not conform to the RFC and (2) the mac address of 81:41:0c:62:70:bb appears to not belong to any manufacturer as far as I could find.

(25 Mar '16, 13:31) Bruce Garoutte
(25 Mar '16, 13:31) Bruce Garoutte

This could be... You should find out if these special Gratious ARPs
has been sent by the 3COM devices or not...
If not...
You should search out these target mac devices in your network
(but maybe they are defined somewhere on the 3COM devices).

(25 Mar '16, 14:25) Christian_R

I thought that the mac address listed under "Target MAC address" was supposed to be a broadcast, 0.0.0.0 or ff.ff.ff.ff.

The "target MAC address" in the ARP part of the frame is supposed to be the same like the "destination MAC address" in the Ethernet header of the frame. So both should be the broadcast one in case of ARP requests (including GARP request) and both should be the same individual MAC address in case of ARP response (or of a request which is sent to an already known L3 target which can also happen).

However, if sender and target L3 (IPv4 in this case) addresses are the same, which is the case with gratuitous ARP, the target MAC address is not really relevant.

You cannot find any of your two weird addresses among manufacturer assigned prefixes because one of them has bit 1 of the first byte set (0xae & 0x2 = 0x2), meaning it is a privately assigned one, and the other one has bit 0 set (0x81 & 0x1 = 0x1) meaning it is a multicast address, yet multicast MAC addresses starting with 0x81 are currently not assigned for any purpose.

So I would suspect rather a bug of the switches than some malware running on them; however, there might be some other machine sending GARP and spoofing the MAC address of the switch as the source one, in an attempt to steal the traffic towards the admin interface of the switch (and probably even unaware that it was an admin interface of a switch). And there would have to be a bug in that malware, causing the target address to be this weird.

I'm afraid that in order to find out which of these two cases is true, you would have to shut down all ports of one of the switches, except a single one to which your sniffing machine would be connected, and see whether the corresponding GARP packets still come. If yes, the switch itself sends them; if not, start enabling the ports one by one to find out from which connected box they come.

(25 Mar '16, 15:32) sindy

Thanks for the suggestions. I have done just that. It appears that these switches do use GARP to ensure there is only one layer three device on the network. The unknown mac address does not exist on our network, nor anywhere on this planet according to the three Mac address look-ups I used, including Wiresharks. After reading the appropriate area in the setup manual, there appeared to not be a setting for the Target MAC address, so that part is still a mystery to me.

Thank you for all your help on this. If I find a reason for the unknown MAC, I'll update this post.

(28 Mar '16, 12:56) Bruce Garoutte
showing 5 of 7 show 2 more comments