Hello, I have used Wireshark for a few days and I noticed each connection is related to a MAC address: Cisco_ec:ba:92 (00:0d:29:ec:ba:92). It appears as destination if I initiate the connection or as source if not. I contacted my ISP (Videotron) and they don't identify their equipment by their MAC addresses and they don't seem to understand what is going on. I'm intrigued. I'm actually connected via modem (Arris) so I have nothing to do with Cisco. Is there any explanation? Thank you for your help. Danielle Massé

asked 04 Aug '11, 15:50 coccinaile

5 Answers:

All IP packets to/from IP addresses outside of your local subnet will be sent to/received from your default gateway. So the symptoms you describe would suggest that the device with MAC address 00:0d:29:ec:ba:92 is your default gateway.

You can check that by looking up which IP address is your default gateway address (assuming you're using Windows: ipconfig in a cmd window). You can then check which MAC address is listed for your gateway address with "arp -a" (also in the cmd window). I am sure this will point to the Cisco MAC address.

As you say you don't have any Cisco device in your network, my bet is that your Arris cable modem is in bridging mode, which means it is not your local gateway, it just forwards your packets to a device at your provider which acts as your default gateway. This is a normal setup and nothing to worry about :-)

answered 05 Aug '11, 01:30 SYN-bit ♦♦

Hello, you're quite right, arp -a gives me the very same MAC address. Is there a way to find out this bridging mode? Thank you very much. (06 Aug '11, 09:06) coccinaile

Hello, you're quite right, arp -a gives me the very same MAC address for my IP gateway. Thank you very much. (06 Aug '11, 10:42) coccinaile

(converted your "answer" to a "comment", please see the FAQ) Well, the fact that you get the MAC address of a device that is not in your network, but behind the cable modem, is kind of proof that it is in bridging mode :-) (07 Aug '11, 06:56) SYN-bit ♦♦

I just read about the man in the middle intervention and there is some similarity here: intercepting the traffic between two IP addresses using another MAC address? Thanks

answered 07 Aug '11, 14:58 coccinaile

If there is some man-in-the-middle attack going on, you will see ARP packets that you normally don't see. (07 Aug '11, 23:36) SYN-bit ♦♦

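The gateway check from the first answer and the ARP anomaly mentioned in the comment above, as an added example that is not part of the original thread: it parses two saved outputs of arp -a (Windows or Mac OS layout) and reports when the gateway's MAC address changed or is shared with another IP. The function names, the IP addresses and the 02:... MAC addresses are constructed for illustration; the Cisco MAC is the one from the question.

```python
import re

# One pattern for both layouts of `arp -a`:
#   Windows:  "  192.168.0.1     00-0d-29-ec-ba-92     dynamic"
#   macOS:    "? (192.168.0.1) at 0:d:29:ec:ba:92 on en0 ifscope [ethernet]"
ARP_LINE = re.compile(
    r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """Lower-case, colon-separated, zero-padded (macOS drops leading zeros)."""
    return ":".join(p.zfill(2) for p in re.split(r"[:-]", mac.lower()))

def parse_arp_table(text):
    """Return {ip: mac} for every complete entry in `arp -a` output."""
    return {m.group(1): normalize_mac(m.group(2))
            for m in map(ARP_LINE.search, text.splitlines()) if m}

def check_gateway(before, after, gateway_ip):
    """Compare two snapshots; return a list of findings (empty = nothing odd)."""
    old, new = parse_arp_table(before), parse_arp_table(after)
    gw_mac = new.get(gateway_ip)
    if gw_mac is None:
        return ["gateway %s has no ARP entry" % gateway_ip]
    findings = []
    if old.get(gateway_ip, gw_mac) != gw_mac:
        findings.append("gateway MAC changed: %s -> %s" % (old[gateway_ip], gw_mac))
    # A second IP answering with the gateway's MAC is a hint, not proof.
    twins = sorted(ip for ip, mac in new.items() if mac == gw_mac and ip != gateway_ip)
    if twins:
        findings.append("gateway MAC %s also used by %s" % (gw_mac, ", ".join(twins)))
    return findings

# Constructed sample data: the IPs and the 02:... MACs are made up; the Cisco
# MAC is the one from the question.
BASELINE = """\
  192.168.0.1           00-0d-29-ec-ba-92     dynamic
  192.168.0.23          02-00-00-11-22-33     dynamic
"""
LATER = """\
? (192.168.0.1) at 2:0:0:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.0.23) at 2:0:0:aa:bb:cc on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    print(check_gateway(BASELINE, BASELINE, "192.168.0.1"))  # no findings
    for finding in check_gateway(BASELINE, LATER, "192.168.0.1"):
        print(finding)
```
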
Hello, in this case, would you be kind enough to tell me where and what I should be looking for in order to be certain? Thanks a lot for your help.

answered 08 Aug '11, 06:15 coccinaile

P.S. My computer is a Mac OS 10.6

answered 08 Aug '11, 06:16 coccinaile

Update: there is a change in the Wireshark report: instead of displaying the MAC address as source and destination like it did, it displays the IP of the ISP (and the MAC address) as source or destination, so I guess there is nothing to be concerned about: the MAC address belongs to the ISP.

answered 08 Aug '11, 07:10 coccinaile

Please read the FAQ, especially the first item, which indicates that this is not a discussion forum. If you want to add more information or clarify something, either edit your question or do so with a comment block, as I'm doing now, and not as a new answer, which you've now done 4 times incorrectly. If this Q&A format doesn't really fit, then please try the Wireshark developer and/or user mailing lists instead. (09 Aug '11, 18:49) cmaynard ♦♦

I.e., for packets being sent by your machine to your cable modem to initiate a connection, the destination MAC address is a Cisco address?