Hello, I was using Wireshark and I noticed some odd DNS addresses and a strange MAC Address when my computer was at rest. I'm not sure why this happens: After these requests there are a string of ICMPv6 packets and router advertisements. I don’t understand why that happens. Second, in these same packets, there’s an Ethernet section that lists the source address and destination, but in both cases it lists the mac addresses. The thing is, the 2nd mac address doesn’t exist. It starts with f6:4b:2a, which doesn’t correspond to a vendor, and my router’s mac address starts with f4. There are also ARP packets where this same nonexistent MAC address connects to my computer. It says: Thank you for the help! asked 28 Oct ‘16, 07:29  lm044 edited 28 Oct ‘16, 07:37  grahamb ♦ |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Are you connected to a cable modem by any chance?
If you look at the dissection of the “nonexistent” MAC address in Wireshark, you’ll see the following:
Source: f6:4b:2a:xx:xx:xx Address: f6:4b:2a:xx:xx:xx …. ..1. …. …. …. …. = LG bit: Locally administered address …. …0 …. …. …. …. = IG bit: Individual address (unicast)As Microsoft Windows WLAN drivers were (and maybe still are) unable to understand several SSIDs on a single MAC address, some wireless routers which supported the multi-SSID feature have got several globally unique MAC addresses per unit, while others have got just a single globally unique MAC address and “clone” other ones from it by changing the first or last bits and changing the LG bit of all the clones to 1.
Could this be the case, i.e. is the “nonexistent” MAC address otherwise similar to the one printed on your router’s label, differing in just the last octet?
From the wording of your Question, I wasn’t even sure whether you actually use WiFi ;-) The idea was mainly to illustrate that in a significant number of cases, locally administered MAC addresses are actually derived from the globally unique ones assigned to routers while they were manufactured.
It depends on what you mean by “change”. You should see different MAC addresses for different SSIDs which are configured on your router simultaneously. Therefore:
replacing one SSID with another one doesn’t change the MAC address
adding another SSID does add another MAC address.
I don’t know your ISP’s habits, but it can often be seen these days that if you buy an (especially cable-) ISP-provided router, it comes pre-configured with
one SSID which any customer of the same ISP can use while visiting you, knowing his own passphrase,
another SSID which is used for Voice over IP devices,
yet another SSID which you use for your own non-VoIP devices.
Nope.
This is what I’ve seen everywhere so far, due to the fact that at least older Microsoft Windows wireless clients couldn’t cope with two SSIDs sharing the same MAC address.
As you say that both your SSIDs share the same MAC address, it seems your router behaves different. But in that case, I’m slightly surprised that it bothers to create a locally administered address for this purpose.
If you can see more SSIDs in the air, you can also check their MAC addresses. But if the router uses any other SSIDs than the two you’ve set up yourself, you would see them on the same channel and with the same signal strength like your two.
Thank you for your help and for answering my questions. I’m teaching myself more about networks and how this stuff works together. I didn’t know about locally administered addresses and I’ll look into why the router does that too.