This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Odd DNS Addresses, Unknown Router MAC Address

Hello, I was using Wireshark and I noticed some odd DNS addresses and a strange MAC Address when my computer was at rest.

I'm not sure why this happens:

Source: 10.0.0.3 Destination: cdns01.comcast.net Protocol: DNS Info: Standard Query PTR 6.d.f.4.b.9.e.f.f.f.a.2.b.4.4.f.2.f.f.1.1.0.2.c.4.c.0.0.1.0.6.2.ip6.arpa

Source: cdns01.comcast.net Destination: 10.0.0.3 Protocol: DNS Info: Standard Query response No such name PTR 6.d.f.4.b.9.e.f.f.f.a.2.b.4.4.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa

After these requests there is a string of ICMPv6 packets and router advertisements. I don’t understand why that happens.

Second, in these same packets, there’s an Ethernet section that lists the source address and destination, but in both cases it lists the MAC addresses. The thing is, the 2nd MAC address doesn’t exist. It starts with f6:4b:2a, which doesn’t correspond to a vendor, and my router’s MAC address starts with f4.

There are also ARP packets where this same nonexistent MAC address connects to my computer.

It says:

[nonexistent MAC address] to [my computer MAC address], who has 10.0.0.3 tell 10.0.0.1
[my MAC address] to [nonexistent MAC address], 10.0.0.3 is at [my MAC address]

Thank you for the help!

asked 28 Oct ‘16, 07:29

lm044

edited 28 Oct ‘16, 07:37

grahamb ♦

Are you connected to a cable modem by any chance?

(28 Oct ‘16, 08:28) Jaap ♦
If you look at the dissection of the “nonexistent” MAC address in Wireshark, you’ll see the following:

    Source: f6:4b:2a:xx:xx:xx
        Address: f6:4b:2a:xx:xx:xx
        .... ..1. .... .... .... .... = LG bit: Locally administered address
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

As Microsoft Windows WLAN drivers were (and maybe still are) unable to understand several SSIDs on a single MAC address, some wireless routers which supported the multi-SSID feature have got several globally unique MAC addresses per unit, while others have got just a single globally unique MAC address and “clone” other ones from it by changing the first or last bits and changing the LG bit of all the clones to 1.

Could this be the case, i.e. is the “nonexistent” MAC address otherwise similar to the one printed on your router’s label, differing in just the last octet?

(28 Oct ‘16, 14:20) sindy
From the wording of your Question, I wasn’t even sure whether you actually use WiFi ;-) The idea was mainly to illustrate that in a significant number of cases, locally administered MAC addresses are actually derived from the globally unique ones assigned to routers while they were manufactured.

> if I changed to a different SSID then I would switch to a new MAC?

It depends on what you mean by “change”. You should see different MAC addresses for different SSIDs which are configured on your router simultaneously. Therefore:

  • replacing one SSID with another one doesn’t change the MAC address

  • adding another SSID does add another MAC address.

I don’t know your ISP’s habits, but it can often be seen these days that if you buy an (especially cable-) ISP-provided router, it comes pre-configured with

  • one SSID which any customer of the same ISP can use while visiting you, knowing his own passphrase,

  • another SSID which is used for Voice over IP devices,

  • yet another SSID which you use for your own non-VoIP devices.

(29 Oct ‘16, 02:42) sindy

> do you have any thoughts on the DNS?

Nope.

> I figured that implied that the cloned mac address would correspond to one SSID and another mac address would correspond to another SSID.

This is what I’ve seen everywhere so far, due to the fact that at least older Microsoft Windows wireless clients couldn’t cope with two SSIDs sharing the same MAC address.

As you say that both your SSIDs share the same MAC address, it seems your router behaves differently. But in that case, I’m slightly surprised that it bothers to create a locally administered address for this purpose.

> Now, are you saying that beyond these two Wifi networks, there are possibly more SSIDs

If you can see more SSIDs in the air, you can also check their MAC addresses. But if the router uses any other SSIDs than the two you’ve set up yourself, you would see them on the same channel and with the same signal strength as your two.

(30 Oct ‘16, 08:45) sindy

Thank you for your help and for answering my questions. I’m teaching myself more about networks and how this stuff works together. I didn’t know about locally administered addresses and I’ll look into why the router does that too.

(30 Oct ‘16, 19:30) lm044
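
An added example, not part of the original thread: it decodes the two ip6.arpa names from the question back into the IPv6 addresses being looked up and, because both use a modified EUI-64 interface identifier (RFC 4291), recovers the MAC address embedded in them together with the LG/IG bits shown in the dissection quoted in the comments. The function names are illustrative choices, not Wireshark's.

```python
import ipaddress

# PTR query names copied from the capture lines in the question above.
PTR_GLOBAL = "6.d.f.4.b.9.e.f.f.f.a.2.b.4.4.f.2.f.f.1.1.0.2.c.4.c.0.0.1.0.6.2.ip6.arpa"
PTR_LINKLOCAL = "6.d.f.4.b.9.e.f.f.f.a.2.b.4.4.f.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa"


def ptr_to_ipv6(name):
    """Turn an ip6.arpa reverse name back into the IPv6 address it asks about."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError("not a full 32-nibble ip6.arpa name")
    nibbles = labels[:-2]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("bad nibble label")
    # Nibbles are stored least-significant first, so reverse them.
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":       # marker inserted between the MAC halves
        return None                    # e.g. privacy or manually set addresses
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L flip
    return ":".join(f"{b:02x}" for b in mac)


def mac_flags(mac):
    """Decode the two flag bits Wireshark shows as 'LG bit' and 'IG bit'."""
    first = int(mac.split(":")[0], 16)
    return {
        "locally_administered": bool(first & 0x02),
        "multicast": bool(first & 0x01),
    }


def explain(name):
    """Return (IPv6 address, embedded MAC or None, flag dict or None)."""
    addr = ptr_to_ipv6(name)
    mac = mac_from_eui64(addr)
    return addr, mac, mac_flags(mac) if mac else None


if __name__ == "__main__":
    for name in (PTR_GLOBAL, PTR_LINKLOCAL):
        addr, mac, flags = explain(name)
        print(f"{addr}  ->  MAC {mac}  {flags}")
```

Both names decode to addresses (one global, one link-local) whose embedded MAC begins with f6:4b:2a and has the locally administered bit set, which matches the Ethernet source address described in the question.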