This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I run Wireshark and it captures packets, 14% of all my traffic, with src 00:00:00:00:00:00 dst 00:00:00:00:00:00 Protocol 0x0000 Length 60 Info Ethernet II. Please tell me why I'm getting these packets.

asked 12 Feb '17, 02:33


Najam

edited 12 Feb '17, 11:23


Guy Harris ♦♦


Hello Najam

Welcome to ask.wireshark.org. Obviously the strange Ethernet frames consist of a series of zero bytes. These frames should not be seen for a number of reasons:

  • The source MAC address and destination MAC address are the same
  • The Ethertype 0x0000 could be interpreted as a frame length of zero
  • The switch should learn that the source port for the frame is also the destination port. Therefore the frame should not be forwarded.

It is important to find out if the frames are generated by one individual system, or if they are generated by multiple systems.

Solution 1: Only one system is causing the frames

If you have a managed switch, I highly recommend checking the system log and the status of the switch. On a Cisco switch the most helpful command would be show mac address-table. For a Cisco switch the output would look similar to this:

switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
...
   1    0000.0000.0000    DYNAMIC     Fa0/1
   1    0011.2233.4455    DYNAMIC     Fa0/2
...

The output should reveal the port where the network frame entered the network. You might want to replace the network card or update the driver for the system that is connected to the port.

Solution 2: Multiple systems are generating the frames

It could be that multiple systems generate the frame. Again, a faulty driver would be the most likely root cause. This causes a lot of confusion for the switch: the forwarding engine would assume that the MAC address 00-00-00-00-00-00 would be jumping from one port to another. This would be logged in the switch's log buffer. The log file from the switch could also show a message like:

%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed x times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Fa0/1 in vlan x

The switch will always expect that frames from any MAC address will constantly come in from the same port. Your system 00-11-22-33-44-55 will always be on port Fa 0/2, unless

  • The system is moved to a different port (so the old port goes into shut down) OR
  • the network topology changes (indicated by a bit in the BPDU frames that implement the spanning tree)

The whole network can become very unstable if MAC addresses appear on different ports without a change in the spanning tree.

Solution 3: Faulty network equipment

Of course, it is also possible that the switch generates the frames without reason. Please connect the suspicious computer to a different switch and verify whether the frames still show up.

Solution 4: Problem in the virtualization software

There seems to be a bug in certain VMware installations that causes these frames. Please check this thread from 2008 in the VMware community.

Good hunting


answered 12 Feb '17, 09:46


packethunter

Your answer helps me a lot, thank you very much.

(12 Feb '17, 22:59) Najam
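
The one-system-versus-several check from the answer above, as an added example that is not part of the original post: it reads saved `show mac address-table` snapshots and INVALIDSOURCEADDRESSPACKET log lines and reports, per VLAN, on how many ports the all-zero MAC was seen. The function names, the second snapshot, and the vlan number and suppress count in the log line are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# A data row of `show mac address-table`: vlan, dotted MAC, type, port.
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\w+\s+(\S+)\s*$", re.I)
# The INVALIDSOURCEADDRESSPACKET message quoted in the answer.
LOG = re.compile(r"INVALIDSOURCEADDRESSPACKET:.*?\(((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\)"
                 r" on port (\S+) in vlan (\d+)", re.I)

def norm(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def ports_for_mac(snapshots, log_lines=(), mac="0000.0000.0000"):
    """Map vlan -> set of ports on which `mac` was learned or logged."""
    target, seen = norm(mac), defaultdict(set)
    for text in snapshots:
        for line in text.splitlines():
            m = ROW.match(line)
            if m and norm(m.group(2)) == target:
                seen[int(m.group(1))].add(m.group(3))
    for line in log_lines:
        m = LOG.search(line)
        if m and norm(m.group(1)) == target:
            seen[int(m.group(3))].add(m.group(2))
    return dict(seen)

def classify(seen):
    """Per VLAN: one port points at a single sender, several at MAC moves."""
    return {vlan: "single port" if len(ports) == 1 else "multiple ports"
            for vlan, ports in seen.items()}

# Constructed sample input: snapshot 1 mirrors the table in the answer,
# snapshot 2 and the log line (vlan and suppress count) are made up.
SNAP1 = """switch#show mac address-table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0000.0000    DYNAMIC     Fa0/1
   1    0011.2233.4455    DYNAMIC     Fa0/2
"""
SNAP2 = SNAP1.replace("Fa0/1", "Fa0/3")
LOGS = ["%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 12 times)Packet received "
        "with invalid source MAC address (00:00:00:00:00:00) on port Fa0/1 in vlan 1"]

if __name__ == "__main__":
    for label, snaps in (("one snapshot", [SNAP1]), ("two snapshots", [SNAP1, SNAP2])):
        print(label, classify(ports_for_mac(snaps, LOGS)))
```

A "single port" result corresponds to Solution 1 and names the port to inspect; "multiple ports" corresponds to the MAC movement described under Solution 2.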

question asked: 12 Feb '17, 02:33

question was seen: 3,616 times

last updated: 12 Feb '17, 22:59
