This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Suspicious packets with all-zero Ethernet header


I run Wireshark and it captures packets (14% of all my traffic) with src 00:00:00:00:00:00, dst 00:00:00:00:00:00, Protocol 0x0000, Length 60, Info "Ethernet II". Please tell me why I'm getting these packets.

asked 12 Feb '17, 02:33


Najam

edited 12 Feb '17, 11:23


Guy Harris ♦♦


One Answer:


Hello Najam

Welcome to ask.wireshark.org. Obviously the strange Ethernet frames consist of a series of zero bytes. These frames should not be seen for a number of reasons:

  • The source MAC address and the destination MAC address are the same
  • The Ethertype 0x0000 could be interpreted as a frame length of zero
  • The switch should learn that the source port for the frame is also the destination port. Therefore the frame should not be forwarded.

It is important to find out if the frames are generated by one individual system or if they are generated by multiple systems.

Solution 1: Only one system is causing the frames

If you have a managed switch, I highly recommend checking the system log and the status of the switch. On a Cisco switch the most helpful command would be show mac address-table. For a Cisco switch the output would look similar to this:

switch#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
…
   1    0000.0000.0000    DYNAMIC     Fa0/1
   1    0011.2233.4455    DYNAMIC     Fa0/2
…

The output should reveal the port where the network frame entered the network. You might want to replace the network card or update the driver of the system that is connected to that port.

Solution 2: Multiple systems are generating the frames

It could be that multiple systems generate the frame. Again, a faulty driver would be the most likely root cause. This causes a lot of confusion for the switch: the forwarding engine would assume that the MAC address 00-00-00-00-00-00 is jumping from one port to another. This would be logged in the switch's log buffer. The log file from the switch could also show a message like:

%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed x times)Packet received with invalid source MAC address (00:00:00:00:00:00) on port Fa0/1 in vlan x

The switch will always expect that frames from any given MAC address constantly come in from the same port. Your system 00-11-22-33-44-55 will always be on port Fa0/2, unless

  • the system is moved to a different port (so the old port goes into shutdown), OR
  • the network topology changes (indicated by a bit in the BPDU frames that implement the spanning tree)

The whole network can become very unstable if MAC addresses appear on different ports without a change in the spanning tree.

Solution 3: Faulty network equipment

Of course, it is also possible that the switch generates the frames without reason. Please connect the suspicious computer to a different switch and verify whether the frames still show up.

Solution 4: Problem in the virtualization software

There seems to be a bug in certain VMware installations that causes these frames. Please check this thread from 2008 in the VMware community.

Good hunting

answered 12 Feb '17, 09:46


packethunter
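The two checks the answer describes, recognising the all-zero Ethernet header and noticing a MAC address that jumps between switch ports, can both be reproduced on a capture. The following script is an added example and is not code from the thread or from Wireshark; the 60-byte all-zero frame, the ARP frame from 00:11:22:33:44:55 and the port assignments are constructed sample data, and LearningSwitch is a deliberately minimal model of source-MAC learning, not a reproduction of any vendor's forwarding engine or log format.

```python
# Added example (not from the original thread): parse raw Ethernet II headers,
# flag frames with all-zero addresses / EtherType 0x0000, and simulate the
# source-MAC learning of a switch so that a MAC "jumping" between ports
# (Solution 2 above) is detected. All frames below are constructed sample data.
import struct
from collections import namedtuple

EthHeader = namedtuple("EthHeader", "dst src ethertype")
ZERO_MAC = b"\x00" * 6


def parse_ethernet(frame: bytes) -> EthHeader:
    """Parse the 14-byte Ethernet II header (no VLAN tag handling)."""
    if len(frame) < 14:
        raise ValueError(f"frame too short for an Ethernet header: {len(frame)} bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return EthHeader(dst, src, ethertype)


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def classify(frame: bytes) -> list:
    """Return the reasons a frame is suspicious; an empty list means it looks normal."""
    hdr = parse_ethernet(frame)
    reasons = []
    if hdr.src == ZERO_MAC:
        reasons.append("all-zero source MAC")
    if hdr.dst == ZERO_MAC:
        reasons.append("all-zero destination MAC")
    if hdr.src == hdr.dst:
        reasons.append("source MAC equals destination MAC")
    # 0x0000-0x05DC are IEEE 802.3 length values rather than EtherTypes, and a
    # length of zero is something no real network stack emits.
    if hdr.ethertype == 0:
        reasons.append("EtherType/length field is 0x0000")
    if frame[14:] and not any(frame[14:]):
        reasons.append("payload is all zero (padding only)")
    return reasons


class LearningSwitch:
    """Minimal source-MAC learning table that records when a MAC changes port."""

    def __init__(self):
        self.table = {}   # src MAC -> port it was last learned on
        self.events = []  # human-readable log lines (constructed format)

    def ingress(self, port: str, frame: bytes) -> None:
        src = parse_ethernet(frame).src
        if src == ZERO_MAC:
            # An all-zero source is never learned; just record the event.
            self.events.append(f"invalid source MAC {mac_str(src)} on port {port}")
            return
        prev = self.table.get(src)
        if prev is not None and prev != port:
            self.events.append(f"MAC {mac_str(src)} moved from {prev} to {port}")
        self.table[src] = port


def analyse(captured):
    """captured: iterable of (ingress_port, frame). Returns (flagged, switch_events)."""
    sw = LearningSwitch()
    flagged = []
    for port, frame in captured:
        reasons = classify(frame)
        if reasons:
            flagged.append((port, mac_str(parse_ethernet(frame).src), reasons))
        sw.ingress(port, frame)
    return flagged, sw.events


# Constructed sample frames.
ZERO_FRAME = bytes(60)                      # the 60-byte all-zero frame from the question
HOST_MAC = bytes.fromhex("001122334455")    # the host from the answer's example table
BROADCAST = b"\xff" * 6
ARP_PAYLOAD = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                          HOST_MAC, bytes([192, 168, 1, 10]),
                          bytes(6), bytes([192, 168, 1, 1]))
ARP_FRAME = BROADCAST + HOST_MAC + struct.pack("!H", 0x0806) + ARP_PAYLOAD.ljust(46, b"\x00")

SAMPLE_CAPTURE = [
    ("Fa0/2", ARP_FRAME),
    ("Fa0/1", ZERO_FRAME),
    ("Fa0/3", ZERO_FRAME),
    ("Fa0/4", ARP_FRAME),   # the same host MAC suddenly seen on another port
]

if __name__ == "__main__":
    flagged, events = analyse(SAMPLE_CAPTURE)
    for port, src, reasons in flagged:
        print(f"{port}: src {src}: " + "; ".join(reasons))
    for event in events:
        print("switch:", event)
```

Running the script flags the two all-zero frames with every reason listed in the answer and reports the host MAC moving from Fa0/2 to Fa0/4; on a real capture you would feed parse_ethernet the raw frames from a pcap and take the ingress port from the switch's MAC table, since Wireshark itself cannot see which port a frame entered.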

Your answer helps me a lot, thank you very much.

(12 Feb '17, 22:59) Najam