Cutting down on broadcasts from printers

Unanswered Question
Jan 5th, 2009


I know I have printers that are broadcasting ipx packets. I've turned off the ones that I could, but now I have a new problem. I'm seeing several macs from a wireshark capture that is broadcasting, but in my 3750, I see those mac addresses being seen on the port that the router is connected to. If I look at the mac address table on the router, I don't have any listed. How can I go about further troubleshooting this? I have the mac address, but I'm not able to get an IP from it (unless someone knows of a trick with different software).



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
burleyman Mon, 01/05/2009 - 10:49

Since you know the MAC address go to the router and do the following.

1. show arp | inc xxxx.xxxx.xxxx (the MAC address you are looking up..note: This is case sensitive)

2. Mark down the IP Address and VLAN number if there is one

3. Based on the IP address or VLAN Number go to the appropriate switch and do the following...or traceroute using that IP address you found

4. show mac-add dyn | inc xxxx.xxxx.xxxx (the MAC address you are looking up..note: This is case sensitive)

5. If the equipment you are looking for is still connected and on you will now know the Interface (Port)

Hope this helps


John Blakley Mon, 01/05/2009 - 10:52


Thanks for the response. I've done that, but there's nothing listed on the switch.



burleyman Mon, 01/05/2009 - 11:10

You are sure the MAC address you have is a printer...correct? How many printers do you have? Do you have snmp, dns, wins, on...and do you need those running? We had a simular issue and I needed to turn off those services as I did not need them.


John Blakley Mon, 01/05/2009 - 11:21

Well, to be honest, not 100% sure. It could be another device, but when I'm watching wireshark, I get a ton of packets for IPX/SAP, so I assume it's printers/copiers that have IPX enabled. I do have a lot of devices that have snmp, dns, and wins on, but those protocols show up as themselves. I'm seeing IPX/SAP and RIP (which we don't use). I'm not having any luck in tracking down what they actually belong to though. :-)

Thanks Mike!


John Blakley Mon, 01/05/2009 - 11:47


I've done this, and most of them are coming back printers. They also correlate to what I'm seeing in wireshark:

Internetwork Packet eXchange

Checksum: 0xffff

Length: 96 bytes

Transport Control: 0 hops

Packet Type: IPX (0x00)

Destination Network: C42D8206 (0xC42D8206)

Destination Node: Broadcast (ff:ff:ff:ff:ff:ff)

Destination Socket: SAP (0x0452)

Source Network: C42D8206 (0xC42D8206)

Source Node: Hewlett-_0c:e2:05 (00:10:83:0c:e2:05)

Source Socket: SAP (0x0452)

John Blakley Mon, 01/05/2009 - 11:57

Wow....interestingly enough, I converted the source network and it comes back with a: as an address. I don't have that address at all. I'm going to convert some more, and see if there's any correlation.

Any other ideas?



John Blakley Mon, 01/05/2009 - 12:03

Well, I only found the one packet like that. Everything else is reporting that the Source network and Socket is unknown. This is frustrating because I have several "printer-type" nodes listed:

Ricoh (different macs)

OkiElect (Have a feeling it's an okidata printer)

Tektronic (printer possibly?)





All of these "nodes" are broadcasting IPX/SAP packets.



burleyman Mon, 01/05/2009 - 12:08

What I had to do was go to each printer and turn it off. I did it through our printserver or went in via the web to the printer and made the changes.



This Discussion