Mac address weirdness

Unanswered Question
Jan 6th, 2009


I've been fighting with this for a while, and I can't figure this out. I've got Wireshark running on my laptop, and I'm noticing a ton of different MAC addresses running IPX SAP and RIP. These MAC addresses don't exist in the switch. The subnets that are affected are:

I change my mask to be and my system is in the subnet. I scanned all of the subnets using nmap so I can get the MAC address back on them. After collecting these, I searched for the MAC addresses that I'm getting in Wireshark. There's about 50 - 100 different ones, but they all refer to printers (Ricoh, Lexmark, HP, IBM, Oki, etc.). I have Wireshark open, search the text file that I created with nmap, and nothing. There's no match between nmap's findings and Wireshark's report.

I'm at a total loss as to how to go about troubleshooting this. BTW, I've checked ALL of my switches' ARP tables and MAC tables, and I've checked my core routers' MAC and ARP tables. The addresses don't exist. I don't believe this is an attack of any sort either, just an anomaly that I'm having a hard time pinpointing.



Giuseppe Larosa Tue, 01/06/2009 - 08:29

Hello John,

You see IPX SAP and IPX RIP on Wireshark/nmap.

IPX has no ARP table and no ARP process: the 48 bits of the host part are equal to the MAC address of the host.

So you cannot find any entry in the ARP tables, which are IPv4 related.

On the switch, the MAC addresses should live for 300 seconds in the CAM table with default parameters.

See Troubleshooting IPX.

There can be some printers trying to advertise their services in IPX SAP messages.

These are ignored by all non-Novell devices.

Probably it is just legacy and not an attack.

Also, the latest versions of NetWare can run over TCP.

Hope to help
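
The point above that the IPX host part is the sender's MAC can be checked directly against a capture. The following is an added example, not part of the original thread: it parses the IPX header out of raw Ethernet frames and lists IPX source nodes that are missing from a MAC inventory such as the nmap list. The sample frames, MAC addresses and function names are constructed for illustration.

```python
import struct

IPX_SOCKETS = {0x0452: "SAP", 0x0453: "RIP"}   # well-known IPX socket numbers
IPX_HDR = "!HHBB4s6sH4s6sH"                    # 30-byte IPX header layout

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ipx_frame(frame):
    """Return IPX source details for one Ethernet frame, or None if it is not IPX."""
    if len(frame) < 14:
        return None
    eth_src, (type_len,) = frame[6:12], struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if type_len == 0x8137:                                     # Ethernet II
        encap = "Ethernet_II"
    elif type_len <= 1500 and payload[:2] == b"\xff\xff":      # Novell raw 802.3
        encap = "802.3_raw"
    elif type_len <= 1500 and payload[:3] == b"\xe0\xe0\x03":  # 802.2 LLC
        encap, payload = "802.2_LLC", payload[3:]
    else:
        return None
    if len(payload) < 30:
        return None
    # Fields: checksum, length, transport control (hop count), packet type,
    # dst net/node/socket, src net/node/socket.
    _, _, hops, _, _, _, _, src_net, src_node, src_sock = struct.unpack(IPX_HDR, payload[:30])
    return {"encap": encap, "eth_src": fmt_mac(eth_src), "ipx_node": fmt_mac(src_node),
            "ipx_net": src_net.hex(), "service": IPX_SOCKETS.get(src_sock, hex(src_sock)),
            "hops": hops}

def unknown_ipx_sources(frames, inventory):
    """Map each IPX source node missing from the inventory to the services it sent."""
    known = {m.lower() for m in inventory}
    result = {}
    for frame in frames:
        info = parse_ipx_frame(frame)
        if info and info["ipx_node"] not in known:
            result.setdefault(info["ipx_node"], set()).add(info["service"])
    return result

def build_sample(eth_src, node, sock, hops=0):
    """Constructed Ethernet II + IPX broadcast header for the demo below."""
    ipx = struct.pack(IPX_HDR, 0xFFFF, 30, hops, 0, bytes(4), b"\xff" * 6, sock,
                      bytes(4), node, sock)
    return b"\xff" * 6 + eth_src + struct.pack("!H", 0x8137) + ipx

if __name__ == "__main__":
    printer = bytes.fromhex("020000aabb01")   # constructed MAC, not from the thread
    frames = [build_sample(printer, printer, 0x0452), build_sample(printer, printer, 0x0453)]
    print(unknown_ipx_sources(frames, inventory=["00:11:22:33:44:55"]))
```

Comparing `eth_src` with `ipx_node` and looking at `hops` shows whether the Ethernet source of a frame is the same station as the IPX source node it carries.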


John Blakley Tue, 01/06/2009 - 08:34

This is good information Giuseppe, but I guess my question is how do I stop them? All of my local printers are configured with IP being the only enabled protocol, and we don't run Novell at all. My concern is that there are a TON of different MACs, and since I can't find them in a switch anywhere, it makes it hard to find where the MAC address belongs.

Thanks for the response!


