01-06-2009 07:41 AM - edited 03-06-2019 03:16 AM
All,
I've been fighting with this for a while, and I can't figure this out. I've got Wireshark running on my laptop, and I'm noticing a ton of different MAC addresses running IPX SAP and RIP. These MAC addresses don't exist in the switch. The subnets that are affected are:
10.1.0.0
10.2.0.0
10.3.0.0
10.4.0.0
I changed my mask to be 255.0.0.0 and my system is in the 10.2.0.0 subnet. I scanned all of the subnets using nmap so I could get the MAC addresses back on them. After collecting these, I searched for the MAC addresses that I'm getting in Wireshark. There are about 50 - 100 different ones, but they all refer to printers (Ricoh, Lexmark, HP, IBM, Oki, etc.). I have Wireshark open, search the text file that I created with nmap, and nothing. There's no match between nmap's findings and Wireshark's report.
I'm at a total loss as to how to go about troubleshooting this. BTW, I've checked ALL of my switches' ARP tables and MAC tables, and I've checked my core routers' MAC and ARP tables. The addresses don't exist. I don't believe this is an attack of any sort either, just an anomaly that I'm having a hard time pinpointing.
Thanks,
John
01-06-2009 08:29 AM
Hello John,
You see on Wireshark/nmap IPX SAP and IPX RIP.
IPX has no ARP table and no ARP process; the 48 bits of the host part are equal to the MAC address of the host.
So you cannot find any entry in the ARP table, which is IPv4 related.
On the switch the MAC addresses should live for 300 seconds in the CAM table with default parameters.
See Troubleshooting IPX:
http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1908.html
There can be some printers trying to advertise their services in IPX SAP messages.
These are ignored by all non-Novell devices.
Probably it is just legacy and not an attack.
Also the latest versions of NetWare can run over TCP.
Hope to help
Giuseppe
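Giuseppe's point that the IPX host part is simply the station's MAC address can be checked directly on captured frames. The following is an added example, not code from this thread or from Cisco: it decodes an IPX packet from its Ethernet encapsulation (Ethernet II, Novell raw 802.3 or 802.2 LLC), names the SAP/RIP socket, and reports whether the IPX source node equals the Ethernet source MAC. The sample frames and their MACs are constructed for the demonstration.

```python
import struct

IPX_ETHERTYPE = 0x8137
IPX_SOCKETS = {0x0451: "NCP", 0x0452: "SAP", 0x0453: "RIP", 0x0455: "NetBIOS"}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_ipx_frame(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying IPX and report where it came from.
    IPX has no ARP, so the 48-bit host part of the IPX source address
    should equal the Ethernet source MAC; the result records whether it does.
    """
    dst_mac, src_mac, type_or_len = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if type_or_len == IPX_ETHERTYPE:                   # Ethernet II
        ipx = payload
    elif type_or_len <= 1500 and payload[:2] == b"\xff\xff":   # Novell raw 802.3
        ipx = payload
    elif type_or_len <= 1500 and payload[:3] == b"\xe0\xe0\x03":  # 802.2 LLC
        ipx = payload[3:]
    else:
        raise ValueError("not an IPX frame")
    # 30-byte IPX header: checksum, length, hops, type, dst net/node/socket, src net/node/socket
    (_cksum, _length, _hops, _ptype, _dnet, dst_node, dst_sock,
     src_net, src_node, _ssock) = struct.unpack("!HHBBI6sHI6sH", ipx[:30])
    return {
        "src_mac": mac_str(src_mac),
        "ipx_src_net": f"{src_net:08x}",
        "ipx_src_node": mac_str(src_node),
        "node_matches_mac": src_node == src_mac,
        "broadcast": dst_node == b"\xff" * 6,
        "service": IPX_SOCKETS.get(dst_sock, f"socket {dst_sock:#06x}"),
    }

def build_ipx_frame(src_mac: bytes, dst_sock: int, body: bytes) -> bytes:
    """Constructed test frame: raw-802.3 IPX broadcast, as a legacy printer might send."""
    ipx = struct.pack("!HHBBI6sHI6sH", 0xFFFF, 30 + len(body), 0, 4,
                      0, b"\xff" * 6, dst_sock, 0, src_mac, dst_sock) + body
    return b"\xff" * 6 + src_mac + struct.pack("!H", len(ipx)) + ipx

def sample_report() -> list:
    # Constructed sample: one SAP and one RIP broadcast from made-up (locally administered) MACs.
    frames = [
        build_ipx_frame(bytes.fromhex("021122334455"), 0x0452, b"\x00\x02"),
        build_ipx_frame(bytes.fromhex("02aabbccddee"), 0x0453, b"\x00\x01"),
    ]
    return [parse_ipx_frame(f) for f in frames]
```

Run `parse_ipx_frame` over the IPX frames exported from the capture; when the node matches the MAC but the CAM table is empty, compare the capture time against the 300-second aging Giuseppe mentions before looking for anything more exotic.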
01-06-2009 08:34 AM
This is good information Giuseppe, but I guess my question is how do I stop them? All of my local printers are configured with IP being the only enabled protocol, and we don't run Novell at all. My concern is that there are a TON of different MACs, and since I can't find them in a switch anywhere, it makes it hard to find where the MAC address belongs.
Thanks for the response!
John