I know I have printers that are broadcasting IPX packets. I've turned off the ones that I could, but now I have a new problem. I'm seeing several MACs from a Wireshark capture that are broadcasting, but in my 3750, I see those MAC addresses being seen on the port that the router is connected to. If I look at the MAC address table on the router, I don't have any listed. How can I go about further troubleshooting this? I have the MAC address, but I'm not able to get an IP from it (unless someone knows of a trick with different software).
Since you know the MAC address, go to the router and do the following.
1. show arp | inc xxxx.xxxx.xxxx (the MAC address you are looking up. Note: this is case sensitive)
2. Mark down the IP Address and VLAN number if there is one
3. Based on the IP address or VLAN Number go to the appropriate switch and do the following...or traceroute using that IP address you found
4. show mac-add dyn | inc xxxx.xxxx.xxxx (the MAC address you are looking up. Note: this is case sensitive)
5. If the equipment you are looking for is still connected and on you will now know the Interface (Port)
Hope this helps
Thanks for the response. I've done that, but there's nothing listed on the switch.
You are sure the MAC address you have is a printer...correct? How many printers do you have? Do you have snmp, dns, wins, on...and do you need those running? We had a similar issue and I needed to turn off those services as I did not need them.
Well, to be honest, not 100% sure. It could be another device, but when I'm watching wireshark, I get a ton of packets for IPX/SAP, so I assume it's printers/copiers that have IPX enabled. I do have a lot of devices that have snmp, dns, and wins on, but those protocols show up as themselves. I'm seeing IPX/SAP and RIP (which we don't use). I'm not having any luck in tracking down what they actually belong to though. :-)
Go to this website and plug in the MAC address and it will tell you what company it belongs to which might help.
I've done this, and most of them are coming back as printers. They also correlate to what I'm seeing in Wireshark:
Internetwork Packet eXchange
Length: 96 bytes
Transport Control: 0 hops
Packet Type: IPX (0x00)
Destination Network: C42D8206 (0xC42D8206)
Destination Node: Broadcast (ff:ff:ff:ff:ff:ff)
Destination Socket: SAP (0x0452)
Source Network: C42D8206 (0xC42D8206)
Source Node: Hewlett-_0c:e2:05 (00:10:83:0c:e2:05)
Source Socket: SAP (0x0452)
Wow....interestingly enough, I converted the source network and it comes back with a:
22.214.171.124 as an address. I don't have that address at all. I'm going to convert some more, and see if there's any correlation.
Any other ideas?
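Added example, not part of the original thread: a Python sketch that decodes the 30-byte IPX header shown in the capture above and tallies SAP broadcasters by source MAC, printed in the xxxx.xxxx.xxxx form the `show arp` and `show mac-add dyn` filters expect. It assumes each input starts at the IPX header (Ethernet/LLC framing already stripped); the sample packet is constructed from the posted field values, and the function names are hypothetical.

```python
import struct
from collections import Counter

# 30-byte IPX header: checksum, length, transport control, packet type,
# dst network/node/socket, src network/node/socket (all big-endian).
IPX_HEADER = struct.Struct("!HHBB4s6sH4s6sH")
SAP_SOCKET = 0x0452
BROADCAST = b"\xff" * 6

def cisco_mac(node: bytes) -> str:
    """Format a 6-byte node address the way IOS prints MACs (xxxx.xxxx.xxxx)."""
    h = node.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def parse_ipx(packet: bytes) -> dict:
    """Decode the IPX header; the input must start at the IPX checksum field."""
    if len(packet) < IPX_HEADER.size:
        raise ValueError("truncated IPX header")
    (_csum, length, hops, ptype, dnet, dnode, dsock,
     snet, snode, ssock) = IPX_HEADER.unpack_from(packet)
    return {"length": length, "hops": hops, "type": ptype,
            "dst_net": dnet.hex().upper(), "dst_node": dnode, "dst_socket": dsock,
            "src_net": snet.hex().upper(), "src_node": snode, "src_socket": ssock}

def sap_broadcasters(packets) -> Counter:
    """Count SAP broadcasts per source MAC, skipping frames too short to parse."""
    tally = Counter()
    for pkt in packets:
        try:
            f = parse_ipx(pkt)
        except ValueError:
            continue
        if f["dst_node"] == BROADCAST and f["dst_socket"] == SAP_SOCKET:
            tally[cisco_mac(f["src_node"])] += 1
    return tally

# Constructed sample built from the field values in the capture above.
# The 0xFFFF checksum and zero-filled 66-byte payload are assumptions.
NET = bytes.fromhex("C42D8206")
SAMPLE = IPX_HEADER.pack(0xFFFF, 96, 0, 0x00, NET, BROADCAST, SAP_SOCKET,
                         NET, bytes.fromhex("0010830ce205"), SAP_SOCKET) + bytes(66)

if __name__ == "__main__":
    for mac, count in sap_broadcasters([SAMPLE, SAMPLE, b"\x00" * 10]).most_common():
        print(f"{count:4d}  {mac}   -> show mac-add dyn | inc {mac}")
```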
Well, I only found the one packet like that. Everything else is reporting that the Source network and Socket is unknown. This is frustrating because I have several "printer-type" nodes listed:
Ricoh (different macs)
OkiElect (Have a feeling it's an okidata printer)
Tektronic (printer possibly?)
All of these "nodes" are broadcasting IPX/SAP packets.
What I had to do was go to each printer and turn it off. I did it through our printserver or went in via the web to the printer and made the changes.