Mac address weirdness

John Blakley
VIP Alumni

All,

I've been fighting with this for a while, and I can't figure this out. I've got Wireshark running on my laptop, and I'm noticing a ton of different MAC addresses running IPX SAP and RIP. These MAC addresses don't exist in the switch. The subnets that are affected are:

10.1.0.0

10.2.0.0

10.3.0.0

10.4.0.0

I changed my mask to be 255.0.0.0 and my system is in the 10.2.0.0 subnet. I scanned all of the subnets using nmap so I can get the MAC addresses back on them. After collecting these, I searched for the MAC addresses that I'm getting in Wireshark. There's about 50 - 100 different ones, but they all refer to printers (Ricoh, Lexmark, HP, IBM, Oki, etc.). I have Wireshark open, search the text file that I created with nmap, and nothing. There's no match between nmap's findings and Wireshark's report.

I'm at a total loss as to how to go about troubleshooting this. BTW, I've checked ALL of my switches' ARP tables and MAC tables, and I've checked my core routers' MAC and ARP tables. The addresses don't exist. I don't believe this is an attack of any sort either, just an anomaly that I'm having a hard time pinpointing.

Thanks,

John

HTH, John *** Please rate all useful posts ***

Giuseppe Larosa
Hall of Fame

Hello John,

You see IPX SAP and IPX RIP on Wireshark/nmap.

IPX has no ARP table and no ARP process: the 48 bits of the host part are equal to the MAC address of the host.

So you cannot find any entry in the ARP tables, which are IPv4 related.

On the switch, the MAC addresses should live for 300 seconds in the CAM table with default parameters.

See Troubleshooting IPX:

http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1908.html

There can be some printers trying to advertise their services in IPX SAP messages.

These are ignored by all non-Novell devices.

Probably it is just legacy and not an attack.

Also, the latest versions of NetWare can run over TCP.

Hope to help

Giuseppe

This is good information, Giuseppe, but I guess my question is how do I stop them? All of my local printers are configured with IP being the only enabled protocol, and we don't run Novell at all. My concern is that there are a TON of different MACs, and since I can't find them in a switch anywhere, it makes it hard to find where the MAC address belongs.

Thanks for the response!

John

HTH, John *** Please rate all useful posts ***
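
Giuseppe's reply notes that the IPX node address is the host's MAC address and that no ARP entry exists for it. As an added example (not code from either poster), the Python below parses an IPX SAP frame exported from a capture and returns the Ethernet source MAC alongside the node address inside each advertised service entry, which are the values to compare against the switch CAM table. The frame bytes, MAC address and server name are constructed sample data.

```python
import struct

SAP_SOCKET = 0x0452  # IPX socket used by the Service Advertising Protocol

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipx_offset(frame):
    """Return the offset of the IPX header for the four IPX Ethernet framings."""
    if len(frame) < 14:
        return None
    type_len = struct.unpack("!H", frame[12:14])[0]
    if type_len == 0x8137:                       # Ethernet II
        return 14
    if frame[14:16] == b"\xff\xff":              # Novell "raw" 802.3
        return 14
    if frame[14:17] == b"\xe0\xe0\x03":          # 802.2 LLC
        return 17
    if frame[14:22] == b"\xaa\xaa\x03\x00\x00\x00\x81\x37":  # 802.2 SNAP
        return 22
    return None

def parse_sap(frame):
    """Extract the addresses a SAP frame carries, or None if it is not IPX SAP."""
    off = ipx_offset(frame)
    if off is None or len(frame) < off + 32:
        return None
    (_csum, length, _tc, _ptype, _dnet, _dnode, dsock,
     snet, snode, _ssock) = struct.unpack("!HHBB4s6sH4s6sH", frame[off:off + 30])
    if dsock != SAP_SOCKET:
        return None
    body = frame[off + 30:off + length]
    services = []
    for i in range(2, len(body) - 63, 64):       # 2-byte operation, then 64-byte entries
        stype, name, _net, node, _sock, hops = struct.unpack("!H48s4s6sHH", body[i:i + 64])
        services.append((stype, name.split(b"\0")[0].decode("ascii", "replace"),
                         fmt_mac(node), hops))
    return {"eth_src": fmt_mac(frame[6:12]), "ipx_src_node": fmt_mac(snode),
            "ipx_src_net": snet.hex(), "services": services}

# Constructed sample: raw-802.3 SAP response advertising one print server (type 0x0007).
_NODE = bytes.fromhex("020000aabb01")            # constructed, locally administered MAC
_ENTRY = struct.pack("!H48s4s6sHH", 0x0007, b"PRN_LAB1", b"\0" * 4, _NODE, 0x8060, 1)
_IPX = struct.pack("!HHBB4s6sH4s6sH", 0xFFFF, 30 + 2 + 64, 0, 4, b"\0" * 4, b"\xff" * 6,
                   SAP_SOCKET, b"\0" * 4, _NODE, SAP_SOCKET) + struct.pack("!H", 2) + _ENTRY
SAMPLE = b"\xff" * 6 + _NODE + struct.pack("!H", len(_IPX)) + _IPX
```

If `eth_src` differs from the node address in a service entry, the frame was sent by a device relaying the advertisement, and `eth_src` is the address the switch would have learned on a port.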