
We recently started to monitor our servers and found that our network interfaces drop several packets per minute. The following investigation showed that those are always packets in the following format:

00:9e:1e:[...] (oui Unknown) > 34:db:fd:[...] (oui Unknown), ethertype Unknown (0xa0a0), length 60:
        0x0000:  0015 0101 0101 0101 0101 0101 0101 0101  ................
        0x0010:  0101 0101 0101 0101 0101 0101 0101 0101  ................
        0x0020:  0101 0101 0101 0101 0101 0101 0101       ..............

There are 4 different senders, the target is always the same. The MAC vendor is Cisco and the second data byte varies a little (14, 15, 17, 18 - I think I never saw 16).

We use Cisco switches (Cisco SF220-24P) and also APs, but as far as I could find, the MACs do not match.

Google didn't get me anything useful. The ethertype could be Cisco's White Rabbit stuff, but there is no reason something like that should be active in our network. Here someone found similar packets: https://wiki.gavowen.ninja/doku.php?id=ubiquiti:edgerouter but without any more conclusion.

Those packets do not really harm us, but they shouldn't be there (I guess) and we would like to find out why they are here or what they are!?

I'm not sure what more data I could provide or where else to start, as those packets are all we have to explore. Using the Cisco SF220's web interface didn't reveal anything interesting (but to be honest, there's a lot to see and I couldn't find any fitting logs).

guntbert
Ben
  • That distinctive pattern makes me suspicious that some piece of equipment is throwing garbage onto your network. Check everything that is connected. – Michael Hampton Feb 21 '21 at 20:48
  • That might work, but we can't just take equipment offline, thus looking for another option. We suspect the switches to be the source and have a spare one. We will add that to the network and see if we get *more* of those packets. But then still, we need to figure out what configuration might cause this. – Ben Feb 23 '21 at 08:16
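
A triage helper for the kind of capture quoted in the question, added here as an example (it is not part of the original post or its comments): it parses tcpdump-style text, groups frames with ethertype 0xa0a0 by sender, and records the second payload byte and whether everything after it is 0x01 filler. The sample capture is constructed and its MAC tails are made up, since the question elides them.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
HEADER = re.compile(rf"({MAC}).*?> ({MAC}).*?ethertype .*?\(0x([0-9a-f]{{4}})\), length (\d+):")
HEXLINE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} )*[0-9a-f]{2,4})")

# Constructed capture in the shape of the dump quoted in the question.
# The MAC tails (00:00:01, 00:00:02, 00:00:aa) are made up; the question elides them.
SAMPLE = """\
00:9e:1e:00:00:01 (oui Unknown) > 34:db:fd:00:00:aa (oui Unknown), ethertype Unknown (0xa0a0), length 60:
        0x0000:  0015 0101 0101 0101 0101 0101 0101 0101  ................
        0x0010:  0101 0101 0101 0101 0101 0101 0101 0101  ................
        0x0020:  0101 0101 0101 0101 0101 0101 0101       ..............
00:9e:1e:00:00:02 (oui Unknown) > 34:db:fd:00:00:aa (oui Unknown), ethertype Unknown (0xa0a0), length 60:
        0x0000:  0017 0101 0101 0101 0101 0101 0101 0101  ................
        0x0010:  0101 0101 0101 0101 0101 0101 0101 0101  ................
        0x0020:  0101 0101 0101 0101 0101 0101 0101       ..............
00:9e:1e:00:00:01 (oui Unknown) > 34:db:fd:00:00:aa (oui Unknown), ethertype Unknown (0xa0a0), length 60:
        0x0000:  0014 0101 0101 0101 0101 0101 0101 0101  ................
        0x0010:  0101 0101 0101 0101 0101 0101 0101 0101  ................
        0x0020:  0101 0101 0101 0101 0101 0101 0101       ..............
"""

def parse_frames(text):
    """Return one dict per frame: src, dst, ethertype, length, payload (bytes)."""
    frames = []
    for line in text.splitlines():
        head = HEADER.search(line.lower())
        if head:
            src, dst, etype, length = head.groups()
            frames.append({"src": src, "dst": dst, "ethertype": int(etype, 16),
                           "length": int(length), "payload": b""})
        elif frames and (dump := HEXLINE.match(line.lower())):
            # Hex words before the ASCII column; appended to the current frame.
            frames[-1]["payload"] += bytes.fromhex(dump.group(1).replace(" ", ""))
    return frames

def summarize(frames, ethertype=0xA0A0):
    """Group frames of one ethertype by sender: count, 2nd-byte values, filler check."""
    out = defaultdict(lambda: {"count": 0, "second_byte": set(), "filler_only": True})
    for f in frames:
        if f["ethertype"] != ethertype or len(f["payload"]) < 2:
            continue
        entry = out[f["src"]]
        entry["count"] += 1
        entry["second_byte"].add(f"{f['payload'][1]:02x}")
        entry["filler_only"] &= set(f["payload"][2:]) <= {0x01}
    return dict(out)
```

The per-sender summary gives a fixed list of source MACs to look up in each switch's MAC address table, which narrows the search to specific ports without taking equipment offline.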
