
While monitoring my office's network, I have seen a huge amount of traffic coming from devices whose MAC address manufacturer part (the three most significant octets) is 00:FF:01. I can't see the client part, but this prefix is showing ~50% more traffic than any other device from any other manufacturer.

I haven't been able to find who the manufacturer of such a device is, or whether it is some kind of virtual device (all the queries out there return a "No manufacturer found" for that prefix).

I'm not even sure if ServerFault is the right place to ask this, but I'm running out of options. Does anyone know what type of device that is? Are they virtual devices?

Thank you in advance.

EDIT 1:

Running Wireshark I was able to find the whole MAC of one of these things: 00:FF:01:FF:02:FF (it really looks weird for a MAC address). For the last... 30 mins or so, only that particular MAC address seems to be sending traffic. I don't know for sure if all the hits I saw before (the ones where I could only see the manufacturer part) were coming from the same 00:FF:01:FF:02:FF, or if there's a possibility there were other devices with the same manufacturer 00:FF:01 but they're not transmitting now.

Savir
  • This may be a duplicate of a question I have answered several months ago. Let me check if I can find it again. – kasperd Dec 11 '14 at 00:47
  • @kasperd, If you have the answer, that'd be great, because it's driving me nuts... I'm leaning towards it being some kind of virtual device, but I haven't been able to confirm in any of the regular sources I know of to check Manufacturers' prefixes. – Savir Dec 11 '14 at 00:52
  • Remember it is possible these days for a MAC to be set to a specific value thus the manufacturer information would not be valid for anything. – mdpc Dec 11 '14 at 00:57
  • I found the question I had in mind. It is not an exact duplicate, but it sounds a bit similar. http://serverfault.com/questions/447220 Try to get a dump of the full Ethernet frame. It is possible the entire frame is corrupted, and what you are looking at is not even a MAC address. – kasperd Dec 11 '14 at 01:00
  • From what I can find, 00-FF-01 isn't in use by any of the common virtualization platforms. It also isn't a Multicast MAC address. – joeqwerty Dec 11 '14 at 01:05
  • Something else you might try if you've got managed switches is to interrogate the MAC address table of the switches to see which port or ports these MAC addresses are registered to. That might help you track down the source host or hosts (unless the devices with these MAC addresses are connecting wirelessly). – joeqwerty Dec 11 '14 at 01:22



I'm just guessing, but we recently had storms of strange packets which Wireshark didn't understand, either. After a few days a coworker noticed that the packets make more sense and look like IPv6/Ethernet Multicast packets if you remove the first 16 bytes. (Seeing 33:33 somewhere later in the byte stream looked familiar...)

In our case it was Apple Thunderbolt displays with an integrated network adapter which caused these packets. Looks like a bug in their firmware. With those 16 bytes, the source MAC address always was 00:02:01:00:00:00 and the destination MAC address always was 00:00:00:00:b7:00, which both look suspiciously not-random.

So maybe you want to check if your packets make more sense, too, if you remove a few bytes from the beginning.

If not: Any chance that you can capture some of these packets and post them here, e.g. in pcap format?

Axel Beckert
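The "remove a few bytes from the beginning" check from the answer above, as an added example that is not part of the original post: it slides an offset over a raw frame and reports where a plausible Ethernet header (33:33 IPv6 multicast destination, EtherType 0x86DD, IPv6 version nibble) begins. The frame bytes, MAC addresses and the 16-byte junk prefix are constructed sample data, not a capture from the question.

```python
"""Heuristic: a 'garbage' frame may be a valid Ethernet/IPv6 multicast
frame with junk prepended. Find the offset at which it parses sanely.
All frame bytes below are constructed sample data, not a real capture."""
import struct

ETHERTYPE_IPV6 = 0x86DD


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame, offset=0):
    """Return (dst, src, ethertype) for a header at `offset`, or None if short."""
    hdr = frame[offset:offset + 14]
    if len(hdr) < 14:
        return None
    etype = struct.unpack("!H", hdr[12:14])[0]
    return mac_str(hdr[:6]), mac_str(hdr[6:12]), etype


def looks_like_ipv6_multicast(frame, offset):
    """True if the header at `offset` is 33:33 dst + IPv6 EtherType and the
    payload begins with an IPv6 version nibble of 6."""
    parsed = parse_ethernet(frame, offset)
    if parsed is None:
        return False
    dst, _src, etype = parsed
    payload = frame[offset + 14:offset + 15]
    return (dst.startswith("33:33") and etype == ETHERTYPE_IPV6
            and len(payload) == 1 and payload[0] >> 4 == 6)


def find_real_header(frame, max_skip=32):
    """Smallest offset where the frame parses as IPv6 multicast, else None.
    Offset 0 means the frame is fine as captured."""
    for off in range(max_skip + 1):
        if looks_like_ipv6_multicast(frame, off):
            return off
    return None


# Constructed sample: 16 junk bytes whose first 12 read as the odd MACs
# 00:ff:01:ff:02:ff / 00:02:01:00:00:00, followed by a genuine-looking
# frame: dst 33:33:00:00:00:01 (all-nodes), src 02:00:00:aa:bb:cc,
# EtherType 0x86dd, then an 8-byte IPv6 header stub (version 6).
JUNK = bytes.fromhex("00ff01ff02ff" "000201000000" "0000" "0000")
GOOD = bytes.fromhex("333300000001" "020000aabbcc" "86dd" "60000000" "00083aff")
SAMPLE_FRAME = JUNK + GOOD

if __name__ == "__main__":
    print("header read at offset 0:", parse_ethernet(SAMPLE_FRAME, 0))
    off = find_real_header(SAMPLE_FRAME)
    print("plausible header at offset", off, "->", parse_ethernet(SAMPLE_FRAME, off))
```

Run it against the bytes of a suspect frame exported from Wireshark; an offset of 16 would match the behaviour the answer describes.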