Ask Your Question

Edgerouter ER-X-SFP: Leaking MAC packets

asked 2020-03-30 20:47:01 +0000

thotha gravatar image

updated 2020-03-31 05:51:38 +0000

Jaap gravatar image

Dear Wireshark professionals

My ER-XSFP with the latest firmware 2.0.8-hotfix1 does sometime do some MAC violation of its WAN MAC using other ones. Not sure if the ones from the other eth ports or even from devices within my network. From my ISP, I only get a file with date/time of the violation but NO MAC which did trigger that. So I have to do my own research to either proof the Edgerouter it self as the failure or the SFP fibre module or something else.

So my intention is to: - capture only the outgoing traffic on my WAN port (eth5) except all traffic with source MAC f0:9f:c2:61:36:96 of my WAN port - Use Wireshark on my Mac Mini Server to run a 24-48 h test with accessing the Edgerouter ER-XSFP to capture the traffic data under above rule - If a violation is recognized, only record one minute before and after that occurence - In Wireshark every hour do start a new *.pcapng capture log file

So far I'm able to access the Edgerouter from within Wireshark Mac OS lates Version through GUI - "SSH remote capture: sshdump". I did use the command

/usr/sbin/tcpdump -i eth5 -w - not ether host f0:9f:c2:61:36:96 and not ether broadcast and not ether multicast

but it doesn't exclude any src/dest data from MAC f0:9f:c2:61:36:96.

Does anyone have a suggestion how I can get the required data to solve that whole problem.

Thank you to anyones help and suggestion.

Regards Thomas

edit retag flag offensive close merge delete


You say: "I did use the command /usr/sbin/tcpdump -i eth5 -w - not ether ..." Where did you use this command in sshdump? Is that the remote capture command you entered in the configuration dialog?

Jaap gravatar imageJaap ( 2020-03-31 06:37:58 +0000 )edit

I did enter it in "Interface Options: SSH remote capture: sshdump" in tab "Capture" in filed "Remote capture command" with flag "Use sudo on the remote machine".

thotha gravatar imagethotha ( 2020-04-02 12:00:46 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2020-03-31 06:17:22 +0000

Chuckc gravatar image
sh-4.2# /usr/sbin/tcpdump -i eth0 -Q out not ether src xx:xx:xx:xx:xx:xx

image description

edit flag offensive delete link more


Dear bubbasnmp

Thank you for your feedback. I'll give it a try. Hope it will bring up some results, as I don't have a simple ethernet hub to place it in between the ER-XSFP WAN <-> Fibre ETH Adapter to get cleaner results.

I'll update here.

thotha gravatar imagethotha ( 2020-03-31 11:19:34 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-03-30 20:47:01 +0000

Seen: 103 times

Last updated: Mar 31