Why are all remote MAC addresses HonHaiPr_85:c9:be (94:39:e5:85:c9:be)?
When I check packets from many addresses and I look at the remote host's MAC address I get this for totally unrelated websites:
Source: HonHaiPr_85:c9:be (94:39:e5:85:c9:be)
Address: HonHaiPr_85:c9:be (94:39:e5:85:c9:be)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
This seems very unlikely. What's going on?
Can you log into the Netgear to see what its MAC address is set to?
Any chance MAC cloning was enabled? I would expect this to only affect the WAN (Internet Port) but worth checking to rule it out.
The Netgear wireless gateway is set to 10.0.0.1, my workstation is 10.0.0.4 or 10.0.0.3, depending on which OS I've booted to. I will look into MAC cloning, if that means what I think it does, anyway I'll find out. I know Ubuntu and my Kali machine can spoof MAC addresses so I know they're changeable or clone-able. Here's a complete packet between me and Google:
Frame 53: 353 bytes on wire (2824 bits), 353 bytes captured (2824 bits) on interface wlp3s0b1, id 0
Interface id: 0 (wlp3s0b1)
Encapsulation type: Ethernet (1)
Arrival Time: Aug 26, 2020 22:27:06.221401164 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1598506026.221401164 seconds
[Time delta from previous captured frame: 0.000885799 seconds]
[Time delta from previous displayed frame: 0.000885799 seconds]
[Time since reference or ...(more)
Looks like
HonHaiPr_85:c9:be (94:39:e5:85:c9:be)
is the MAC address of your workstation 10.0.0.4
The original packet snippet in the question must have been from an outgoing packet.
Have you looked at what its MAC address is (where to look would depend on which OS is booted)?
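The point made in the answers, as an added example that is not part of the original thread: classify each frame by comparing its Ethernet addresses with the capturing host's own MAC, and decode the IG/LG bits Wireshark shows. It goes one step further than the thread by showing that unrelated remote IPs all share the same link-layer peer, because a MAC address only identifies the next hop on the local link. The gateway MAC and remote IPs are constructed placeholders; only the workstation MAC and 10.0.0.4 come from the thread.

```python
# Added example. Only the workstation MAC and 10.0.0.4 come from the thread;
# the gateway MAC and the remote IPs are constructed placeholders.
LOCAL_MAC = "94:39:e5:85:c9:be"    # workstation 10.0.0.4 (from the thread)
GATEWAY_MAC = "02:00:00:00:00:01"  # constructed stand-in for the router's LAN MAC

def mac_flags(mac):
    """Decode the IG and LG bits of the first octet, as in the dissection above."""
    first = int(mac.split(":")[0], 16)
    return {
        "ig": "group" if first & 0x01 else "individual",
        "lg": "locally administered" if first & 0x02 else "globally unique",
    }

def direction(frame, local_mac=LOCAL_MAC):
    """Classify a frame relative to the capturing host's own MAC."""
    if frame["eth_src"].lower() == local_mac:
        return "outgoing"
    if frame["eth_dst"].lower() == local_mac:
        return "incoming"
    return "other"

def l2_peers(frames, local_mac=LOCAL_MAC):
    """Map each remote IP to the MAC(s) seen at the far end of the local link."""
    peers = {}
    for f in frames:
        d = direction(f, local_mac)
        if d == "outgoing":
            peers.setdefault(f["ip_dst"], set()).add(f["eth_dst"].lower())
        elif d == "incoming":
            peers.setdefault(f["ip_src"], set()).add(f["eth_src"].lower())
    return peers

# Constructed frames: two unrelated remote hosts, both reached through the gateway.
FRAMES = [
    {"eth_src": LOCAL_MAC, "eth_dst": GATEWAY_MAC, "ip_src": "10.0.0.4", "ip_dst": "203.0.113.10"},
    {"eth_src": GATEWAY_MAC, "eth_dst": LOCAL_MAC, "ip_src": "203.0.113.10", "ip_dst": "10.0.0.4"},
    {"eth_src": LOCAL_MAC, "eth_dst": GATEWAY_MAC, "ip_src": "10.0.0.4", "ip_dst": "198.51.100.7"},
    {"eth_src": GATEWAY_MAC, "eth_dst": LOCAL_MAC, "ip_src": "198.51.100.7", "ip_dst": "10.0.0.4"},
]

if __name__ == "__main__":
    for f in FRAMES:
        print(direction(f), f["ip_src"], "->", f["ip_dst"], "eth.src =", f["eth_src"])
    print(l2_peers(FRAMES))
    print(mac_flags(LOCAL_MAC))
```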