Ask Your Question
0

Why are all remote MAC addresses HonHaiPr_85:c9:be (94:39:e5:85:c9:be)

asked 2020-08-26 06:45:33 +0000

ckeveny gravatar image

updated 2020-08-26 17:46:17 +0000

Guy Harris gravatar image

When I check packets from many addresses and I look at the remote host's Mac address I get this for totally unrelated websites:

Source: HonHaiPr_85:c9:be (94:39:e5:85:c9:be)
    Address: HonHaiPr_85:c9:be (94:39:e5:85:c9:be)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

This seems very unlikely. What's going on?

edit retag flag offensive close merge delete

Comments

Can you log into the Netgear to see what it's MAC address is set to?
Any chance MAC cloning was enabled? I would expect this to only affect the WAN (Internet Port) but worth checking to rule it out.

Chuckc gravatar imageChuckc ( 2020-08-26 16:28:32 +0000 )edit

The Netgear wireless gateway is set to 10.0.0.1, my workstation is 10.0.0.4 or 10.0.0,3; depending on which OS I've booted to. I will look in to MAC cloning, if that means what I think it does, anyway I'll find out. I know Ubuntu and my Kali machine can spoof MAC addresses so I know they're changeable or clone-able Here's a complete packet between me and Google: Frame 53: 353 bytes on wire (2824 bits), 353 bytes captured (2824 bits) on interface wlp3s0b1, id 0 Interface id: 0 (wlp3s0b1) Encapsulation type: Ethernet (1) Arrival Time: Aug 26, 2020 22:27:06.221401164 PDT [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1598506026.221401164 seconds [Time delta from previous captured frame: 0.000885799 seconds] [Time delta from previous displayed frame: 0.000885799 seconds] [Time since reference or ...(more)

ckeveny gravatar imageckeveny ( 2020-08-27 05:39:58 +0000 )edit

Looks like HonHaiPr_85:c9:be (94:39:e5:85:c9:be) is the MAC address of your workstation 10.0.0.4
The original packet snippet in the question must have been from an outgoing packet.
Have you looked at what it's MAC address is (where to look would depend on which OS is booted)

Chuckc gravatar imageChuckc ( 2020-08-27 14:36:04 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2020-08-26 16:16:06 +0000

cmaynard gravatar image

As @grahamb mentioned, the MAC address could belong to the gateway, but if you want to know what IP address is associated with that MAC address, I'd recommend checking your arp cache. On Unix systems, just run arp and on Windows, run arp -a. Find the entry for 94:39:e5:85:c9:be, and you'll know what its IP address is.

If it's not the gateway, then it could be another device on your network According to Wikpedia, Hon Hai Precision Industry Co., Ltd. is traded as Foxconn Technology Group and "Notable products manufactured by Foxconn include the BlackBerry,[8] iPad,[9] iPhone 11, iPod,[10] Kindle,[11] Nintendo 3DS, Nokia devices, Xiaomi devices, PlayStation 3, PlayStation 4, Wii U, Xbox 360, Xbox One,[12] and ..."

edit flag offensive delete link more

Comments

Thank you. I thought Wireshark was supposed to pick up the remote host's MAC address.

This is the complete information from a packet which was going to google:

Frame 53: 353 bytes on wire (2824 bits), 353 bytes captured (2824 bits) on interface wlp3s0b1, id 0
    Interface id: 0 (wlp3s0b1)
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 26, 2020 22:27:06.221401164 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1598506026.221401164 seconds
    [Time delta from previous captured frame: 0.000885799 seconds]
    [Time delta from previous displayed frame: 0.000885799 seconds]
    [Time since reference or first frame: 6.937166950 seconds]
    Frame Number: 53
    Frame Length: 353 bytes (2824 bits)
    Capture Length: 353 bytes (2824 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet II, Src: Netgear_37:54:b8 ...
(more)
ckeveny gravatar imageckeveny ( 2020-08-27 05:33:31 +0000 )edit

This is the complete information from a packet which was going to google:

That packet was not going to Google, at least not directly. The destination IP address 10.0.0.4 is not a Google IP address but rather a private RFC1918 IP address.

I don't know anything about your network, but you might want to look at the arp cache or log into your Netgear router to find out what device that is.

cmaynard gravatar imagecmaynard ( 2020-08-27 06:47:23 +0000 )edit
add a comment
0

answered 2020-08-26 07:11:16 +0000

grahamb gravatar image

That is likely to be the MAC address of your Internet Gateway or router. Ethernet packet are point to point over the segment, from your NIC to the NIC of the next hop, which for packets to machines outside of your network, will be your gateway.

edit flag offensive delete link more

Comments

I see my Netgear router, that's on my end. The remote MAC seems to be coming back all the same. Do you think that maybe this is the not the MAC for the remote host, but maybe the first hop after my router, maybe the cable modem my router is connected to?

ckeveny gravatar imageckeveny ( 2020-08-26 07:15:49 +0000 )edit

How is your machine connected to your network, via a wired cable or a wireless access point?

The MAC address will be whatever you're connected to.

grahamb gravatar imagegrahamb ( 2020-08-26 07:37:47 +0000 )edit

I've a Linux workstation going wireless to a Netgear router, it is connected to a Charter Cable modem. Here's the complete informational section of a packet monitored between me and Google News:

Frame 53: 353 bytes on wire (2824 bits), 353 bytes captured (2824 bits) on interface wlp3s0b1, id 0
    Interface id: 0 (wlp3s0b1)
    Encapsulation type: Ethernet (1)
    Arrival Time: Aug 26, 2020 22:27:06.221401164 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1598506026.221401164 seconds
    [Time delta from previous captured frame: 0.000885799 seconds]
    [Time delta from previous displayed frame: 0.000885799 seconds]
    [Time since reference or first frame: 6.937166950 seconds]
    Frame Number: 53
    Frame Length: 353 bytes (2824 bits)
    Capture Length: 353 bytes (2824 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:tls]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Ethernet ...
(more)
ckeveny gravatar imageckeveny ( 2020-08-27 05:35:19 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-08-26 06:45:33 +0000

Seen: 1,526 times

Last updated: Aug 26 '20

Related questions

DHCP request from a host to a DHCP server with the host having the same MAC address as that of the server

Tracking end to end MAC numbers across fire walls ...

How can I see what devices connect to what websites?

Why have some of my packets been sent to a MAC address that is not my Router?

Strange TCP syn/ack behavior

Is it ARP Spoofing?

local mac address capture filter?

Why Is There HTTP traffic?

MAC address without OUI

Identifying Application Information and MAC Addresses Using IPFIX Data