Ask Your Question
0

Why have some of my packets been sent to a MAC address that is not my Router?

asked 2021-03-16 22:29:15 +0000

AG111 gravatar image

My MAC address of my router is (be:69:31:35:30:43). I wanted to see how many packets I have that do not include the MAC address of my router in the source or in the destination of any of my packets. I put a filter and found out that 5 do not include the router MAC address.

I wanted to know the reason that each of these packets have been sent to a MAC address that is not the router. The MAC addresses are:

https://drive.google.com/file/d/1Mi9p...

1) Frame 55: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Source: QuantaCo_76:4d:83 (00:16:36:76:4d:83)

2) Frame 56: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Source: QuantaCo_76:4d:83 (00:16:36:76:4d:83)

3) Frame 57: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Source: QuantaCo_76:4d:83 (00:16:36:76:4d:83)

4) Frame 543: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Destination: IPv4mcast_01 (01:00:5e:00:00:01)
Source: Dell_ff:d8:c4 (84:2b:2b:ff:d8:c4)

5) Frame 544: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) Destination: IPv6mcast_01 (33:33:00:00:00:01) Source: Dell_ff:d8:c4 (84:2b:2b:ff:d8:c4)

edit retag flag offensive close merge delete

Comments

Was the capture done on the router or the outside interface?
If you apply a display filter of !(ip.addr == 138.37.73.232) those packets are from the next upstream router?
Is there a Dell machine in your systems that matches the 543/544 source MAC?

Chuckc gravatar imageChuckc ( 2021-03-17 00:51:25 +0000 )edit

The capture was done on an outside interface and I have been sent this packet to analyse it. I wanted to know the reason that each of these packets have been sent to a MAC address that is not the router.

AG111 gravatar imageAG111 ( 2021-03-17 05:15:40 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-03-18 19:35:25 +0000

Chuckc gravatar image

Frames 55, 56 and 57 are the same packet sent three times.
In the Frame Protocol Preferences, enable Generate an MD5 hash ... to see that they all have a hash of 90cbc8f1b307827eea099e202cab6eaa.
The router (or something on the other side of the router) would like to contact 138.37.73.45 which, assuming a subnet mask of /24, puts it on the 138.37.73.0/24 subnet. The router makes an ARP Request to map the IP address 138.37.73.45 to a MAC address to communicate at layer 2. That device doesn't respond to the first ARP, the router waits one second then asks again, waits another one second then asks the third (final) time.
ARP Requests are sent to the Broadcast address ff:ff:ff:ff:ff:ff.

The only frames for eth.addr == 84:2b:2b:ff:d8:c4 are the Multicast queries in frames 543 and 544.

IANA MAC ADDRESS BLOCK

IANA allocates addresses under the IANA OUI (00-00-5E) as explained in 
[RFC7042]. Unicast addresses under the IANA OUI start 
with 00-00-5E, while multicast addresses under the IANA OUI start with 
01-00-5E. In the lists below, these initial 3 bytes are omitted for 
brevity. As described in [RFC7042], 48-bit MAC addresses 
in the range 33-33-00-00-00-00 to 33-33-FF-FF-FF-FF are used for IPv6 multicast.
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-03-16 22:29:15 +0000

Seen: 1,263 times

Last updated: Mar 18 '21