Ask Your Question
0

Why have some of my packets been sent to a MAC address that is not my Router?

asked 2021-03-16 22:29:15 +0000

AG111 gravatar image

My MAC address of my router is (be:69:31:35:30:43). I wanted to see how many packets I have that do not include the MAC address of my router in the source or in the destination of any of my packets. I put a filter and found out that 5 do not include the router MAC address.

I wanted to know the reason that each of these packets have been sent to a MAC address that is not the router. The MAC addresses are:

https://drive.google.com/file/d/1Mi9p...

1) Frame 55: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Source: QuantaCo_76:4d:83 (00:16:36:76:4d:83)

2) Frame 56: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Source: QuantaCo_76:4d:83 (00:16:36:76:4d:83)

3) Frame 57: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Source: QuantaCo_76:4d:83 (00:16:36:76:4d:83)

4) Frame 543: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Destination: IPv4mcast_01 (01:00:5e:00:00:01)
Source: Dell_ff:d8:c4 (84:2b:2b:ff:d8:c4)

5) Frame 544: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) Destination: IPv6mcast_01 (33:33:00:00:00:01) Source: Dell_ff:d8:c4 (84:2b:2b:ff:d8:c4)

edit retag flag offensive close merge delete

Comments

Was the capture done on the router or the outside interface?
If you apply a display filter of !(ip.addr == 138.37.73.232) those packets are from the next upstream router?
Is there a Dell machine in your systems that matches the 543/544 source MAC?

Chuckc gravatar imageChuckc ( 2021-03-17 00:51:25 +0000 )edit

The capture was done on an outside interface and I have been sent this packet to analyse it. I wanted to know the reason that each of these packets have been sent to a MAC address that is not the router.

AG111 gravatar imageAG111 ( 2021-03-17 05:15:40 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-03-18 19:35:25 +0000

Chuckc gravatar image

Frames 55, 56 and 57 are the same packet sent three times.
In the Frame Protocol Preferences, enable Generate an MD5 hash ... to see that they all have a hash of 90cbc8f1b307827eea099e202cab6eaa.
The router (or something on the other side of the router) would like to contact 138.37.73.45 which, assuming a subnet mask of /24, puts it on the 138.37.73.0/24 subnet. The router makes an ARP Request to map the IP address 138.37.73.45 to a MAC address to communicate at layer 2. That device doesn't respond to the first ARP, the router waits one second then asks again, waits another one second then asks the third (final) time.
ARP Requests are sent to the Broadcast address ff:ff:ff:ff:ff:ff.

The only frames for eth.addr == 84:2b:2b:ff:d8:c4 are the Multicast queries in frames 543 and 544.

IANA MAC ADDRESS BLOCK

IANA allocates addresses under the IANA OUI (00-00-5E) as explained in 
[RFC7042]. Unicast addresses under the IANA OUI start 
with 00-00-5E, while multicast addresses under the IANA OUI start with 
01-00-5E. In the lists below, these initial 3 bytes are omitted for 
brevity. As described in [RFC7042], 48-bit MAC addresses 
in the range 33-33-00-00-00-00 to 33-33-FF-FF-FF-FF are used for IPv6 multicast.
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-03-16 22:29:15 +0000

Seen: 1,263 times

Last updated: Mar 18 '21

Related questions

How do I see data usage per device connected to a router.

DHCP request from a host to a DHCP server with the host having the same MAC address as that of the server

How to find the make and model of a local router? [closed]

How to detect any attempt of connecting to my wifi using wireshark ?

Tracking end to end MAC numbers across fire walls ...

Trying to Find Out What's Overloading My Modem/Router

How can I see what devices connect to what websites?

Why are all remote MAC addresses HonHaiPr_85:c9:be (94:39:e5:85:c9:be)

can wireshark monitor only my router capturing all internet traffic for all devices connected, not just the computer wireshark is running on?

Router still sending out requests despite being unplugged.