Ask Your Question
0

Ethernet II contains unrelated src address

asked 2023-06-21 20:50:26 +0000

awagner gravatar image

updated 2023-06-21 21:33:49 +0000

Guy Harris gravatar image

I've shown in yellow the src address that is unrelated to the selected packet. This address shows up in about 37% of my capture, again unrelated to the src listed in the packet selection. Should I be suspicious? Why would it be there?

Ethernet II, Src: 4130-JBH.JBHenderson.local (2c:b8:ed:2a:0f:14), Dst: 4662-JBH.JBHenderson.local (c4:cb:e1:0c:dd:e0)
    Destination: 4662-JBH.JBHenderson.local (c4:cb:e1:0c:dd:e0)
        Address: 4662-JBH.JBHenderson.local (c4:cb:e1:0c:dd:e0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)

[THIS IS THE UNRELATED SRC]
    **Source: 4130-JBH.JBHenderson.local (2c:b8:ed:2a:0f:14)
        Address: 4130-JBH.JBHenderson.local (2c:b8:ed:2a:0f:14)**
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)

[THIS IS WHAT IS SHOWN IN THE PACKET LISTING]
Internet Protocol Version 4, **Src: SJC-efz.ms-acdc.office.com (52.96.69.66), Dst: 4662-JBH.JBHenderson.local** (10.11.7.77)
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 1500
    Identification: 0xd892 (55442)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 243
    Protocol: TCP (6)
    Header Checksum: 0x1e8f [validation disabled]
    [Header checksum status: Unverified]
    Source Address: SJC-efz.ms-acdc.office.com (52.96.69.66)
    Destination Address: 4662-JBH.JBHenderson.local (10.11.7.77)
edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-06-21 21:43:50 +0000

Guy Harris gravatar image

There is no guarantee that anything related to the source or destination MAC address of a packet will appear in, for example, the IPv4 or IPv6 headers of a packet. If you're fetching a web page from some server halfway around the world, the MAC address of that server (if it has one) has long since been lost in the process of routing the packet to the machine on which you're running your browser.

I.e., SJC-efz.ms-acdc.office.com and 4662-JBH.JBHenderson.local are not necessarily on the same LAN segment, or on on LAN that are bridged together, so there may be one or more routers between them through which the IPv4 packet in question was sent. 4130-JBH.JBHenderson.local is probably one such router - and is probably on your network, given that its name is very similar to the name of the machine that received the packet.

I.e., it may be the name of a DSL or cable modem, or firewall, or some such device. Wireshark's OUI lookup tool shows that the first 3 bytes of the device's MAC address, 2c:b8:ed, belong to a company named SonicWall, who make hardware and software to provide cybersecurity, so there's probably a SonicWall device on your network that's inspecting traffic between machines on your network and the Internet.

edit flag offensive delete link more

Comments

Thank you for the quick reply. However, if 4130 or a network device like a router or firewall I would’ve known that and that would’ve made some sense. However, 4162 is just another workstation on the same subnet as 4662 which brings my question as to why would it even be in that packet?

awagner gravatar imageawagner ( 2023-06-21 22:50:10 +0000 )edit

However, 4162 is just another workstation on the same subnet as 4662 which brings my question as to why would it even be in that packet?

From the *shark output you put in your question, it's not in that packet - not as a MAC source or destination, and not as an IPv4 source or destination. The only *-JBH.JBHenderson.local" hosts shown there are 4662 and 4130.

Guy Harris gravatar imageGuy Harris ( 2023-06-22 06:53:06 +0000 )edit

In the capture results, it shows the traffic being between SJC-efz.ms-acdc.office.com and 4662-JBH. However when I expand that line in the capture, I see the content shown above which contains the src of 4130 in ETH II.

awagner gravatar imageawagner ( 2023-06-22 13:55:39 +0000 )edit

However when I expand that line in the capture, I see the content shown above which contains the src of 4130 in ETH II.

That is a very strong indication that the traffic passed through 4130. I suggest you try to find the device - probably a device from SonicWall, given the OUI - with the MAC address 2c:b8:ed:2a:0f:14.

Guy Harris gravatar imageGuy Harris ( 2023-06-22 19:42:17 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-06-21 20:50:26 +0000

Seen: 180 times

Last updated: Jun 22 '23

Related questions

When/why would a device send a frame with ethertype 0x86dd (IPv6) but it's actually an IPv4 packet?

How to capture ethernet traffic?

Cannot access Ethernet interfaces with Wireshark Portable unless I install full WinPCap?

How to see the FCS in Ethernet frames?

Why do I see Ethernet frames that exceed the MTU + Ethernet header size?

How to capture packets using Wireshark in a switched ethernet network?

icmp fragmentation

Problems while attempting to capture wireless packets

What is the trailer in the Ethernet frame and why is the FCS incorrect?

File upload stalling, many "bad" TCP packages