
Ghost MAC Address

asked 2026-01-09 15:26:17 +0000

We use Unifi UDM Pro for firewall and local network control for our customers. At one location, I have a device showing up in the firewall blocked traffic that is generating >100 blocked hits a min according to the Unifi monitoring system. Unifi shows the MAC address as 90:d0..... but no IP address.

Also, using Advanced IP Scanner, this MAC address does not show up.

Using Wireshark with a filter of ether host 90:d0:......, nothing shows up.

Doing a complete capture for 5 min and then doing a find in the capture using the MAC address, nothing shows up.

What am I missing? Is there a way to find this device on the network?

And for what it's worth, I was doing a test on the local network for the new Kimwolf infection. The test for the public IP address of this network shows up on the Kimwolf IP list of addresses that the Kimwolf server has conversed with. I am trying to determine "IF" any local devices have been compromised.

Thanks, any help is appreciated.


1 Answer


answered 2026-01-14 08:30:24 +0000

SYN-bit

I have no experience with the UDM Pro, but here is my €0,02:

  • Not sure how and where you were capturing, but in switched networks you do not see all traffic on all ports, so it is very likely that this traffic, even if it is in your network, will not show up on all parts of the network. See: https://wiki.wireshark.org/CaptureSet...
  • Does the UDM show on which Interface it is seeing this traffic? It looks like you can make a packet capture on that specific interface on the UDM itself, see https://help.ui.com/hc/en-us/articles...
  • As OUIs consist of 3 octets, it would be nice if you could share the first 3 octets of the MAC address instead of the first two. But based on the first two, it looks like it could be from HUMAX Co (90:d0:92:xx:xx:xx), which can be found in Wireshark by going to Tools -> MAC Address Blocks
  • HUMAX Co does seem to be related to TV set-top boxes

I hope this will give you some direction on finding the device and why it is sending out a lot of traffic that is blocked by your UDM, even though this traffic could be totally benign (though it could also not be benign).
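Added example, not part of the answer above: once a capture has been taken on the interface where the UDM sees the traffic, a partial MAC prefix such as the `90:d0` quoted in the question can be matched against the source and destination address of every frame. The Python sketch below does this for a classic pcap file; the function names are this example's own, and the sample frames, the full MAC `90:d0:92:00:00:01` and the 192.0.2.x addresses are constructed.

```python
import socket
import struct

def parse_prefix(text):
    """'90:d0' or '90-d0-92' -> raw bytes, so a partial MAC can be matched."""
    return bytes(int(p, 16) for p in text.replace("-", ":").split(":") if p)

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def find_mac(pcap, prefix):
    """Return (frame_no, src_mac, dst_mac, sender_ip) for every Ethernet frame
    whose source or destination MAC starts with prefix (classic pcap only)."""
    want = parse_prefix(prefix)
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic microsecond pcap (pcapng needs converting)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    hits, off, frame_no = [], 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1
        dst, src = frame[0:6], frame[6:12]
        if len(frame) < 14 or not (src.startswith(want) or dst.startswith(want)):
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        ip = None  # stays None for traffic that is neither IPv4 nor ARP
        if ethertype == 0x0800 and len(frame) >= 34:    # IPv4: source address
            ip = socket.inet_ntoa(frame[26:30])
        elif ethertype == 0x0806 and len(frame) >= 42:  # ARP: sender protocol address
            ip = socket.inet_ntoa(frame[28:32])
        hits.append((frame_no, fmt_mac(src), fmt_mac(dst), ip))
    return hits

def sample_pcap():
    """Constructed capture: frame 1 is an ARP request from the 'ghost' MAC,
    frame 2 is unrelated IPv4 traffic. All addresses are made up."""
    rec = lambda f: struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    ghost, pc, gw = (bytes.fromhex(h) for h in ("90d092000001", "020000000002", "020000000001"))
    arp = (b"\xff" * 6 + ghost + b"\x08\x06" + bytes.fromhex("0001080006040001")
           + ghost + socket.inet_aton("192.0.2.50") + b"\x00" * 6 + socket.inet_aton("192.0.2.1"))
    ipv4 = (gw + pc + b"\x08\x00" + b"\x45" + b"\x00" * 11
            + socket.inet_aton("192.0.2.10") + socket.inet_aton("192.0.2.1"))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + rec(arp) + rec(ipv4)
```

For a real capture, pass the file contents (`open(path, "rb").read()`) instead of `sample_pcap()`. A hit whose IP field is `None` means the frame was neither IPv4 nor ARP.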
