Ask Your Question
0

MAC Locally administered address - Resolved names

asked 2019-02-09 05:56:04 +0000

x70teo gravatar image

updated 2019-02-09 07:34:50 +0000

Hello,

i recently found out about the concept of MAC Locally vs Universally administered MAC addresses.

When analyzing a Wireshark trace from my WiFi, which captured my IPhone connecting to the network, i noticed that the phone used a locally administered MAC address for some ARP messages but the resolved name from WireShark showed MS-NLB-PhysServer (nothing to do with Iphone i guess...).

After reading on the web i thought that this resolution comes from some default Wireshark lookup tables, like the manuf file. However i could not find such entry in the file. Nether in the ether file, the other place where resolution can be defined.

So i wonder where does such name resolution come from and if there is any other configuration file in Wireshark that defines it.

As a bonus question :-)... If somebody could explain why I see the IPhone using two different MAC addresses (one is the universal/BIA and the other one is this locally administered MAC) it would be great. By the way the two source MAC addresses are obviously related, since they have the same last 6 digits, like in the example here below:

  • Universal BIA => a8:be:27:xx:yy:zz
  • Local => 02:0f:b5:xx:yy:zz

Thanks!

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-02-09 08:24:15 +0000

Jaap gravatar image

These resolutions come from the well-known-addresses file, called 'wka'. And if it was 02:0F:B5:xx:yy:zz it must have said 'MS-NLB-VirtServer'. As for the use of the MAC addresses in ARP messages you would have to specify where in the ARP message the occurred.

edit flag offensive delete link more

Comments

Jaap, thanks a lot for pointing me in the right direction, i was not aware of this wka file.

I checked it and the mapping is coherent with what i see in the trace. There is no specific entry for 02:0f:b5 and the closest one is:

02-0f-00-00-00-00/16 MS-NLB-PhysServer-15

It seems that all the 02-... entries only differentiate between the first 4 digits, so i have no specific mapping.

And in my table 'MS-NLB-VirtServer' is mapped to 02-BF-..., not to 02-0F

Anyway in the end this is just mapping and you solved my question, as i could not explain where the mapping was coming from.

As for the use of this locally admin [email protected] had a better look to the trace and this is what i have noticed:

  • when the Iphone connect to the main SSID it uses its BIA address

  • when the Iphone connect to the ...

(more)
x70teo gravatar imagex70teo ( 2019-02-09 09:26:36 +0000 )edit

You're right (didn't have coffee yet :) ) It matches Server-15, not the virtual server address. Note the netmark (/16) after the address, which signifies how many leading bits are relevant. Devices may use these addresses to obfuscate their identity, to hamper tracking.

Jaap gravatar imageJaap ( 2019-02-09 10:42:03 +0000 )edit

Devices may use these addresses to obfuscate their identity, to hamper tracking.

That's exactly what iOS is doing; see, for example, this iMore article.

Guy Harris gravatar imageGuy Harris ( 2019-02-10 03:31:58 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-02-09 05:56:04 +0000

Seen: 106 times

Last updated: Feb 09