
I am on a wifi network. I am using a wifi adapter to connect to a wifi hotspot. In the captured packets, I see a lot of packets to and from an unknown MAC address. If I search for the MAC address's vendor, I get no vendor.

628 114.574792  manufacturer_xx:xx:xx   1a:e1:3d:ca:4c:ac   ARP 42  Who has 192.xxx.xxx.1? Tell 192.xxx.xxx.xxx
629 114.588296  1a:e1:3d:ca:4c:ac   manufacturer_xx:xx:xx   ARP 42  192.xxx.xxx.1 is at 1a:e1:3d:ca:4c:ac

The manufacturer_xx:xx:xx is my wifi adapter. 192.xxx.xxx.1 is the default gateway IP and 192.xxx.xxx.xxx is the machine IP. The interesting fact is that 1a:e1:3d:ca:4c:ac is not the MAC of the default gateway. The unknown MAC is communicating a lot with the network. I have a pcapng file of 29,206 packets. If I apply the display filter eth.dst == 1a:e1:3d:ca:4c:ac, I see that around 40.1% of packets went to the unknown MAC.

asked 30 Aug, 03:39

mgtheboss

That looks like a locally administered MAC, as the U/L bit is set (this is the second bit of the first octet, i.e. 1a -> 0001 1010). As such there is no manufacturer.

Wireshark should be informing you of the fact that the MAC is locally administered; what does it show in the packet tree? An example is shown here.


answered 30 Aug, 04:13


grahamb ♦

edited 30 Aug, 04:15
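
As an added example (not part of the original answer, and not Wireshark code), the U/L-bit check described in the answer can be scripted over ARP reply text in the "is at" form shown in the question. The IP addresses and the two 00:00:5e MACs are constructed sample data, and `mac_flags` and `review_arp_replies` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample ARP reply lines in the question's "Info" column style.
# Only 1a:e1:3d:ca:4c:ac comes from the page; the rest are documentation values.
SAMPLE_ARP_INFO = [
    "192.0.2.1 is at 1a:e1:3d:ca:4c:ac",
    "192.0.2.1 is at 00:00:5e:00:53:10",
    "192.0.2.7 is at 00:00:5e:00:53:22",
]

ARP_REPLY = re.compile(r"^(\S+) is at ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$")


def mac_flags(mac):
    """Return (locally_administered, group) read from the first octet."""
    first = int(mac.split(":")[0], 16)
    # 0x02 is the U/L bit (second-lowest bit), 0x01 is the I/G bit (lowest bit).
    return bool(first & 0x02), bool(first & 0x01)


def review_arp_replies(info_lines):
    """Collect which MACs claim each IP and return (ip, mac, reason) findings."""
    claims = defaultdict(set)
    for line in info_lines:
        match = ARP_REPLY.match(line.strip())
        if match:
            claims[match.group(1)].add(match.group(2).lower())

    findings = []
    for ip, macs in sorted(claims.items()):
        for mac in sorted(macs):
            locally_administered, _group = mac_flags(mac)
            if locally_administered:
                # No OUI lookup is possible: the address was not vendor-assigned.
                findings.append((ip, mac, "locally-administered"))
        if len(macs) > 1:
            # Same IP answered for by different MACs within one capture.
            findings.append((ip, ",".join(sorted(macs)), "multiple-macs"))
    return findings


if __name__ == "__main__":
    for finding in review_arp_replies(SAMPLE_ARP_INFO):
        print(finding)
```

A locally administered address on its own is common (virtual interfaces and MAC randomization both produce them), so the second finding, one IP answered for by several MACs, is the one to compare against the gateway's known hardware address.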
