This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why do I see this unknown mac address in the captured packets?

0

I am on a wifi network. I am using a wifi adapter to connect to a wifi hotspot. In the captured packets, I see a lot of packets to and from an unknown mac address. If I search the mac address's vendor I get no vendor.

628 114.574792  manufacturer_xx:xx:xx   1a:e1:3d:ca:4c:ac   ARP 42  Who has 192.xxx.xxx.1? Tell 192.xxx.xxx.xxx
629 114.588296  1a:e1:3d:ca:4c:ac   manufacturer_xx:xx:xx   ARP 42  192.xxx.xxx.1 is at 1a:e1:3d:ca:4c:ac

The manufacturer_xx:xx:xx is my wifi adapter. 192.xxx.xxx.1 is the default gateway IP and 192.xxx.xxx.xxx is the machine IP. The interesting fact is that 1a:e1:3d:ca:4c:ac is not the MAC of the default gateway. The unknown MAC is communicating a lot with the network. I have a pcapng file of 29,206 packets. If I apply the display filter eth.dst == 1a:e1:3d:ca:4c:ac, I see that around 40.1% of the packets went to the unknown MAC.

asked 30 Aug '17, 03:39

mgtheboss
11113
accept rate: 0%


One Answer:

0

That looks like a locally administered MAC, as the U/L bit is set (this is the second bit of the first octet, i.e. 1a -> 0001 1010). As such there is no manufacturer.

Wireshark should be informing you of the fact that the MAC is locally administered; what does it show in the packet tree? An example is shown here.

answered 30 Aug '17, 04:13

grahamb ♦
19.8k330206
accept rate: 22%

edited 30 Aug '17, 04:15
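
The U/L-bit check described in the answer, applied to ARP replies, as an added example that is not part of the original thread. The sample lines, the 192.0.2.x addresses, the 00:11:22:... MACs and the `expected` mapping are constructed for illustration; only 1a:e1:3d:ca:4c:ac comes from the question.

```python
import re

MAC_RE = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
ARP_REPLY = re.compile(rf"(\S+) is at ({MAC_RE})")

def mac_bits(mac):
    """Decode the two flag bits carried in the first octet of a MAC address."""
    if not re.fullmatch(MAC_RE, mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    first = int(mac[:2], 16)
    return {
        "locally_administered": bool(first & 0x02),  # U/L bit, 0x1a = 0001 1010
        "group": bool(first & 0x01),                 # I/G bit (multicast/broadcast)
    }

def review_arp_replies(summary_lines, expected):
    """Return one finding per distinct (IP, MAC) binding seen in ARP replies.

    expected maps an IP to the MAC believed to own it (hypothetical input,
    for instance taken from the router's label or admin page).
    """
    findings, seen = [], set()
    for line in summary_lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue  # ARP requests and other traffic carry no binding
        ip, mac = m.group(1), m.group(2).lower()
        if (ip, mac) in seen:
            continue
        seen.add((ip, mac))
        known = expected.get(ip)
        findings.append({
            "ip": ip,
            "mac": mac,
            "locally_administered": mac_bits(mac)["locally_administered"],
            "matches_expected": None if known is None else known.lower() == mac,
        })
    return findings

# Constructed packet-list lines in the same layout as the question's excerpt.
SAMPLE = [
    "628 114.574792 00:11:22:33:44:55 1a:e1:3d:ca:4c:ac ARP 42 Who has 192.0.2.1? Tell 192.0.2.20",
    "629 114.588296 1a:e1:3d:ca:4c:ac 00:11:22:33:44:55 ARP 42 192.0.2.1 is at 1a:e1:3d:ca:4c:ac",
    "701 120.100000 00:11:22:33:44:66 00:11:22:33:44:55 ARP 42 192.0.2.1 is at 00:11:22:33:44:66",
    "702 121.000000 00:11:22:33:44:77 00:11:22:33:44:55 ARP 42 192.0.2.7 is at 00:11:22:33:44:77",
    "703 122.000000 1a:e1:3d:ca:4c:ac 00:11:22:33:44:55 ARP 42 192.0.2.1 is at 1a:e1:3d:ca:4c:ac",
]
EXPECTED = {"192.0.2.1": "00:11:22:33:44:66"}  # assumed known gateway MAC

if __name__ == "__main__":
    for finding in review_arp_replies(SAMPLE, EXPECTED):
        print(finding)
```

A set U/L bit only says the address was not taken from a vendor OUI; the `matches_expected` column is what shows whether the binding for the gateway IP differs from the one you know.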