Posted by Walter Roberson on August 13, 2005, 9:55 pm
This is not a pure ethernet issue, but I couldn't think of which newsgroup
would be more specific.
I'm wondering if there is some (possibly Windows-specific) correlation between
multicast and ethernet MACs of the form
00:95:??:??:00:95 or
00:96:??:??:00:96
??
I've been having a heck of a time trying to pin down the source of
some packets on my network.
All of my switches report seeing the MACs on the port that is their
uplink in the direction of our LAN router, and for at least half of the
switches, the MACs are pretty much always present (they appear and
disappear on other switches.) Most of the time the MACs are NOT in the
LAN router bridge or routing tables -- and when they do show up
(usually for short intervals) they show up against a variety of IPs.
After a fair bit of probing and port mirroring, I have been able to
see that the particular MAC I was probing is used as the source of
IGMP announcements for a few different IP addresses, sometimes mixed
together within a few minutes of each other, but more often in clumps
in which only one of the IPs is active on the MAC.
Several years ago I had a situation in which I had a few persistent
MACs that I could not trace down; I blamed the failure then on
the then-current equipment; after it was upgraded, I didn't notice
any further tracking issues. Recently, though, I wrote new switch
probe tools that monitor for active MACs at regular intervals,
and I found one I couldn't seem to chase down. About an hour ago,
another showed up that hadn't ever been recorded before.
The interesting bit about these untraceable MACs, past and present,
is that they are all of the form mentioned above, 00:96:??:??:00:96
for the current ones, and 00:95:??:??:00:95 for one of the ones
historically. For example, I am chasing 00:96:E4:10:00:96 and
the one that showed up today is 00:96:E6:EC:00:96
The former of those is associated with a few common multicast groups,
such as 224.0.1.22, and the less common multicast group 235.80.68.83.
[One poster narrowed the latter down to Certificate Authority; no-one
else seems to know which part of the Windows NT family uses
that multicast IP.]
Does any of this sound familiar to anyone? Windows, multicast, IGMP,
[seemingly-] virtual MACs in the unicast space?
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
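
Added example, not part of the original post and not the poster's probe tool: a sketch of how polled switch MAC tables could be screened for addresses of the form described above, generalized to any MAC whose first two octets repeat as its last two. The switch names, port names, uplink map and sample rows are constructed assumptions; only 00:96:E4:10:00:96 and 00:96:E6:EC:00:96 come from the post.

```python
import re
from collections import defaultdict

# Constructed sample: (switch, port, MAC) rows as a MAC-table poll might return them.
# Switch names, port names and the uplink map are hypothetical.
SAMPLE_ROWS = [
    ("sw1", "Gi0/24", "00:96:E4:10:00:96"),
    ("sw2", "Gi0/24", "00-96-e4-10-00-96"),
    ("sw2", "Gi0/24", "0096.e6ec.0096"),
    ("sw1", "Gi0/3",  "00:11:22:33:44:55"),
    ("sw3", "Gi0/7",  "00:95:AB:CD:00:95"),
    ("sw3", "Gi0/24", "01:00:5E:00:01:16"),
]
UPLINKS = {"sw1": "Gi0/24", "sw2": "Gi0/24", "sw3": "Gi0/24"}

def parse_mac(text):
    """Return the 6 octets of a MAC written in colon, dash or dotted notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(digits)

def is_mirrored(mac):
    """True when the first two octets repeat as the last two (00:96:..:..:00:96)."""
    return mac[0:2] == mac[4:6]

def describe(mac):
    """Decode the I/G (multicast) and U/L (locally administered) bits."""
    return {"multicast": bool(mac[0] & 0x01),
            "locally_administered": bool(mac[0] & 0x02)}

def find_suspects(rows, uplinks):
    """Group mirrored-form MACs by address and note where each was learned."""
    seen = defaultdict(list)
    for switch, port, text in rows:
        mac = parse_mac(text)
        if is_mirrored(mac):
            seen[mac.hex(":").upper()].append((switch, port))
    report = {}
    for addr, places in seen.items():
        # Any sighting on a non-uplink port points at the attached host.
        edge = [(s, p) for s, p in places if uplinks.get(s) != p]
        report[addr] = {**describe(parse_mac(addr)), "seen": places,
                        "edge_ports": edge, "uplink_only": not edge}
    return report

if __name__ == "__main__":
    for addr, info in sorted(find_suspects(SAMPLE_ROWS, UPLINKS).items()):
        print(addr, info)
```

An address reported as `uplink_only` on every switch was never learned on an access port in the polled data, which matches the situation described in the post.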