multicast, MAC ending with 00:96 ?
DComTalk.com Forum Index DComTalk.com
Discussion of VoIP, VPN, Video Conferencen, DSL and other data commucations.
 
 FAQFAQ   MemberlistMemberlist     RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 
 
Google
 
Web dcomtalk.com
multicast, MAC ending with 00:96 ?

 
Post new topic   Reply to topic    DComTalk.com Forum Index -> Ethernet
Author Message
Walter Roberson
Guest
Posted: Sat Aug 13, 2005 9:55 pm    Post subject: multicast, MAC ending with 00:96 ? Reply with quote
This is not a pure ethernet issue, but I couldn't think of which newsgroup
would be more specific.


I'm wondering if there is some (possibly Windows-specific) correlation between
multicast and ethernet MACs of the form

00:95:??:??:00:95 or
00:96:??:??:00:96
??


I've been having a heck of time trying to pin down the source of
some packets on my network.

All of my switches report seeing the MACs on the port that is their
uplink in the direction of our LAN router, and for at least half of the
switches, the MACs are pretty much always present (they appear and
disappear on other switches.) Most of the time the MACs are NOT in the
LAN router bridge or routing tables -- and when they do show up
(usually for short intervals) they show up against a variety of IPs.

After a fair bit of probing and port mirroring, I have been able to
see that the particular MAC I was probing is used as the source of
IGMP announcements for a few different IP addresses, sometimes mixed
together within a few minutes of each other, but more often in clumps
in which only one of the IPs is active on the MAC.


Several years ago I had a situation in which I had a few persistant
MACs that I could not trace down; I blamed the failure then on
the then-current equipment; after it was upgraded, I didn't notice
any futher tracking issues. Recently, though, I wrote new switch
probe tools that monitor for active MACs at regular intervals,
and I found one I couldn't seem to chase down. About an hour ago,
another showed up that hadn't ever been recorded before.

The interesting bit about these untraceable MACs, past and present,
is that they are all of the form mentioned above, 00:96:??:??:00:96
for the current ones, and 00:95:??:??:00:95 for one of the ones
historically. For example, I am chasing 00:96:E4:10:00:96 and
the one that showed up today is 00:96:E6:EC:00:96
The former of those is associated with a few common multicast groups,
such as 224.0.1.22, and the less common multicast group 235.80.68.83.
[One poster narrowed the latter down to Certificate Authority; no-one
else seems to know which part of the Windows NT family uses
that multicast IP.]


Does any of this sound familiar to anyone? Windows, multicast, IGMP,
[seemingly-] virtual MACs in the unicast space?
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
Back to top
 
Post new topic   Reply to topic    DComTalk.com Forum Index -> Ethernet All times are GMT
Page 1 of 1

 
 You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum




VoIP Solutions: Telephone Systems Electronics Satellite TV Tech & Gadgets
Powered by phpBB