I can't find the device which is sending the ARP requests. The first three octets of the MAC address are 00ae13. But they are not assigned to a known manufacturer.

Does anybody have a clue what kind of device this could be?

StackzOfZtuff
mreg
  • Do you run virtual machines in your network? – Purefan Sep 10 '15 at 07:41
  • Yes, a couple of ESX servers and a lot of machines. – mreg Sep 10 '15 at 07:41
  • I'm trying to find evidence of this but my **guess** is that a hypervisor needs to fake the MAC address and is possibly leaving out the manufacturer, so what you see is just the actual device identifier and not the first 3 octets. I'll post again if I find something to support my guess. – Purefan Sep 10 '15 at 07:45
  • No, it's sending all digits, I just pasted the first 3 here. There are 6 digit groups as usual. – mreg Sep 10 '15 at 07:51
  • 00-ae-13-42-fb-11 – mreg Sep 10 '15 at 07:52
  • Ohh, I see, so you just want to know the manufacturer then? – Purefan Sep 10 '15 at 07:54
  • Would be nice, but I did not find it until now on well-known MAC identifier websites. – mreg Sep 10 '15 at 07:55
  • hehe, that's the registered trademark symbol ® – Purefan Sep 10 '15 at 07:55
  • what do you mean? – mreg Sep 10 '15 at 07:58
  • in UTF-16 0x00AE equals the HTML entity `®`, but if you have virtual machines I wouldn't be surprised if the MAC addresses were just randomly generated – Purefan Sep 10 '15 at 08:01
  • As far as I could check, all VMs have MACs starting with 00:50 on all interfaces. You mean that even if an interface has a MAC starting with 0050 it can send ARP with source address 00ae? – mreg Sep 10 '15 at 08:03
  • nope, what I meant was that when the virtual NIC is created, the hypervisor may assign the MAC a non-existent manufacturer identifier. But if all your devices' MACs start with 00:50 I would look into MAC address spoofing, maybe related to this https://technet.microsoft.com/en-us/magazine/ff458341.aspx – Purefan Sep 10 '15 at 08:07
  • What I understood from the article, this phrase "You can override the virtual network adapter MAC address configuration using the NetworkAddress key in the virtual machine registry" is basically what I suspected, that on interface 0050 the machine can send out packets with source 00ae. Or am I wrong? – mreg Sep 10 '15 at 08:16
  • That is my understanding as well – Purefan Sep 10 '15 at 08:39

1 Answer


If you happen to use managed switches, you could log into them and look at their forwarding table to see on which port of the switch this MAC address is registered. You could then follow the trail up to its source.

How to look at the forwarding table depends on the manufacturer of your switches. If your switch has a command line interface and you're familiar with the terminal, try "show mac-address" (I know it works on both my HP and Brocade switches). Otherwise look at the web GUI.

If your switch is not managed, or you don't have access to it, maybe you could find who's sending by capturing these ARP packets at various places in your network: try sniffing the network using Wireshark or tcpdump on a suspicious VM, or on the physical network interface of your ESXi...

my 2 cents :)

CuriousFab
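The capture-based step of the answer, together with the comment thread's point that a VM can send ARP carrying a MAC that is not the one its virtual NIC was given, as an added example that is not part of the original question, comments or answer: a Python script that decodes raw Ethernet/ARP frames, compares the Ethernet source MAC with the ARP sender hardware address (two separate fields a host can fill independently), and checks the sender's OUI and its U/L bit. The sample frames and the tiny OUI table are constructed for the demonstration; the only addresses taken from the page are the asker's 00:ae:13:42:fb:11 and VMware's 00:50:56 prefix.

```python
"""Inspect ARP frames: do the two MAC fields agree, and is the OUI known?

Added example, not code from the original post or its authors.  Frames and
the OUI table below are constructed for the demonstration.
"""
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

# Assumption: only these prefixes count as "known" here.  A real check
# would load the IEEE MA-L registry (oui.txt) instead of this stand-in.
KNOWN_OUI = {
    "00:50:56": "VMware, Inc.",
}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def build_arp_request(eth_src: str, sha: str, spa: str, tpa: str) -> bytes:
    """Ethernet II frame carrying an ARP who-has.  eth_src (Ethernet header)
    and sha (ARP sender hardware address) are separate parameters because a
    host is free to put different values in the two fields."""
    eth = struct.pack("!6s6sH", BROADCAST, mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, 1,            # Ethernet, IPv4, request
                      mac_bytes(sha), socket.inet_aton(spa),
                      b"\x00" * 6, socket.inet_aton(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and the ARP body of one raw frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    (htype, ptype, hlen, plen, op,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {
        "eth_dst": mac_str(dst),
        "eth_src": mac_str(src),
        "op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
        "arp_sha": mac_str(sha),
        "arp_spa": socket.inet_ntoa(spa),
        "arp_tha": mac_str(tha),
        "arp_tpa": socket.inet_ntoa(tpa),
    }


def classify_mac(mac: str) -> dict:
    """OUI lookup plus the two flag bits carried in the first octet."""
    first = int(mac[:2], 16)
    oui = mac[:8]
    return {
        "oui": oui,
        "multicast": bool(first & 0x01),              # I/G bit
        "locally_administered": bool(first & 0x02),   # U/L bit
        "vendor": KNOWN_OUI.get(oui),
    }


def audit(frames):
    """Return (arp_sha, eth_src, reasons) for each frame worth a closer look:
    the two MAC fields disagree, or the sender uses a universally
    administered address whose OUI is not in the table."""
    findings = []
    for frame in frames:
        p = parse_arp_frame(frame)
        info = classify_mac(p["arp_sha"])
        reasons = []
        if p["arp_sha"] != p["eth_src"]:
            reasons.append("arp sender differs from ethernet source")
        if info["vendor"] is None and not info["locally_administered"]:
            reasons.append("unregistered OUI with U/L bit clear")
        if reasons:
            findings.append((p["arp_sha"], p["eth_src"], reasons))
    return findings


# Constructed sample traffic (not captured from the asker's network).
SAMPLE_FRAMES = [
    # ordinary VMware guest: both fields agree and the OUI is known
    build_arp_request("00:50:56:9a:01:02", "00:50:56:9a:01:02",
                      "10.0.0.10", "10.0.0.1"),
    # the mystery sender: unregistered OUI, both fields agree
    build_arp_request("00:ae:13:42:fb:11", "00:ae:13:42:fb:11",
                      "10.0.0.42", "10.0.0.1"),
    # guest overriding its MAC in software while the frame still leaves
    # with the vNIC's own address in the Ethernet header
    build_arp_request("00:50:56:9a:03:04", "00:ae:13:42:fb:11",
                      "10.0.0.42", "10.0.0.1"),
]

if __name__ == "__main__":
    for sha, src, reasons in audit(SAMPLE_FRAMES):
        print(f"{sha} (eth src {src}): {', '.join(reasons)}")
```

Fed with frames read from a pcap taken on the ESXi uplink or inside a suspect VM, the same comparison tells you whether the odd address is what the vNIC actually puts on the wire or only what the guest writes into the ARP body; `tcpdump -e -n arp` prints the link-level header so the two can also be compared by eye. The U/L bit is the other check worth keeping: a MAC whose first octet has the 0x02 bit set is locally administered and need not match any vendor, whereas 00:ae:13 has that bit clear, so its prefix would normally be a registered OUI.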