Using MAC address prefix AB:CD:EF

I'm trying to use tcprewrite to change the source MAC address of some packets. I deliberately chose the prefix AB:CD:EF that does not belong to any hardware manufacturer so that I can distinguish such packets from other real packets. The packets are played to a server via a Cisco switch.

I realized that my server can't capture any packets with the MAC prefix AB:CD:EF, but when I changed the prefix to 00:00:08, which belongs to Xerox, these packets can be captured.

Is this because the switch can tell that the AB:CD:EF MAC prefix is not valid and drops the packets?

Rayne

Posted 2011-10-19T08:29:28.367

Reputation: 479

Answers

0xAB is 10101011. Those last two bits signify locally-administered and multicast.

I expect that, and a poisoned ARP-cache, cause the symptoms you see.

See Wikipedia

If the least significant bit of the most significant address octet is set to 1, the frame will still be sent only once; however, NICs will choose to accept it based on different criteria than a matching MAC address: for example, based on a configurable list of accepted multicast MAC addresses. This is called multicast addressing.

The IEEE has assigned AC-DE-48 to “PRIVATE”. They use that as an example value in some of their documents.

RedGrittyBrick

Posted 2011-10-19T08:29:28.367

Reputation: 70 632

Most likely because there's no Ethernet interface with such MAC address. Try changing your MAC address to that and see what happens.

m0skit0

Posted 2011-10-19T08:29:28.367

Reputation: 1 317

I have tried that. Packets with the AB:CD:EF prefix aren't captured, but packets with the 00:00:08 prefix are. Is the switch intelligent enough to recognize invalid MAC prefixes? – Rayne – 2011-10-19T09:01:20.500

1That cannot be the issue because what if that prefix goes valid on the future? The switch would be useless. Check RedGrittyBrick's answer. – m0skit0 – 2011-10-19T09:45:46.820