Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Unknown OUI's...

From: "Phillip Nelson" <pnelson () arrow com>
Date: Mon, 9 Nov 2009 10:53:48 -0500
Dan, I tried that. I even looked for static, permanent and system mac's.
These mac's weren't in a table anywhere. We have strictly a hub and
spoke network with no redundancies. I thought of a topology change.
There were no spanning tree packets to indicate a topology change.
 
Oy.
 
Thanks for the quick response.
 
 
Phil Nelson
Arrow ECS
Infrastructure Engineer, Senior
28600 Fountain Pkwy
Solon, Ohio 44139
 
email- pnelson () arrow com
w-216-332-3405
c-330-524-0463
f- 440-498-5178
 

________________________________

From: wireshark-users-bounces () wireshark org
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of
Dan_Wood () 3com com
Sent: Monday, November 09, 2009 10:41 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Unknown OUI's...


You may want to try: 

show mac-address-table address <MAC Address: XX.XX..XX.XX.XX.XX> 

This should give you the interface.  Since the packets are unicast you
may have had some sort of topology change.  This would cause the
mac-address table aging to become very short (STP forwarding delay?) and
cause flooding until convergence.  Normally, convergence would be
somewhat short but it can take a long time if you have a flacky fiber
run that are causing link up/downs (Topology changes). 

Thanks, 

Daniel Wood  Network Engineer | 3Com Corporation 
  * 350 Campus Dr. M/S 2.5.258, Marlborough, MA 01752 
  * Dan_Wood () 3Com com
<mailto:Dan_Wood () 3Com com?subject=Dan%20is%20the%20best!>  
  * Service and Support FAQ <http://servicefaq.3com.com/>  & Forums
<http://servicefaq.3com.com/> . 




From:        <Tim.Poth () bentley com> 
To:        <wireshark-users () wireshark org> 
Date:        11/09/2009 10:26 AM 
Subject:        Re: [Wireshark-users] Unknown OUI's... 
Sent by:        wireshark-users-bounces () wireshark org 

________________________________




  
This looks like Crestron 
http://www.crestron.com/products/show_products.asp?type=commercial
<http://www.crestron.com/products/show_products.asp?type=commercial>  
  
Heidelbe has a few more hits so good luck there 
http://standards.ieee.org/cgi-bin/ouisearch
<http://standards.ieee.org/cgi-bin/ouisearch>  
  
I am way out of date on my cisco but I think you can look at what mac
addresses are attached to what ports, might take some time but should be
able to track down the port, unplug it and wait for someone to complain
about something not working. 
  
Good luck 
tim 
  
From: wireshark-users-bounces () wireshark org [
mailto:wireshark-users-bounces () wireshark org
<mailto:wireshark-users-bounces () wireshark org> ] On Behalf Of Phillip
Nelson
Sent: Monday, November 09, 2009 10:14 AM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] Unknown OUI's... 
  
I just experienced a Vlan saturation event where the following source
and destination MAC address were in all the packets causing the
saturation. Does anyone recognize the OUI's of these two addresses? I
have tried to look them up and can't find them anywhere. 
  
The network has a 6509 for its core and 30 switches connected by fiber.
Of the 30 switches, 11 are 4003's. Of the 4003's, 5 were affected by the
storm and only two were participating in the storm. The trace was taken
from the Cisco 6509 and the two participating Cisco 4003's. The
broadcast storm was exactly the same between the two switches. We have
ruled out all devices connected to the switches. We cannot find the MAC
addresses anywhere on the network. We stopped the storm by resetting all
the ports on the two 4003's. 
  
  
Heidelbe_ab:99:6f        Crestron_eb:ac:cf             0x883d
Ethernet II 
  
Phil Nelson 
Arrow ECS 
Infrastructure Engineer, Senior 
28600 Fountain Pkwy 
Solon, Ohio 44139 
  
email- pnelson () arrow com <mailto:pnelson () arrow com>  
w-216-332-3405 
c-330-524-0463 
f- 440-498-5178 
 
________________________________________________________________________
___
Sent via:    Wireshark-users mailing list
<wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
<http://www.wireshark.org/lists/wireshark-users> 
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
<https://wireshark.org/mailman/options/wireshark-users> 
            
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
<mailto:wireshark-users-request () wireshark org?subject=unsubscribe>  

Please consider the environment before printing this e-mail.
________________
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster () 3com com. 



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: