
Suspicious broadcast packets

 

 



Jorik.Jonker at eu

Apr 8, 2011, 1:52 AM


Hi all,

A supplier reports that one of the XMR4000s we administer for a customer is violating port security. Further investigation shows that the switch seems to have developed a habit of sending suspicious broadcast packets to this supplier to and from a strange MAC address [1]. It is very odd, since source/destination contain "parts" of the chassis MAC (001b.edb1.1600), with a little bit shift in it.

Is this some protocol we should have turned off, or could it be that a part of the switch is losing itself?

Best regards,

Jorik Jonker

[1]:

Ethernet II, Src: 16:00:08:06:00:01 (16:00:08:06:00:01), Dst:ff:ff:00:1b:ed:b1 (ff:ff:00:1b:ed:b1)
    Destination: ff:ff:00:1b:ed:b1 (ff:ff:00:1b:ed:b1)
        Address: ff:ff:00:1b:ed:b1 (ff:ff:00:1b:ed:b1)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: 16:00:08:06:00:01 (16:00:08:06:00:01)
        Address: 16:00:08:06:00:01 (16:00:08:06:00:01)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Type: IP (0x0800)
    Trailer: 040001001BEDB11600D9AA1384000000000000D9AA138400...
Internet Protocol
    Version: 0
    Header length: 24 bytes
    Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN:0x00)
        0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total length: 1 bytes (bogus, less than header length 24)



_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


niels=foundry-nsp at bakker

Apr 8, 2011, 8:34 AM

Re: Suspicious broadcast packets

* Jorik.Jonker [at] eu (Jorik Jonker) [Fri 08 Apr 2011, 10:53 CEST]:
>Is this some protocol we should have turned off, or could it be that
>a part of the switch is losing itself?

Looks like either the receiver or the sender is inserting two bytes
with all bits set at the beginning of some frames. Let me guess: this
concerns port 1/8 on your XMR? That's not legal Ethernet, though, as
your Wireshark dump already shows (frame length of 1).

I've not seen this particular failure mode myself but I hope that
doesn't say too much. :) I'd try switching ports and if possible
linecards on both sides, see if the problem goes away after doing one
action at a time, and send the broken hardware back to the vendor
after isolating.


-- Niels.
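
An added example, not part of either post: a check that re-reads the captured bytes using the known chassis MAC as the alignment anchor, to measure how far the frame is shifted and what it decodes to at that alignment. OBSERVED is rebuilt from the decoded fields in the first post's dump (the 0x06 byte is inferred from "Version: 0" and "Header length: 24 bytes"); the function names are this example's own.

```python
import struct

CHASSIS_MAC = bytes.fromhex("001bedb11600")  # chassis MAC quoted in the first post
SRC_OFFSET = 6                               # Ethernet II: source MAC follows 6 dst bytes

# Rebuilt from the dump's decoded fields: Dst, Src, Type, the first IP byte
# (0x06 = Version 0 / header length 24), then the Trailer bytes up to its "...".
OBSERVED = bytes.fromhex(
    "ffff001bedb1" "160008060001" "0800" "06"
    "040001001bedb11600d9aa1384000000000000d9aa138400"
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def find_shift(frame, known_src=CHASSIS_MAC):
    """Distance of the known source MAC from its normal offset.
    Negative: leading bytes missing. Positive: extra leading bytes.
    None: the MAC is not in the first 32 bytes."""
    pos = frame[:32].find(known_src)
    return None if pos < 0 else pos - SRC_OFFSET

def decode_realigned(frame, known_src=CHASSIS_MAC):
    """Re-read the frame with the known source MAC as the alignment anchor."""
    shift = find_shift(frame, known_src)
    if shift is None or len(frame) < SRC_OFFSET + shift + 8:
        return None
    start = SRC_OFFSET + shift  # where the source MAC actually sits
    (ethertype,) = struct.unpack_from("!H", frame, start + 6)
    out = {"shift": shift, "before_src": frame[:start].hex(),
           "src": mac(frame[start:start + 6]), "ethertype": ethertype}
    body = start + 8
    if ethertype == 0x0806 and len(frame) >= body + 28:  # ARP over Ethernet/IPv4
        htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack_from(
            "!HHBBH6s4s6s4s", frame, body)
        out["arp"] = {"oper": oper, "sha": mac(sha), "tha": mac(tha),
                      "spa": ".".join(map(str, spa)), "tpa": ".".join(map(str, tpa))}
    return out

if __name__ == "__main__":
    print(decode_realigned(OBSERVED))
```

On these bytes the chassis MAC sits at offset 2 rather than 6, and read from that alignment the EtherType is 0x0806 with an ARP request body. The check shows the alignment only; it does not say which device on the link damaged the frame.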
