Vendor: "(fake)" MAC: "000000000000" ?

I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering. There are two laptops in the house, one a Sony VAIO with a Linksys CardBus wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel

2200BG minicard (driver v 9.0.1.9).

Since my connectivity on the HP has been somewhat flakey (801.11g), I frequently fire up NetStumbler just to see what's up. Lately I have noticed another apparent connection at my same SSID and channel (1), but with the NetStumbler info: Vendor: "(fake)" MAC: "000000000000"

My guess is that the one laptop is just seeing the other laptop somehow as it talks back to the router; but it does make me nervous. Is this normal?

Thanks for your feedback!

~Nemo

fwiw Distant neighbor here had netgear AP showing in nStumbler and recently changed his mac#'s and now his AP shows as Fake with same ssid name.

The assumption is that the O/P is running some version of windoze. Does the command "ipconfig /all" on each box show it's own MAC address?

First three octets "00:00:00:" is a valid OUI - it's assigned to Xerox. However, that block was used for the experimental 3 MHz Ethernet that preceded 10Base5 also known as ThickNet. In theory, the very first Ethernet interface ever made might have been serial number zero (giving the MAC address of 00:00:00:00:00:00), but that was in the mid-late 1970s. There was still a single 3 MHz network at PARC as late as 1995, but I think the last host on that net was shipped to a museum in 1996 or 1997.

A much more probable answer is that all you are seeing with an all zero MAC is that the application can't figure out the address and is giving an empty answer.

Old guy

I apologize for my Windo-centricity. One laptop is XP Pro, the other CP Home. All devices on my lan appear to have valid MAC addresses. I have a network bridge defined, but it's disabled.

Knowing that the first three octets specify the manufacturer or vendor, one can then infer that NetStumbler provided the string "(fake)", because it was missing from its vendor table.

I guess the real question is, what is generating the apparently spurious "connection"? Being a bit paranoid, when I first saw this entry, I suspected someone might be trying to break in.

Maybe my "disabled" bridge is leaking? The signal strength was about 10dB below that of my router.

[compton ~]$ zgrep -c '^[0-F][0-F][0-F]' MACaddresses.gz 8063 [compton ~]$ ls -Ll MACaddresses.gz

-rw-r--r-- 1 root root 402678 Feb 19 20:59 MACaddresses.gz [compton ~]$

What that is saying is that there are 8063 blocks assigned as of February

19th. So, it's not entirely unlikely that NetStumbler lacks the full OUI table. Even when compressed, the file is 400K, although if you want only the MAC and company name, it's about a sixth that size. What may be more likely is noting the address is _all_ zeros. That positively SCREAMS fake.

I suppose it's possible. I'd yield to Jeff Liebermann's opinion on that. I'm more used to hardwired networks, as I've been working with them for over 25 years.

Old guy

that sounds plausible.. Another couple of wireless networks recently popped up in my neighbourhood. One of them showed up as with the zero mac address.. It was something to do with the other access points rather than mine cause it didnt go away when i unplugged mine or changed the channel that mine operated on.

I haven't seen a MAC of all zeroes, but I have seen a MAC with an OUI (first three octets) of all zeroes: 00.00.00-00.38.39. Everything about the entry in NetStumbler was bogus. The icon was for a wired Ethernet, the SSID and channel were blank, SNR was

514, flags 0x80ed, and the beacon interval was 22432. I surmise that NetStumbler has misinterpreted some other frame for a beacon frame or a probe response frame.

Similarly I saw a MAC of 78.11.1c-9c.00.13. The icon was a normal circle, but the channel showed [257] (yes, with the brackets), the SNR was -720, flags equal 0000, and the beacon interval was 10. The IEEE says there's no such OUI (see:

Finally, I saw an entry which I surmise to be valid, but I don't think that the NetStumbler documentation describes. The icon is for a wired Ethernet, and this time I believe that this is the correct interpretation. How can I be detected a wired AP? Because the entry below (before) it is for a wireless AP on the same network. Apparently the AP that shows as wired has sent some 802.11 management frames through the Distribution System (DS) to the AP that shows as wireless, and the wireless (poetic license) AP has forwarded this frame. I'll have to read more on this to be certain, but that might be difficult since there is no standard yet for the DS, wireless or otherwise (although 802.11F is in the works). For this wired AP, NetStumbler shows no channel, speed, type, SNR, or beacon interval. It shows flags of 0000, IP addr, subnet, SSID, AP name, and vendor.

Ron Bandes CCNP, CISSP, CTT+, etc.