Don't know if it will help, but at work I have a linux samba server running as a service on a Win XP system with a bridged connection. The bridged connection appears as a zero MAC address.
Don't know if it will help, but at work I have a linux samba server running as a service on a Win XP system with a bridged connection. The bridged connection appears as a zero MAC address.
I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering. There are two laptops in the house, one a Sony VAIO with a Linksys CardBus wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
2200BG minicard (driver v 9.0.1.9).Since my connectivity on the HP has been somewhat flakey (801.11g), I frequently fire up NetStumbler just to see what's up. Lately I have noticed another apparent connection at my same SSID and channel (1), but with the NetStumbler info: Vendor: "(fake)" MAC: "000000000000"
My guess is that the one laptop is just seeing the other laptop somehow as it talks back to the router; but it does make me nervous. Is this normal?
Thanks for your feedback!
~Nemo
fwiw Distant neighbor here had netgear AP showing in nStumbler and recently changed his mac#'s and now his AP shows as Fake with same ssid name.
The assumption is that the O/P is running some version of windoze. Does the command "ipconfig /all" on each box show it's own MAC address?
First three octets "00:00:00:" is a valid OUI - it's assigned to Xerox. However, that block was used for the experimental 3 MHz Ethernet that preceded 10Base5 also known as ThickNet. In theory, the very first Ethernet interface ever made might have been serial number zero (giving the MAC address of 00:00:00:00:00:00), but that was in the mid-late 1970s. There was still a single 3 MHz network at PARC as late as 1995, but I think the last host on that net was shipped to a museum in 1996 or 1997.
A much more probable answer is that all you are seeing with an all zero MAC is that the application can't figure out the address and is giving an empty answer.
Old guy
I apologize for my Windo-centricity. One laptop is XP Pro, the other CP Home. All devices on my lan appear to have valid MAC addresses. I have a network bridge defined, but it's disabled.
Knowing that the first three octets specify the manufacturer or vendor, one can then infer that NetStumbler provided the string "(fake)", because it was missing from its vendor table.
I guess the real question is, what is generating the apparently spurious "connection"? Being a bit paranoid, when I first saw this entry, I suspected someone might be trying to break in.
Maybe my "disabled" bridge is leaking? The signal strength was about 10dB below that of my router.
[compton ~]$ zgrep -c '^[0-F][0-F][0-F]' MACaddresses.gz 8063 [compton ~]$ ls -Ll MACaddresses.gz
-rw-r--r-- 1 root root 402678 Feb 19 20:59 MACaddresses.gz [compton ~]$
What that is saying is that there are 8063 blocks assigned as of February
19th. So, it's not entirely unlikely that NetStumbler lacks the full OUI table. Even when compressed, the file is 400K, although if you want only the MAC and company name, it's about a sixth that size. What may be more likely is noting the address is _all_ zeros. That positively SCREAMS fake.
I suppose it's possible. I'd yield to Jeff Liebermann's opinion on that. I'm more used to hardwired networks, as I've been working with them for over 25 years.
Old guy
that sounds plausible.. Another couple of wireless networks recently popped up in my neighbourhood. One of them showed up as with the zero mac address.. It was something to do with the other access points rather than mine cause it didnt go away when i unplugged mine or changed the channel that mine operated on.
I haven't seen a MAC of all zeroes, but I have seen a MAC with an OUI (first three octets) of all zeroes: 00.00.00-00.38.39. Everything about the entry in NetStumbler was bogus. The icon was for a wired Ethernet, the SSID and channel were blank, SNR was
514, flags 0x80ed, and the beacon interval was 22432. I surmise that NetStumbler has misinterpreted some other frame for a beacon frame or a probe response frame.Similarly I saw a MAC of 78.11.1c-9c.00.13. The icon was a normal circle, but the channel showed [257] (yes, with the brackets), the SNR was -720, flags equal 0000, and the beacon interval was 10. The IEEE says there's no such OUI (see:
Ron Bandes CCNP, CISSP, CTT+, etc.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.