multicast, MAC ending with 00:96 ?

This is not a pure ethernet issue, but I couldn't think of which newsgroup would be more specific.

I'm wondering if there is some (possibly Windows-specific) correlation between multicast and ethernet MACs of the form

00:95:??:??:00:95 or 00:96:??:??:00:96 ??

I've been having a heck of a time trying to pin down the source of some packets on my network.

All of my switches report seeing the MACs on the port that is their uplink in the direction of our LAN router, and for at least half of the switches, the MACs are pretty much always present (they appear and disappear on other switches.) Most of the time the MACs are NOT in the LAN router bridge or routing tables -- and when they do show up (usually for short intervals) they show up against a variety of IPs.

After a fair bit of probing and port mirroring, I have been able to see that the particular MAC I was probing is used as the source of IGMP announcements for a few different IP addresses, sometimes mixed together within a few minutes of each other, but more often in clumps in which only one of the IPs is active on the MAC.

Several years ago I had a situation in which I had a few persistent MACs that I could not trace down; I blamed the failure then on the then-current equipment; after it was upgraded, I didn't notice any further tracking issues. Recently, though, I wrote new switch probe tools that monitor for active MACs at regular intervals, and I found one I couldn't seem to chase down. About an hour ago, another showed up that hadn't ever been recorded before.

The interesting bit about these untraceable MACs, past and present, is that they are all of the form mentioned above, 00:96:??:??:00:96 for the current ones, and 00:95:??:??:00:95 for one of the ones historically. For example, I am chasing 00:96:E4:10:00:96 and the one that showed up today is 00:96:E6:EC:00:96. The former of those is associated with a few common multicast groups, such as, and the less common multicast group [One poster narrowed the latter down to Certificate Authority; no-one else seems to know which part of the Windows NT family uses that multicast IP.]

Does any of this sound familiar to anyone? Windows, multicast, IGMP, [seemingly-] virtual MACs in the unicast space?

Walter Roberson
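
An added example, not part of the original post: one way to flag the MAC pattern described above in collected switch forwarding tables. It assumes the tables have already been gathered as (switch, port, MAC) entries and that each switch's uplink port is known; the function names and the sample table (apart from the two MACs quoted in the post) are constructed for illustration.

```python
import re
from collections import defaultdict

def parse_mac(text):
    """Normalise colon, hyphen or dotted MAC notation to six integer octets."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return tuple(int(digits[i:i + 2], 16) for i in range(0, 12, 2))

def classify(text):
    """Report the address-type bits and whether octets 1-2 repeat as octets 5-6."""
    o = parse_mac(text)
    return {
        "mac": ":".join(f"{b:02X}" for b in o),
        "group": bool(o[0] & 0x01),   # I/G bit set: multicast or broadcast
        "local": bool(o[0] & 0x02),   # U/L bit set: locally administered
        "mirrored": o[:2] == o[4:],   # e.g. 00:96:xx:xx:00:96
    }

def uplink_only_mirrored(entries, uplinks):
    """Mirrored-pattern unicast MACs that were never learned on an access port."""
    seen = defaultdict(set)
    for switch, port, mac in entries:
        info = classify(mac)
        if info["mirrored"] and not info["group"]:
            seen[info["mac"]].add((switch, port))
    return sorted(mac for mac, where in seen.items()
                  if all(port == uplinks[switch] for switch, port in where))

# Constructed sample: the two 00:96 MACs are the ones quoted in the post;
# switch names, ports and every other address are made up.
UPLINKS = {"sw1": "24", "sw2": "1"}
SAMPLE = [
    ("sw1", "24", "00:96:E4:10:00:96"),
    ("sw2", "1",  "0096.e410.0096"),      # same MAC, dotted notation
    ("sw2", "1",  "00-96-E6-EC-00-96"),
    ("sw2", "7",  "00:95:AA:BB:00:95"),   # mirrored, but on an access port
    ("sw1", "3",  "00:11:22:33:44:55"),   # ordinary host
    ("sw1", "24", "01:00:5E:00:00:16"),   # multicast destination, not a source
]

if __name__ == "__main__":
    for mac in uplink_only_mirrored(SAMPLE, UPLINKS):
        print(mac, classify(mac))
```

MACs returned by `uplink_only_mirrored` are the ones every switch attributes to its uplink, which is the situation the post describes; an entry on any access port drops the MAC from the list because it can then be traced to a physical port.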
