[KLUG Members] Purpose of strange packet?

Adam Williams members@kalamazoolinux.org
20 Apr 2002 10:48:35 -0400


>I entered the ether address (01:00:5e:01:02:03) into a google search and got
>some really interesting results. Below is a clip from one of the websites:

Yep, I found that too, but it doesn't explain anything.  While we have
four Cisco routers at the site, IGRP (a horrible proprietary protocol) is
specifically disabled on those devices, and blocked by firewall
devices.  The only routing protocol is elegant OSPF (on LAN and WAN
segments) redistributed as gnarly RIP on LAN segments for retarded NT
servers.  And I don't see any multi-cast UDP traffic from any of the
routers or servers.  I've looked around on MSN and they don't seem to
mention anything about multicasting to 225.1.2.3, but their site is
really geared toward answering idiotic questions, so I may simply not
have found it yet.
 
>>I was using ethereal to debug a java application when I picked up
>>something I didn't recognize.
>>I have a WinY2k workstation chirping a UDP (source and destination port
>>402) packet to 225.1.2.3.  The destination MAC appears to be 01:00:5e:01:02:03,
>>which isn't a vendor ethereal recognizes and not one I can locate on the LAN.
>>I'm picking it up three switch hops away.
>>Other than this all the traffic is accounted for.
>> The packet looks like:
>> 0000  01 00 5e 01 02 03 00 03  47 62 a8 3c 08 00 45 00   ..^..... Gb¨<..E.
>> 0010  00 5a 86 16 00 00 20 11  6f 3c c0 a8 01 94 e1 01   .Z.... . o<À¨..á.
>> 0020  02 03 01 92 01 92 00 46  6d cf 52 65 71 75 65 73   .......F mÏReques
>> 0030  74 3d 47 65 74 53 65 72  76 65 72 0a 4d 41 43 2d   t=GetSer ver.MAC-
>> 0040  41 64 64 72 65 73 73 3d  30 30 30 33 34 37 36 32   Address= 00034762
>> 0050  41 38 33 43 0a 41 64 64  6c 2d 4d 41 43 2d 41 64   A83C.Add l-MAC-Ad
>> 0060  64 72 65 73 73 3d 0a 00                            dress=..
>>Anyone have a clue what this is?  (I hope I don't realize what it is 3
>>seconds after pressing send.... I hate it when that happens).

It almost looks like some kind of multi-cast ARPing.  Looking for a
server for the multicast stream it wants.  Does Active Directory use
multi-cast?  Why don't I see this from any of the other ~30 WinY2k
workstations?  The Samba PDC seems to be merrily ignoring the requests.
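The following decoder is an added example, not code from the thread or from either poster. It takes the hex dump quoted above (copied byte for byte, offsets and ASCII column stripped), walks the Ethernet, IPv4 and UDP headers, verifies both checksums, and parses the key=value payload. It also applies the standard IPv4 multicast-to-Ethernet mapping (RFC 1112: `01:00:5e` followed by the low 23 bits of the group address), which is why `01:00:5e:01:02:03` is not a vendor OUI that ethereal could name and not a host that can be found on the LAN: it is the group MAC for 225.1.2.3, and the frame is a multicast from 192.168.1.148. The field names in the returned dictionary are my own; only the standard library is used.

```python
import struct

# Constructed from the hex dump quoted in the thread; every byte is from the post.
FRAME = bytes.fromhex("""
01 00 5e 01 02 03 00 03 47 62 a8 3c 08 00 45 00
00 5a 86 16 00 00 20 11 6f 3c c0 a8 01 94 e1 01
02 03 01 92 01 92 00 46 6d cf 52 65 71 75 65 73
74 3d 47 65 74 53 65 72 76 65 72 0a 4d 41 43 2d
41 64 64 72 65 73 73 3d 30 30 30 33 34 37 36 32
41 38 33 43 0a 41 64 64 6c 2d 4d 41 43 2d 41 64
64 72 65 73 73 3d 0a 00
""")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an odd tail is zero-padded.
    Run over a header that already contains its checksum field, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def multicast_mac(group: str) -> str:
    """Ethernet address an IPv4 multicast group is sent to (RFC 1112 mapping)."""
    octets = [int(x) for x in group.split(".")]
    if not 224 <= octets[0] <= 239:
        raise ValueError("not an IPv4 multicast group: " + group)
    # 01:00:5e + low 23 bits: the top bit of the second octet is dropped,
    # so 32 different groups share one MAC (e.g. 225.1.2.3 and 239.129.2.3).
    return mac_str(bytes([0x01, 0x00, 0x5E, octets[1] & 0x7F, octets[2], octets[3]]))


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / UDP and a line-oriented key=value payload."""
    eth_dst, eth_src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    src, dst = ip[12:16], ip[16:20]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    # UDP checksum covers a pseudo-header (addresses, protocol, length) plus the datagram.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    payload = udp[8:ulen]
    fields = {}
    for line in payload.rstrip(b"\x00").split(b"\n"):
        if b"=" in line:
            key, value = line.split(b"=", 1)
            fields[key.decode("ascii")] = value.decode("ascii")
    ip_dst = ".".join(str(b) for b in dst)
    return {
        "eth_dst": mac_str(eth_dst),
        "eth_src": mac_str(eth_src),
        "ip_src": ".".join(str(b) for b in src),
        "ip_dst": ip_dst,
        "ttl": ttl,
        "udp_sport": sport,
        "udp_dport": dport,
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "udp_checksum_ok": ucsum == 0 or checksum(pseudo + udp[:ulen]) == 0,
        "dst_is_group_mac": 224 <= dst[0] <= 239 and mac_str(eth_dst) == multicast_mac(ip_dst),
        # The payload advertises a MAC; check it is the sender's own.
        "payload_mac_is_sender": fields.get("MAC-Address", "").lower() == mac_str(eth_src).replace(":", ""),
        "fields": fields,
    }


if __name__ == "__main__":
    for key, value in parse_frame(FRAME).items():
        print("%-22s %s" % (key, value))
```

Both checksums verify, so the capture is intact, and the payload's `MAC-Address` is the sending workstation's own MAC, which supports the reading that the host is announcing itself and asking a group for a server rather than talking to any particular machine. The TTL of 32 shows why the frame is still visible several hops away when the switches flood multicast.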