Date:      Wed, 27 Feb 2002 16:28:12 -0600 (CST)
From:      David La Croix <dlacroix@cowpie.acm.vt.edu>
To:        freebsd-questions@freebsd.org
Subject:   broadcast null in TCPDUMP output question
Message-ID:  <200202272228.g1RMSCt04165@cowpie.acm.vt.edu>

Can't think of a more appropriate place for this -- since it's a generic 
question, and both machines on the "lan" are running FreeBSD: here goes:

I have a small network:
486-66 router FreeBSD 4.5 (ethernet via cs (ISA nic)) (provides a NATed route to the net via a second cs nic)
  +
  DLink DSS8+ 10/100 switch
  +
K6 "workstation" FreeBSD 4.5 (ethernet via rl (PCI realtek 8139))   
this is where the tcpdump is running.

Currently, what's listed is all that's ON on the network.

Running "tcpdump -p ether broadcast" in addition to the rwhod and samba
noise, I'm also receiving "broadcast null" packets coming from a MAC address
I don't recognize:

16:13:17.101663 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000
16:16:08.871491 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000
16:19:00.641316 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000


These always come from the same MAC address, so I can rule out 
interference / corrupted packets, and they seem to come in regularly 
every 3 minutes or so.

I've tried to map the address to a manufacturer, but I keep coming up 
blank.  Could this be something being generated by the switch?  Why
would this use a MAC address prefix that's not assigned to a manufacturer?

Is this a side-effect of some hack the switch manufacturer put in the firmware
or is this a feature of one of the device drivers?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
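
Added example, not part of the original message: a small Python script that takes the tcpdump summary lines quoted above and reports, per source MAC, the OUI prefix, the group and locally-administered bits of the first octet, and the spacing between frames. The function names, the one-second jitter threshold and the assumption that the capture does not cross midnight are choices made for this example.

```python
import re
from datetime import datetime

# Constructed input: summary lines copied from the capture in the message,
# plus one hex-dump continuation line to show that it is skipped.
CAPTURE = """\
16:13:17.101663 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
                         0000 0000 0000 0000 0000 0000 0000 0000
16:16:08.871491 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
16:19:00.641316 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
"""

# timestamp, source MAC (tcpdump drops leading zeros), destination
LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) ((?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) > (\S+) ", re.I)

def parse(text):
    """Return {zero-padded source MAC: [timestamps]} for each summary line."""
    seen = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # hex dump and blank lines
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        mac = ":".join(f"{int(o, 16):02x}" for o in m.group(2).split(":"))
        seen.setdefault(mac, []).append(ts)
    return seen

def describe(mac, stamps, jitter_s=1.0):
    """Summarise one sender: address bits and inter-arrival gaps."""
    first = int(mac[:2], 16)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return {
        "oui": mac[:8],                             # prefix to look up in the IEEE registry
        "group_bit": bool(first & 0x01),            # set = multicast/broadcast source (invalid)
        "locally_administered": bool(first & 0x02), # set = not a vendor-assigned address
        "frames": len(stamps),
        "gaps_s": [round(g, 3) for g in gaps],
        # assumption: gaps within jitter_s of each other count as a fixed timer
        "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) < jitter_s,
    }

if __name__ == "__main__":
    for mac, stamps in parse(CAPTURE).items():
        print(mac, describe(mac, stamps))
```
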



