From owner-freebsd-questions  Wed Feb 27 14:29: 7 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253])
	by hub.freebsd.org (Postfix) with ESMTP id EA7FF37B430
	for <freebsd-questions@freebsd.org>; Wed, 27 Feb 2002 14:28:12 -0800 (PST)
Received: (from dlacroix@localhost)
	by cowpie.acm.vt.edu (8.11.6/8.11.6) id g1RMSCt04165
	for freebsd-questions@freebsd.org; Wed, 27 Feb 2002 17:28:12 -0500 (EST)
	(envelope-from dlacroix)
From: David La Croix <dlacroix@cowpie.acm.vt.edu>
Message-Id: <200202272228.g1RMSCt04165@cowpie.acm.vt.edu>
Subject: broadcast null in TCPDUMP output question
To: freebsd-questions@freebsd.org
Date: Wed, 27 Feb 2002 16:28:12 -0600 (CST)
X-Mailer: ELM [version 2.5 PL5]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG


Can't think of a more appropriate place for this -- since it's a generic 
question, and both machines on the "lan" are running FreeBSD: here goes:

I have a small network:
486-66 router FreeBSD 4.5 (ethernet via cs (ISA nic)) (provides a NATed route to the net via a second cs nic)
  +
  DLink DSS8+ 10/100 switch
  +
K6 "workstation" FreeBSD 4.5 (ethernet via rl (PCI realtek 8139))   
this is where the tcpdump is running.

Currently, what's listed is all that's ON on the network.

Running "tcpdump -p ether broadcast" in addition to the rwhod and samba
noise, I'm also receiving "broadcast null" packets coming from a MAC address
I don't recognize:

16:13:17.101663 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000
16:16:08.871491 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000
16:19:00.641316 0:48:54:70:f4:69 > Broadcast null I (s=0,r=0,C) len=42
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000


These always come from the same MAC address, so I can rule out 
interference / corrupted packets, and they seem to come in regularly 
every 3 minutes or so.

I've tried to map the address to a manufacturer, but I keep coming up 
blank.  Could this be something being generated by the switch?  Why
would this use a Mac address prefix that's not assigned to a manufacturer?

Is this a side-effect of some hack the switch manufacturer put in the firmware
or is this a feature of one of the device drivers?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message