Windows is doing what?


Day two at $new_job and I was asked the question that is asked of all the recent newbies apparently:

"Got any ideas why some windows boxes trigger security alerts within the network, by sending traffic from random MAC addresses?"

My answer: "Not got a scooby, but I'll have a look" :grin:

All I had to go on were the events in syslog, e.g. [redacted].net: Sep 21 12:34:56.063: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 666f.6e74.3e3c on port FastEthernet0/25

These packets come a couple at a time from any Windows box, and that could be it from that box for weeks, or there could be another couple half an hour later. They might be the same MAC address, they could be something different entirely.

66:6f:6e is not a valid vendor code. Nor are the vendor codes of any of the other violating MACs.

Spidey sense kicks in. Too much time puzzling makes me think 66? 6f? 6e? ASCII!

Lo and behold, 666f6e743e3c becomes font><

W

T

F

?

HTML. There is HTML where there should be a source MAC address. Windows is cutting out layers 2-5 and just spitting ASCII onto the wire.

So a bit of bash scripting later and I have a nice list of the snippets. Nearly all bits of html or javascript.
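The decoding step described above, written out as an added example rather than the post's own bash script: it parses syslog lines in the format quoted earlier, renders each offending MAC as ASCII, and flags the ones that are entirely printable text. The first sample line is the one from the post; the other three lines are constructed in the same format, and the function names are my own.

```python
import re
import string
from typing import Dict, List

# Constructed sample syslog excerpt. The first line is the one quoted in the
# post; the other three are made up in the same format for illustration.
SAMPLE_SYSLOG = """\
[redacted].net: Sep 21 12:34:56.063: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 666f.6e74.3e3c on port FastEthernet0/25
[redacted].net: Sep 21 12:41:02.118: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 3c2f.6469.763e on port FastEthernet0/25
[redacted].net: Sep 21 13:05:09.900: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56ab.cdef on port FastEthernet0/31
[redacted].net: Sep 21 13:07:44.002: %LINK-3-UPDOWN: Interface FastEthernet0/25, changed state to down
"""

# Matches the Cisco port-security violation message and captures MAC and port.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"(?P<mac>[0-9A-Fa-f.:-]+) on port (?P<port>\S+)"
)


def mac_to_bytes(mac: str) -> bytes:
    """Accept xxxx.xxxx.xxxx, xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; return 6 bytes."""
    hexdigits = re.sub(r"[.:-]", "", mac)
    if len(hexdigits) != 12 or not all(c in string.hexdigits for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def decode_mac(mac: str) -> str:
    """Render the six octets as ASCII, replacing non-printable bytes with '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in mac_to_bytes(mac))


def printable_ratio(mac: str) -> float:
    """Fraction of the six octets that fall in the printable ASCII range."""
    octets = mac_to_bytes(mac)
    return sum(1 for b in octets if 0x20 <= b <= 0x7E) / len(octets)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit; when set, the OUI is not IEEE-assigned."""
    return bool(mac_to_bytes(mac)[0] & 0x02)


def extract_violations(log_text: str) -> List[Dict[str, object]]:
    """Pull every port-security violation out of a syslog excerpt and annotate it."""
    records = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if not m:
            continue
        mac = m.group("mac")
        records.append({
            "port": m.group("port"),
            "mac": mac,
            "ascii": decode_mac(mac),
            "printable_ratio": printable_ratio(mac),
            "locally_administered": is_locally_administered(mac),
        })
    return records


def suspicious(records: List[Dict[str, object]], threshold: float = 1.0):
    """Violations whose source MAC is (by default entirely) printable text, as in the post."""
    return [r for r in records if r["printable_ratio"] >= threshold]


if __name__ == "__main__":
    for r in suspicious(extract_violations(SAMPLE_SYSLOG)):
        print(f"{r['port']:<18} {r['mac']}  -> {r['ascii']!r}")
```

Run against the sample, the two all-printable entries decode to "font><" and "</div>" while the third, which only has two printable octets, is left alone; feeding it a real syslog export rather than the embedded sample gives the same snippet list the post describes.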

Naff all about this in Google, but we think we now know the problem (well, it's the only thing we could think of). Fixing it is a lot of work. For someone else ;)

I'd love to be able to grab a capture of this in progress, so I can see what precedes and follows these glitches and what else is in this non packet, but not knowing what time, what machine, or even what datacenter it's going to happen in next, I'm not hopeful.

--edit-- thinking about it on the way home I notice something that links these packets. They're all part way through a request/response. None of the decoded fauxMACs are seven bytes from the start of an HTML page... Curious.
