FINAL SUMMARY: Unknown Host/Device Identified!

From: Tim Evans (oss670!tkevans@cs.umd.edu)
Date: Wed May 01 1991 - 12:22:35 CDT


A couple of weeks ago, I wrote about Sun's traffic(1M) showing me
unknown traffic on my net. Many of you responded with the suggestion
that I use etherfind(8) to dig into this further. I then posted
samples of etherfind's output, showing the unknown packets.
Dave Williams (exudnw@exurchin1.ericsson.se) forwarded me a list
of vendors and assigned address families to help with the search.

Unfortunately, the hardware addresses in these mystery packets
did not correspond with any vendor on the list. We finally
isolated and identified the devices, and I thought I'd pass
the information on.

The devices are RAD "Remote Ethernet Bridges" (REB's). These
are DOS PC's with hardware and software for bridging remote
ethernets via serial lines (in our case 56kb lines). The
traffic, according to the manufacturer, is routine communications
between the two bridges at either end of the 56kb line.

"Routine" meaning a packet every 100 ms!

For the record, these boxes use hardware address families

00:00:B0 and 01:00:B0

It seems more than a coincidence that there is only a 1-digit
difference in these two.

Does anyone actually police the utilization of these address
prefixes? Obviously, they're being issued to various vendors,
but is there anything that stops a vendor from just picking one
and using it, which appears to be what might have happened here?

-- 
INTERNET	tkevans%woodb@mimsy.umd.edu
UUCP 		...!{rutgers|ames|uunet}!mimsy!woodb!tkevans
US MAIL		6401 Security Blvd, 2-Q-2 Operations, Baltimore, MD  21235	
PHONE		(301) 965-3286
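
An added example, not part of the original post: in an Ethernet address the least significant bit of the first octet marks a group (multicast) address, so 01:00:B0 is the group form of the 00:00:B0 prefix rather than a second prefix. The sketch below normalizes addresses before a vendor lookup; the vendor table holds only the one entry reported in the post, and the sample addresses and function names are constructed for illustration.

```python
import re

# Constructed table: the only entry is the prefix reported in the post above.
KNOWN_OUIS = {"00:00:B0": "RAD Remote Ethernet Bridge (per the post)"}


def parse_mac(text):
    """Parse a colon- or dash-separated MAC; unpadded octets (0:0:b0:...) are accepted."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6:
        raise ValueError(f"expected 6 octets, got {len(parts)}: {text!r}")
    octets = []
    for part in parts:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", part):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        octets.append(int(part, 16))
    return bytes(octets)


def classify(text):
    """Return the lookup prefix and the flag bits carried in the first octet."""
    mac = parse_mac(text)
    group = bool(mac[0] & 0x01)   # I/G bit: set for multicast/broadcast
    local = bool(mac[0] & 0x02)   # U/L bit: set for locally administered
    # Vendor lookups must use the prefix with the I/G bit cleared, otherwise
    # a vendor's multicast traffic never matches its assigned prefix.
    prefix = bytes([mac[0] & 0xFE, mac[1], mac[2]])
    oui = ":".join(f"{b:02X}" for b in prefix)
    # A locally administered address carries no assigned prefix at all.
    vendor = None if local else KNOWN_OUIS.get(oui)
    return {"oui": oui, "group": group, "local": local, "vendor": vendor}


if __name__ == "__main__":
    # Constructed sample addresses, as they might appear in a capture.
    for sample in ("00:00:B0:12:34:56", "01:00:B0:00:00:01",
                   "0:0:b0:a:b:c", "02:00:00:00:00:01"):
        print(sample, classify(sample))
```
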


