
MAC Locally administered address - Resolved names

Hello,

I recently found out about the concept of locally vs. universally administered MAC addresses.

When analyzing a Wireshark trace from my WiFi, which captured my iPhone connecting to the network, I noticed that the phone used a locally administered MAC address for some ARP messages, but the resolved name shown by Wireshark was MS-NLB-PhysServer (nothing to do with an iPhone, I guess...).

After reading on the web I thought that this resolution comes from some default Wireshark lookup tables, like the manuf file. However, I could not find such an entry in that file. Neither in the ethers file, the other place where resolution can be defined.

So I wonder where such name resolution comes from, and whether there is any other configuration file in Wireshark that defines it.

As a bonus question :-)... If somebody could explain why I see the iPhone using two different MAC addresses (one is the universal/BIA and the other one is this locally administered MAC) it would be great. By the way, the two source MAC addresses are obviously related, since they have the same last 6 digits, as in the example below:

  • Universal BIA => a8:be:27:xx:yy:zz
  • Local => 02:0f:b5:xx:yy:zz

Thanks!

x70teo
asked 2019-02-09 05:56:04 +0000, updated 2019-02-09 07:34:50 +0000

1 Answer


These resolutions come from the well-known-addresses file, called 'wka'. And if it was 02:0F:B5:xx:yy:zz it must have said 'MS-NLB-VirtServer'. As for the use of the MAC addresses in ARP messages, you would have to specify where in the ARP message they occurred.

Jaap
answered 2019-02-09 08:24:15 +0000

Comments

Jaap, thanks a lot for pointing me in the right direction, I was not aware of this wka file.

I checked it and the mapping is coherent with what I see in the trace. There is no specific entry for 02:0f:b5 and the closest one is:

02-0f-00-00-00-00/16 MS-NLB-PhysServer-15

It seems that all the 02-... entries only differentiate on the first 4 digits, so I have no specific mapping.

And in my table 'MS-NLB-VirtServer' is mapped to 02-BF-..., not to 02-0F.

Anyway, in the end this is just a mapping and you solved my question, as I could not explain where the mapping was coming from.

As for the use of this locally administered MAC address, I had a better look at the trace and this is what I noticed:

  • when the iPhone connects to the main SSID it uses its BIA address

  • when the iPhone connects to the ...

x70teo (2019-02-09 09:26:36 +0000)

You're right (didn't have coffee yet :) ). It matches Server-15, not the virtual server address. Note the netmask (/16) after the address, which signifies how many leading bits are relevant. Devices may use these addresses to obfuscate their identity, to hamper tracking.

Jaap (2019-02-09 10:42:03 +0000)

Devices may use these addresses to obfuscate their identity, to hamper tracking.

That's exactly what iOS is doing; see, for example, this iMore article.

Guy Harris (2019-02-10 03:31:58 +0000)
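To make the /16 prefix matching discussed above concrete, here is an added Python example (not Wireshark's own code): it parses entries written in the style of the wka file, picks the longest matching prefix for an address, and reads the U/L bit that marks a locally administered address. The sample entries and the full addresses standing in for the redacted xx:yy:zz are constructed.

```python
import re

# Constructed sample in the style of Wireshark's wka file ("prefix/bits name").
# The 02-0f line is the one quoted in the comments; the 02-bf line is the
# MS-NLB-VirtServer entry the answer refers to.
WKA_SAMPLE = """\
# comment lines and blank lines are ignored
02-0f-00-00-00-00/16 MS-NLB-PhysServer-15
02-bf-00-00-00-00/16 MS-NLB-VirtServer
"""

# Constructed full addresses standing in for the redacted xx:yy:zz in the question.
UNIVERSAL_MAC = "a8:be:27:12:34:56"
LOCAL_MAC = "02:0f:b5:12:34:56"


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the 48-bit value."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def prefix_mask(nbits: int) -> int:
    """Bit mask covering the leading nbits of a 48-bit address."""
    return ((1 << nbits) - 1) << (48 - nbits)


def parse_wka(text: str) -> list:
    """Return (prefix, nbits, name) tuples; an entry without /bits is a full match."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, name = line.split(None, 1)
        addr, _, bits = addr.partition("/")
        nbits = int(bits) if bits else 48
        entries.append((mac_to_int(addr) & prefix_mask(nbits), nbits, name.strip()))
    return entries


def resolve(mac: str, entries: list):
    """Name of the longest matching prefix, or None when no entry covers the address."""
    value = mac_to_int(mac)
    hits = [(n, name) for p, n, name in entries if value & prefix_mask(n) == p]
    return max(hits)[1] if hits else None


def is_locally_administered(mac: str) -> bool:
    """The U/L bit is bit 1 of the first octet: 0x02 set means locally administered."""
    return bool((mac_to_int(mac) >> 40) & 0x02)
```

Because only the leading 16 bits are compared, every 02:0f:xx:xx:xx:xx address resolves to the same name, which is exactly what the trace showed.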