Strange MAC address on Belkin AP

I have an 802.11b network based on a Belkin F5D6130v2 AP. I've been
monitoring the network with KisMAC, using a Buffalo Airstation (MELCO)
WLI-PCM-L11 PC Card with Prism2 drivers in passive mode. Everything
works fine, but KisMAC reports an unexpected client address (MAC
address 00-0A-42-xx-xx-xx, ie: a Cisco address) in addition to the
Belkin AP (MAC address 00-30-BD-xx-xx-xx) and my known clients.

Judging by signal strength and traffic volumes this unexpected address
appears also to be representing the Belkin AP. In fact, the majority
of traffic volume I would expect to be handled by the AP is actually
shown against this alternative address rather than the Belkin address,
although there is still a significant amount of traffic (around 20%)
from the latter.

Can anyone tell me what's going on here? Why would the Belkin AP have
a Cisco address in addition to its own? What is each address used for?

Cahad.

On Tue, 24 Aug 2004 13:41:08 GMT, Cahaddras
<(E-Mail Removed)> wrote:

>I have an 802.11b network based on a Belkin F5D6130v2 AP. I've been
>monitoring the network with KisMAC, using a Buffalo Airstation (MELCO)
>WLI-PCM-L11 PC Card with Prism2 drivers in passive mode. Everything
>works fine, but KisMAC reports an unexpected client address (MAC
>address 00-0A-42-xx-xx-xx, ie: a Cisco address) in addition to the
>Belkin AP (MAC address 00-30-BD-xx-xx-xx) and my known clients.

Well, if you turn off your Belkin router and local radios, is the
Cisco MAC address still there? You might be picking up a neighbors
LAN. Just because it's moving traffic doesn't mean that it's moving
the traffic through your access point. Pull the plug and make sure.

>Judging by signal strength and traffic volumes this unexpected address
>appears also to be representing the Belkin AP.

Assumption, the mother of all screwups. Unless I'm missing something,
traffic volume and signal strength do not indicate connectivity.

You should be able to do some direction finding. Use a flat plate
reflector or some directional antenna to determine the direction by
signal strength.

>In fact, the majority
>of traffic volume I would expect to be handled by the AP is actually
>shown against this alternative address rather than the Belkin address,
>although there is still a significant amount of traffic (around 20%)
>from the latter.

Unless you're monitoring the access points traffic, there is no way I
could determine that the traffic is going through the Belkin from an
over the air wireless sniffer.

If all your known MAC addresses are accounted for, then it's a fair
guess that the mystery MAC address is coming from a nearby radio.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558

Just had a sudden spark of inspiration (rare!) and guessed that the
Cisco MAC address might be behind (ie: on the ethernet side of) the
Belkin AP. Sure enough, it turns out to be the MAC address of my ISP's
router.

So my question now is: why is the ISP router showing as a wireless
client?! And why is traffic split between this 'client' and the Belkin
AP itself?

Cahad.


On 2004-08-24 14:41:08 +0100, Cahaddras <(E-Mail Removed)> said:

> I have an 802.11b network based on a Belkin F5D6130v2 AP. I've been
> monitoring the network with KisMAC, using a Buffalo Airstation (MELCO)
> WLI-PCM-L11 PC Card with Prism2 drivers in passive mode. Everything
> works fine, but KisMAC reports an unexpected client address (MAC
> address 00-0A-42-xx-xx-xx, ie: a Cisco address) in addition to the
> Belkin AP (MAC address 00-30-BD-xx-xx-xx) and my known clients.
>
> Judging by signal strength and traffic volumes this unexpected address
> appears also to be representing the Belkin AP. In fact, the majority
> of traffic volume I would expect to be handled by the AP is actually
> shown against this alternative address rather than the Belkin address,
> although there is still a significant amount of traffic (around 20%)
> from the latter.
>
> Can anyone tell me what's going on here? Why would the Belkin AP have
> a Cisco address in addition to its own? What is each address used for?
>
> Cahad.

No, I don't think it's a neighbour's client - if I switch off the AP,
then the Cisco address disappears as well, and it re-appears when I
switch it back on.

Please note that the Belkin F5D6130 AP is a bridge, not a router (I use
a wireless Mac as a router/firewall). I guess that KisMAC is seeing
packets from my ISP router's MAC address forwarded by the bridge and is
treating these as coming from a separate client in the same network.
Thing is though, in that case what's the traffic directly from the AP's
MAC address? I think I might just be misunderstanding what KisMAC is
reporting...

Cahad.


On 2004-08-24 17:42:39 +0100, Jeff Liebermann
<(E-Mail Removed)> said:

> On Tue, 24 Aug 2004 13:41:08 GMT, Cahaddras
> <(E-Mail Removed)> wrote:
>
>> I have an 802.11b network based on a Belkin F5D6130v2 AP. I've been
>> monitoring the network with KisMAC, using a Buffalo Airstation (MELCO)
>> WLI-PCM-L11 PC Card with Prism2 drivers in passive mode. Everything
>> works fine, but KisMAC reports an unexpected client address (MAC
>> address 00-0A-42-xx-xx-xx, ie: a Cisco address) in addition to the
>> Belkin AP (MAC address 00-30-BD-xx-xx-xx) and my known clients.
>
> Well, if you turn off your Belkin router and local radios, is the
> Cisco MAC address still there? You might be picking up a neighbors
> LAN. Just because it's moving traffic doesn't mean that it's moving
> the traffic through your access point. Pull the plug and make sure.
>
>> Judging by signal strength and traffic volumes this unexpected address
>> appears also to be representing the Belkin AP.
>
> Assumption, the mother of all screwups. Unless I'm missing something,
> traffic volume and signal strength do not indicate connectivity.
> You should be able to do some direction finding. Use a flat plate
> reflector or some directional antenna to determine the direction by
> signal strength.
>> In fact, the majority of traffic volume I would expect to be handled by
>> the AP is actually shown against this alternative address rather than
>> the Belkin address, although there is still a significant amount of
>> traffic (around 20%) from the latter.
>
> Unless you're monitoring the access points traffic, there is no way I
> could determine that the traffic is going through the Belkin from an
> over the air wireless sniffer.
> If all your known MAC addresses are accounted for, then it's a fair
> guess that the mystery MAC address is coming from a nearby radio.

Cahaddras wrote:
> Just had a sudden spark of inspiration (rare!) and guessed that the
> Cisco MAC address might be behind (ie: on the ethernet side of) the
> Belkin AP. Sure enough, it turns out to be the MAC address of my ISP's
> router.

Your Belkin AP will act as a network bridge, and forward all traffic
from your wired ethernet backbone onto the wireless LAN. Packets coming
out of the ISPs Cisco and heading for your PC will be bridged onto the
wireless LAN and therefore show up when you sniff the network. Just
tried this on mine, and I can see my router's MAC cropping up in the
ethereal traces. Presumably you don't have anything routing between you
and the ISPs Cisco.