Vendor: "(fake)" MAC: "000000000000" ?

I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering.
There are two laptops in the house, one a Sony VAIO with a Linksys CardBus
wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
2200BG minicard (driver v 9.0.1.9).

Since my connectivity on the HP has been somewhat flakey (801.11g), I
frequently fire up NetStumbler just to see what's up. Lately I have noticed
another apparent connection at my same SSID and channel (1), but with the
NetStumbler info:
Vendor: "(fake)" MAC: "000000000000"

My guess is that the one laptop is just seeing the other laptop somehow as
it talks back to the router; but it does make me nervous. Is this normal?

Thanks for your feedback!



~Nemo

Nemo Oudeheis wrote:

>I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering.
>There are two laptops in the house, one a Sony VAIO with a Linksys CardBus
>wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
>2200BG minicard (driver v 9.0.1.9).
>
>Since my connectivity on the HP has been somewhat flakey (801.11g), I
>frequently fire up NetStumbler just to see what's up. Lately I have noticed
>another apparent connection at my same SSID and channel (1), but with the
>NetStumbler info:
>Vendor: "(fake)" MAC: "000000000000"
>
>My guess is that the one laptop is just seeing the other laptop somehow as
>it talks back to the router; but it does make me nervous. Is this normal?
>
>Thanks for your feedback!
>
>
>
>~Nemo
>
>
>
>
Don't know if it will help, but at work I have a linux samba server
running as a service on a Win XP system with a bridged connection. The
bridged connection appears as a zero MAC address.

fwiw
Distant neighbor here had netgear AP showing in nStumbler and recently
changed his mac#'s and now his AP shows as Fake with same ssid name.

In article <4K1Zd.25741$(E-Mail Removed)>, Jerry Park wrote:

>Nemo Oudeheis wrote:
>
>>I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering.
>>There are two laptops in the house, one a Sony VAIO with a Linksys CardBus
>>wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
>>2200BG minicard (driver v 9.0.1.9).

The assumption is that the O/P is running some version of windoze. Does the
command "ipconfig /all" on each box show it's own MAC address?

>Don't know if it will help, but at work I have a linux samba server
>running as a service on a Win XP system with a bridged connection. The
>bridged connection appears as a zero MAC address.

First three octets "00:00:00:" is a valid OUI - it's assigned to
Xerox. However, that block was used for the experimental 3 MHz Ethernet
that preceded 10Base5 also known as ThickNet. In theory, the very first
Ethernet interface ever made might have been serial number zero (giving
the MAC address of 00:00:00:00:00:00), but that was in the mid-late 1970s.
There was still a single 3 MHz network at PARC as late as 1995, but I
think the last host on that net was shipped to a museum in 1996 or 1997.

A much more probable answer is that all you are seeing with an all zero MAC
is that the application can't figure out the address and is giving an empty
answer.

Old guy

"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <4K1Zd.25741$(E-Mail Removed)>, Jerry Park
> wrote:
>
>>Nemo Oudeheis wrote:
>>
>>>I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC
>>>filtering.
>>>There are two laptops in the house, one a Sony VAIO with a Linksys
>>>CardBus
>>>wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
>>>2200BG minicard (driver v 9.0.1.9).
>
> The assumption is that the O/P is running some version of windoze. Does
> the
> command "ipconfig /all" on each box show it's own MAC address?
I apologize for my Windo-centricity. One laptop is XP Pro, the other CP
Home. All
devices on my lan appear to have valid MAC addresses. I have a network
bridge
defined, but it's disabled.
>
>>Don't know if it will help, but at work I have a linux samba server
>>running as a service on a Win XP system with a bridged connection. The
>>bridged connection appears as a zero MAC address.
>
> First three octets "00:00:00:" is a valid OUI - it's assigned to
> Xerox. However, that block was used for the experimental 3 MHz Ethernet
> that preceded 10Base5 also known as ThickNet. In theory, the very first
> Ethernet interface ever made might have been serial number zero (giving
> the MAC address of 00:00:00:00:00:00), but that was in the mid-late 1970s.
> There was still a single 3 MHz network at PARC as late as 1995, but I
> think the last host on that net was shipped to a museum in 1996 or 1997.
Knowing that the first three octets specify the manufacturer or vendor, one
can
then infer that NetStumbler provided the string "(fake)", because it was
missing
from its vendor table.
>
> A much more probable answer is that all you are seeing with an all zero
> MAC
> is that the application can't figure out the address and is giving an
> empty
> answer.
I guess the real question is, what is generating the apparently spurious
"connection"? Being a bit paranoid, when I first saw this entry, I
suspected
someone might be trying to break in.

Maybe my "disabled" bridge is leaking? The signal strength was about 10dB
below that of my router.
>
> Old guy
>

In article <UlHZd.26980$(E-Mail Removed) >,
Nemo Oudeheis wrote:

>"Moe Trin" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .

>> First three octets "00:00:00:" is a valid OUI - it's assigned to
>> Xerox.

>Knowing that the first three octets specify the manufacturer or vendor,
>one can then infer that NetStumbler provided the string "(fake)", because
>it was missing from its vendor table.

[compton ~]$ zgrep -c '^[0-F][0-F][0-F]' MACaddresses.gz
8063
[compton ~]$ ls -Ll MACaddresses.gz
-rw-r--r-- 1 root root 402678 Feb 19 20:59 MACaddresses.gz
[compton ~]$

What that is saying is that there are 8063 blocks assigned as of February
19th. So, it's not entirely unlikely that NetStumbler lacks the full OUI
table. Even when compressed, the file is 400K, although if you want only
the MAC and company name, it's about a sixth that size. What may be more
likely is noting the address is _all_ zeros. That positively SCREAMS fake.

>I guess the real question is, what is generating the apparently spurious
>"connection"? Being a bit paranoid, when I first saw this entry, I
>suspected someone might be trying to break in.

I suppose it's possible. I'd yield to Jeff Liebermann's opinion on that.
I'm more used to hardwired networks, as I've been working with them for
over 25 years.

Old guy

bumtracks wrote:
> fwiw
> Distant neighbor here had netgear AP showing in nStumbler and recently
> changed his mac#'s and now his AP shows as Fake with same ssid name.
>
>

that sounds plausible.. Another couple of wireless networks recently
popped up in my neighbourhood. One of them showed up as with the zero
mac address.. It was something to do with the other access points rather
than mine cause it didnt go away when i unplugged mine or changed the
channel that mine operated on.

I haven't seen a MAC of all zeroes, but I have seen a MAC with an OUI (first
three
octets) of all zeroes: 00.00.00-00.38.39. Everything about the entry in
NetStumbler was bogus.
The icon was for a wired Ethernet, the SSID and channel were blank, SNR was
514, flags 0x80ed,
and the beacon interval was 22432. I surmise that NetStumbler has
misinterpreted some other
frame for a beacon frame or a probe response frame.

Similarly I saw a MAC of 78.11.1c-9c.00.13. The icon was a normal circle,
but the channel
showed [257] (yes, with the brackets), the SNR was -720, flags equal 0000,
and the beacon
interval was 10. The IEEE says there's no such OUI (see:
http://standards.ieee.org/regauth/oui/index.shtml).

Finally, I saw an entry which I surmise to be valid, but I don't think that
the NetStumbler
documentation describes. The icon is for a wired Ethernet, and this time I
believe that
this is the correct interpretation. How can I be detected a wired AP?
Because the entry
below (before) it is for a wireless AP on the same network. Apparently the
AP that shows
as wired has sent some 802.11 management frames through the Distribution
System (DS) to
the AP that shows as wireless, and the wireless (poetic license) AP has
forwarded this frame.
I'll have to read more on this to be certain, but that might be difficult
since there is no
standard yet for the DS, wireless or otherwise (although 802.11F is in the
works).
For this wired AP, NetStumbler shows no channel, speed, type, SNR, or beacon
interval. It
shows flags of 0000, IP addr, subnet, SSID, AP name, and vendor.

Ron Bandes
CCNP, CISSP, CTT+, etc.

"Nemo Oudeheis" <(E-Mail Removed)> wrote in message
news:kS0Zd.7019$(E-Mail Removed) ...
>I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC
>filtering. There are two laptops in the house, one a Sony VAIO with a
>Linksys CardBus wireless adapter and the other a HP Pavilion zt3000 with a
>built-in Intel 2200BG minicard (driver v 9.0.1.9).
>
> Since my connectivity on the HP has been somewhat flakey (801.11g), I
> frequently fire up NetStumbler just to see what's up. Lately I have
> noticed another apparent connection at my same SSID and channel (1), but
> with the NetStumbler info:
> Vendor: "(fake)" MAC: "000000000000"
>
> My guess is that the one laptop is just seeing the other laptop somehow as
> it talks back to the router; but it does make me nervous. Is this normal?
>
> Thanks for your feedback!
>
>
>
> ~Nemo
>
>