
Vendor: "(fake)" MAC: "000000000000" ?

Author
13 Mar 2005 7:52 PM
Nemo Oudeheis
I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering.
There are two laptops in the house, one a Sony VAIO with a Linksys CardBus
wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
2200BG minicard (driver v 9.0.1.9).

Since my connectivity on the HP has been somewhat flakey (801.11g), I
frequently fire up NetStumbler just to see what's up.  Lately I have noticed
another apparent connection at my same SSID and channel (1), but with the
NetStumbler info:
Vendor: "(fake)" MAC: "000000000000"

My guess is that the one laptop is just seeing the other laptop somehow as
it talks back to the router; but it does make me nervous.  Is this normal?

Thanks for your feedback!



~Nemo

Author
13 Mar 2005 8:58 PM
Jerry Park
Nemo Oudeheis wrote:

>I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering.
>There are two laptops in the house, one a Sony VAIO with a Linksys CardBus
>wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
>2200BG minicard (driver v 9.0.1.9).
>
>Since my connectivity on the HP has been somewhat flakey (801.11g), I
>frequently fire up NetStumbler just to see what's up.  Lately I have noticed
>another apparent connection at my same SSID and channel (1), but with the
>NetStumbler info:
>Vendor: "(fake)" MAC: "000000000000"
>
>My guess is that the one laptop is just seeing the other laptop somehow as
>it talks back to the router; but it does make me nervous.  Is this normal?
>
>Thanks for your feedback!
>
>
>
>~Nemo
>
>

>
Don't know if it will help, but at work I have a linux samba server
running as a service on a Win XP system with a bridged connection. The
bridged connection appears as a zero MAC address.
Author
15 Mar 2005 3:33 AM
Moe Trin
In article <4K1Zd.25741$6g7.13***@bignews1.bellsouth.net>, Jerry Park wrote:

>Nemo Oudeheis wrote:
>
>>I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering.
>>There are two laptops in the house, one a Sony VAIO with a Linksys CardBus
>>wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
>>2200BG minicard (driver v 9.0.1.9).

The assumption is that the O/P is running some version of windoze. Does the
command "ipconfig /all" on each box show its own MAC address?

>Don't know if it will help, but at work I have a linux samba server
>running as a service on a Win XP system with a bridged connection. The
>bridged connection appears as a zero MAC address.

First three octets "00:00:00:" is a valid OUI - it's assigned to
Xerox.  However, that block was used for the experimental 3 MHz Ethernet
that preceded 10Base5 also known as ThickNet.  In theory, the very first
Ethernet interface ever made might have been serial number zero (giving
the MAC address of 00:00:00:00:00:00), but that was in the mid-late 1970s.
There was still a single 3 MHz network at PARC as late as 1995, but I
think the last host on that net was shipped to a museum in 1996 or 1997.

A much more probable answer is that all you are seeing with an all zero MAC
is that the application can't figure out the address and is giving an empty
answer.

        Old guy
Author
15 Mar 2005 8:13 PM
Nemo Oudeheis
"Moe Trin" <ibupro***@painkiller.example.tld> wrote in message
news:slrnd3clra.tct.ibuprofin@compton.phx.az.us...
> In article <4K1Zd.25741$6g7.13***@bignews1.bellsouth.net>, Jerry Park wrote:
>
>>Nemo Oudeheis wrote:
>>
>>>I am running a Linksys WRT54G (firmware v3.01.3) with WAP and MAC filtering.
>>>There are two laptops in the house, one a Sony VAIO with a Linksys CardBus
>>>wireless adapter and the other a HP Pavilion zt3000 with a built-in Intel
>>>2200BG minicard (driver v 9.0.1.9).
>
> The assumption is that the O/P is running some version of windoze. Does
> the command "ipconfig /all" on each box show its own MAC address?

I apologize for my Windo-centricity.  One laptop is XP Pro, the other CP
Home.  All devices on my lan appear to have valid MAC addresses.  I have a
network bridge defined, but it's disabled.
>
>>Don't know if it will help, but at work I have a linux samba server
>>running as a service on a Win XP system with a bridged connection. The
>>bridged connection appears as a zero MAC address.
>
> First three octets "00:00:00:" is a valid OUI - it's assigned to
> Xerox.  However, that block was used for the experimental 3 MHz Ethernet
> that preceded 10Base5 also known as ThickNet.  In theory, the very first
> Ethernet interface ever made might have been serial number zero (giving
> the MAC address of 00:00:00:00:00:00), but that was in the mid-late 1970s.
> There was still a single 3 MHz network at PARC as late as 1995, but I
> think the last host on that net was shipped to a museum in 1996 or 1997.

Knowing that the first three octets specify the manufacturer or vendor, one
can then infer that NetStumbler provided the string "(fake)", because it was
missing from its vendor table.
>
> A much more probable answer is that all you are seeing with an all zero
> MAC is that the application can't figure out the address and is giving an
> empty answer.

I guess the real question is, what is generating the apparently spurious
"connection"?  Being a bit paranoid, when I first saw this entry, I
suspected someone might be trying to break in.

Maybe my "disabled" bridge is leaking?  The signal strength was about 10dB
below that of my router.
>
>        Old guy
>
Author
17 Mar 2005 12:48 AM
Moe Trin
In article <UlHZd.26980$wl4.714***@twister.southeast.rr.com>,
Nemo Oudeheis wrote:

>"Moe Trin" <ibupro***@painkiller.example.tld> wrote in message
>news:slrnd3clra.tct.ibuprofin@compton.phx.az.us...

>> First three octets "00:00:00:" is a valid OUI - it's assigned to
>> Xerox.

>Knowing that the first three octets specify the manufacturer or vendor,
>one can then infer that NetStumbler provided the string "(fake)", because
>it was missing from its vendor table.

[compton ~]$ zgrep -c '^[0-F][0-F][0-F]' MACaddresses.gz
8063
[compton ~]$ ls -Ll MACaddresses.gz
-rw-r--r--   1 root     root       402678 Feb 19 20:59 MACaddresses.gz
[compton ~]$

What that is saying is that there are 8063 blocks assigned as of February
19th.   So, it's not entirely unlikely that NetStumbler lacks the full OUI
table. Even when compressed, the file is 400K, although if you want only
the MAC and company name, it's about a sixth that size. What may be more
likely is noting the address is _all_ zeros. That positively SCREAMS fake.

>I guess the real question is, what is generating the  apparently spurious
>"connection"?   Being a bit paranoid, when I first saw this entry, I
>suspected someone might be trying to break in.

I suppose it's possible. I'd yield to Jeff Liebermann's opinion on that.
I'm more used to hardwired networks, as I've been working with them for
over 25 years.

        Old guy
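
An added example, not part of any post in this thread and not NetStumbler's own logic: a small triage helper that separates the cases discussed above (an all-zero placeholder, an OUI missing from the lookup table, and an address with the locally-administered bit set). The table is a constructed sample; only the 00:00:00 to Xerox entry comes from the thread, and the function names are hypothetical.

```python
import re

# Constructed sample table. Only "000000" -> Xerox is taken from the thread;
# the second entry is a made-up placeholder, not a real registry record.
SAMPLE_OUI_TABLE = {
    "000000": "Xerox",
    "001122": "ExampleVendor (constructed)",
}


def normalize_mac(text):
    """Strip common separators and return 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits


def classify_mac(text, oui_table=SAMPLE_OUI_TABLE):
    """Return a dict with the OUI, vendor (or None) and a triage verdict."""
    mac = normalize_mac(text)
    first_octet = int(mac[0:2], 16)
    oui = mac[0:6]
    vendor = oui_table.get(oui)

    if mac == "0" * 12:
        # The OUI resolves, but an all-zero address is almost certainly a
        # placeholder written by software that had no real value to report.
        verdict = "placeholder"
    elif first_octet & 0x01:
        # I/G bit set: broadcast or multicast, never a station's own address.
        verdict = "group-address"
    elif first_octet & 0x02:
        # U/L bit set: assigned by software or an administrator, so no
        # vendor lookup applies.
        verdict = "locally-administered"
        vendor = None
    elif vendor is None:
        # Could be real hardware whose block is newer than the table.
        verdict = "vendor-unknown"
    else:
        verdict = "vendor-known"
    return {"mac": mac, "oui": oui, "vendor": vendor, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample addresses in the formats scanners commonly print.
    for sample in ["000000000000", "00-11-22-33-44-55",
                   "02:00:00:12:34:56", "00:de:ad:be:ef:01"]:
        print(classify_mac(sample))
```

A "vendor-unknown" result only means the table is incomplete or stale, which is why it is kept separate from the all-zero case.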
Author
14 Mar 2005 2:54 PM
bumtracks
fwiw
Distant neighbor here had netgear AP showing in nStumbler and recently
changed his mac#'s and now his AP shows as Fake with same ssid name.
Author
18 Mar 2005 3:12 AM
Phill Macey
bumtracks wrote:
> fwiw
> Distant neighbor here had netgear AP showing in nStumbler and recently
> changed his mac#'s and now his AP shows as Fake with same ssid name.
>
>

That sounds plausible. Another couple of wireless networks recently
popped up in my neighbourhood. One of them showed up with the zero
MAC address. It was something to do with the other access points rather
than mine, 'cause it didn't go away when I unplugged mine or changed the
channel that mine operated on.