Re: Unknown OUI's...

[Dan_Wood () 3com com]

You may want to try:

show mac-address-table address <MAC Address: XX.XX..XX.XX.XX.XX>

This should give you the interface.  Since the packets are unicast you may 
have had some sort of topology change.  This would cause the mac-address 
table aging to become very short (STP forwarding delay?) and cause 
flooding until convergence.  Normally, convergence would be somewhat short 
but it can take a long time if you have a flacky fiber run that are 
causing link up/downs (Topology changes).

Thanks,

Daniel Wood  Network Engineer | 3Com Corporation 
  þ 350 Campus Dr. M/S 2.5.258, Marlborough, MA 01752
  * Dan_Wood () 3Com com
  F Service and Support FAQ & Forums.




From:   <Tim.Poth () bentley com>
To:     <wireshark-users () wireshark org>
Date:   11/09/2009 10:26 AM
Subject:        Re: [Wireshark-users] Unknown OUI's...
Sent by:        wireshark-users-bounces () wireshark org




This looks like Crestron
http://www.crestron.com/products/show_products.asp?type=commercial
 
Heidelbe has a few more hits so good luck there
http://standards.ieee.org/cgi-bin/ouisearch
 
I am way out of date on my cisco but I think you can look at what mac 
addresses are attached to what ports, might take some time but should be 
able to track down the port, unplug it and wait for someone to complain 
about something not working.
 
Good luck 
tim
 
From: wireshark-users-bounces () wireshark org [
mailto:wireshark-users-bounces () wireshark org] On Behalf Of Phillip Nelson
Sent: Monday, November 09, 2009 10:14 AM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] Unknown OUI's...
 
I just experienced a Vlan saturation event where the following source and 
destination MAC address were in all the packets causing the saturation. 
Does anyone recognize the OUI's of these two addresses? I have tried to 
look them up and can't find them anywhere.
 
The network has a 6509 for its core and 30 switches connected by fiber. Of 
the 30 switches, 11 are 4003's. Of the 4003's, 5 were affected by the 
storm and only two were participating in the storm. The trace was taken 
from the Cisco 6509 and the two participating Cisco 4003's. The broadcast 
storm was exactly the same between the two switches. We have ruled out all 
devices connected to the switches. We cannot find the MAC addresses 
anywhere on the network. We stopped the storm by resetting all the ports 
on the two 4003's.
 
 
Heidelbe_ab:99:6f        Crestron_eb:ac:cf             0x883d Ethernet II
 
Phil Nelson
Arrow ECS
Infrastructure Engineer, Senior
28600 Fountain Pkwy
Solon, Ohio 44139
 
email- pnelson () arrow com
w-216-332-3405
c-330-524-0463
f- 440-498-5178
 
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             
mailto:wireshark-users-request () wireshark org?subject=unsubscribe


Please consider the environment before printing this e-mail.
________________
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster () 3com com.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe