SUMMARY: Surges in network packets

From: Charles R. Dennett (dennett@Kodak.COM)
Date: Wed Oct 14 1992 - 15:16:51 CDT


Thanks to those who responded and have yet to respond. Hal Stern was
the first to reply (why am I not surprised?) Second to respond was
Peter Samuel of New South Wales, Australia. (Ain't networks
wonderful?) Also heard from was birger@vest.sdata.no (Birger A. Wathne)
and Eckhard.Rueggeberg@ts.go.dlr.de. Thank you very much. A common
suggestion was to look at the arp table with arp -a. Now, why didn't I
think of that! Things are calm this morning so the arp table is of no
help.

As it turns out, the 9:0... ethernet address is really a multicast
address. I found RFC1060 -- Assigned Numbers. It lists some multicast
addresses but not the one I saw. The 0045 (hex, by the way) in
etherfind's proto field is really a length from an IEEE 802.3 frame.
According to Hal, "anything < 1516 (decimal) is probably an 802.3
length instead of a packet type. so i'd guess this is decnet, or maybe
appletalk." (Side issue. Are the protocol types etherfind displays --
tcp, udp, arp, Appletalk, etc., hardcoded into etherfind or can
etherfind use the NIS protocols map? I'll play with that after reading
the RFC and find out.)

That's close from what we can tell. Another person here was running
tcpdump and said that it looked like chooser info. From what she was
able to gather with tcpdump, and from decoding the aa:0:4 ethernet
addresses into DECnet addresses, we're at a loss to explain why we're
seeing these packets on our network segment. We know there are routers
between here and there and we figured these routers would not allow
this traffic onto our segment. Our corporate network is quite
complicated so there may be something misconfigured somewhere. In any
case, we've turned it over to our network people. That's what they're
here for.

Again, thanks for the help. If any new, startling discoveries occur, I'll
post an amendment to this summary.

Charles Dennett | Rochester Distributed Computer Services
Mail Stop 01816 | Customer Technical Support Services
Eastman Kodak Company | ---------------------------------------
Rochester, NY 14650-1816 | Internet: dennett@Kodak.COM
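
Added example, not part of the original post and not code from etherfind or tcpdump: a Python sketch of the three checks the summary walks through on a raw 14-byte Ethernet header (the multicast bit, reading the 0045 field as a length rather than a type, and decoding an aa:0:4 address into DECnet area.node). The sample addresses are constructed, the function names are hypothetical, and the length/type boundaries are the IEEE 802.3 ones (1500 and below is a length, 0x0600 and above is a type).

```python
import struct

# DECnet Phase IV stations use MAC addresses of the form AA-00-04-00-xx-yy.
DECNET_PREFIX = bytes.fromhex("aa000400")


def is_multicast(mac: bytes) -> bool:
    """Group (multicast) bit is the least-significant bit of the first octet."""
    return bool(mac[0] & 0x01)


def decnet_address(mac: bytes):
    """Return 'area.node' for a DECnet Phase IV MAC address, else None."""
    if len(mac) != 6 or mac[:4] != DECNET_PREFIX:
        return None
    addr = mac[4] | (mac[5] << 8)          # last two octets, low byte first
    return f"{addr >> 10}.{addr & 0x3FF}"  # 6-bit area, 10-bit node


def classify_field(value: int) -> str:
    """Interpret the two octets that follow the source address."""
    if value <= 1500:
        return "802.3 length"
    if value >= 0x0600:
        return "Ethernet II type"
    return "undefined"


def describe(header: bytes) -> dict:
    """Summarise destination, source and type/length of an Ethernet header."""
    if len(header) < 14:
        raise ValueError("need at least 14 bytes of Ethernet header")
    dst, src = header[:6], header[6:12]
    (field,) = struct.unpack("!H", header[12:14])
    return {
        "dst_multicast": is_multicast(dst),
        "src_decnet": decnet_address(src),
        "field_value": field,
        "field_kind": classify_field(field),
    }


# Constructed sample: multicast destination (first octet 09), DECnet source
# for area 1 node 1, and 0x0045 in the type/length position.
SAMPLE = bytes.fromhex("090000000001" "aa0004000104" "0045")

if __name__ == "__main__":
    print(describe(SAMPLE))
```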


