Wierd packets on Sonicwall

I see some wierd ethernet packets on my packet monitor in the sonicwall..

Ethernet Header
 Ether Type: 0x32(0x32), Src=[00:1e:f6:c2:1b:15], Dst=[01:00:0c:cc:cc:cd]
Ethernet Type: Unknown
Value:[0]
DROPPED, Drop Code: 1, Module Id: 17, (Ref.Id: _2101_kprwvJqqm) 1:1)

Anybody an idea where this could be comming from?
LVL 1
socom1985Asked:
Who is Participating?
 
rfc1180Commented:
IP Protocols are not at layer 2, but layer 3, so the EtherType will never be 0x32

Well, what you are seeing is layer 2 traffic and you should NOT see 0x32 in the EtherType, typical values will be ARP and IP (0x0806, 0x0800)

Ether Type: 0x32(0x32), Src=[00:1e:f6:c2:1b:15], Dst=[01:00:0c:cc:cc:cd]
Ethernet Type: Unknown
Value:[0]

The reason you are seeing 'Unknown' is that there is no EtherType of 0x32:
http://www.cavebear.com/archive/cavebear/Ethernet/type.html

The fact that the destination MAC is 01:00:0c:cc:cc:cd and that the EtherType is 0x32 is a host is crafting packets with this information or you are running into some time of bug on the firewall or something else in the path between the host and firewall; additionally, as already stated, the malformed packet is from a hardware issue from a device in path.

If the MAC is not being spoofed, you will need to log into your switches and locate which switchport the mac is located on:
00:1e:f6:c2:1b:15

Billy
0
 
Greg HejlPrincipal ConsultantCommented:
find out what devices belong to the MAC addresses

also search Sonicwall site for drop code table for your firmware version - (do not use tables from other firmware versions)

Ether Type 0x32 appears to be IPSec ESP packet - SW should recognize ESP unless it is a malformed packet...

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers 
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.