Wireshark-users: Re: [Wireshark-users] Unknown OUI's...
Date: Mon, 9 Nov 2009 10:41:14 -0500
You may want to try:

show mac-address-table address <MAC Address: XX.XX..XX.XX.XX.XX>

This should give you the interface.  Since the packets are unicast you may have had some sort of topology change.  This would cause the mac-address table aging to become very short (STP forwarding delay?) and cause flooding until convergence.  Normally, convergence would be somewhat short but it can take a long time if you have a flacky fiber run that are causing link up/downs (Topology changes).

Thanks,

Daniel Wood  Network Engineer | 3Com Corporation
  þ 350 Campus Dr. M/S 2.5.258, Marlborough, MA 01752
  * Dan_Wood@xxxxxxxx
  F Service and Support FAQ & Forums.




From:        <Tim.Poth@xxxxxxxxxxx>
To:        <wireshark-users@xxxxxxxxxxxxx>
Date:        11/09/2009 10:26 AM
Subject:        Re: [Wireshark-users] Unknown OUI's...
Sent by:        wireshark-users-bounces@xxxxxxxxxxxxx





This looks like Crestron
http://www.crestron.com/products/show_products.asp?type=commercial
 
Heidelbe has a few more hits so good luck there
http://standards.ieee.org/cgi-bin/ouisearch
 
I am way out of date on my cisco but I think you can look at what mac addresses are attached to what ports, might take some time but should be able to track down the port, unplug it and wait for someone to complain about something not working.
 
Good luck
tim
 
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Phillip Nelson
Sent:
Monday, November 09, 2009 10:14 AM
To:
wireshark-users@xxxxxxxxxxxxx
Subject:
[Wireshark-users] Unknown OUI's...

 
I just experienced a Vlan saturation event where the following source and destination MAC address were in all the packets causing the saturation. Does anyone recognize the OUI's of these two addresses? I have tried to look them up and can't find them anywhere.
 
The network has a 6509 for its core and 30 switches connected by fiber. Of the 30 switches, 11 are 4003's. Of the 4003's, 5 were affected by the storm and only two were participating in the storm. The trace was taken from the Cisco 6509 and the two participating Cisco 4003's. The broadcast storm was exactly the same between the two switches. We have ruled out all devices connected to the switches. We cannot find the MAC addresses anywhere on the network. We stopped the storm by resetting all the ports on the two 4003's.
 
 
Heidelbe_ab:99:6f        Crestron_eb:ac:cf             0x883d              Ethernet II
 
Phil Nelson
Arrow ECS
Infrastructure Engineer, Senior
28600 Fountain Pkwy
Solon, Ohio 44139
 
email- pnelson@xxxxxxxxx
w-216-332-3405
c-330-524-0463
f- 440-498-5178
 ___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    
http://www.wireshark.org/lists/wireshark-users
Unsubscribe:
https://wireshark.org/mailman/options/wireshark-users
           
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
Please consider the environment before printing this e-mail.
________________
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any 
recipient is prohibited.  If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@xxxxxxxx.