Seemingly random mutations of the original MAC address as below:

18:56:80:7e:0d:29 - how many interfaces can one device have?

18:56:80:7e:ad:05 - Are there so many additional devices from the same manufacturer nearby, that were somehow missed during the “Devices Near Me” scans I mentioned above? It’s possible, but unlikely.

00:56:80:7e:0d:c9 - Prefix changed twice, once to 19:56 and again to 00:56. Though AFAIK usually 3 octets are changed, not just 1. This could happen when packets pass through range extenders. This could be valid, if the device has multiple network interfaces with slightly modified MAC addresses.

19:56:80:7e:0d:c9 - where the first N octets are changed.

Now to the issue: I'm seeing in the Wireshark logs several mutated versions of the MAC addresses of my devices and my neighbours' devices.

By mutated, I mean that if 18:56:80:7e:0d:c9 is a valid MAC address, then I'm seeing the following variants in source/destination or transmitter/receiver addresses of observed packets in Wireshark:

18:56:80:7e:0d:49 - where only the last 1 or 2 octets are changed.

However, only the first 1000 rows (out of 169,242) have been formatted in any manner at all, to keep performance reasonable. The same are colored green in the primary Conversation sheet. Valid devices I have seen during "Devices Near Me" scans from Wi-Fi management apps on Android are listed in the "Device_Validity" sheet.

I have subsequently saved the list of "Conversations" as provided by Wireshark as a Google Sheet, shared below for reference and analysis. I opened Statistics > Conversations in Wireshark to see all MAC addresses that had been talking to each other over Wi-Fi. I captured 2.5 million packets over 3 hours using Wireshark in monitor mode, on a single channel on the 802.11ac 5GHz spectrum, channel 36.
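One way to triage the variants described in the post across a large Conversations export, as an added example that is not part of the original post: each observed address is compared with its closest known-valid address, reporting which octets and how many bits differ. The function names, the category boundaries and the `max_octets` cutoff are assumptions; the addresses are the ones quoted in the post, plus one constructed address for contrast.

```python
# Added example (not from the original post): triage observed MAC addresses
# against a list of known-valid ones. Names and thresholds are assumptions.

def parse_mac(mac):
    """Return the six octets of a colon-separated MAC as a tuple of ints."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return tuple(int(p, 16) for p in parts)

def changed_octets(a, b):
    """Indexes (0-5) of the octets that differ between two parsed MACs."""
    return [i for i in range(6) if a[i] != b[i]]

def changed_bits(a, b):
    """Number of differing bits between two parsed MACs."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def classify(observed, valid_macs, max_octets=2):
    """Compare one observed MAC with its closest known-valid MAC."""
    obs = parse_mac(observed)
    valid = [parse_mac(v) for v in valid_macs]
    if obs in valid:
        return {"mac": observed, "kind": "valid"}
    near = min(valid, key=lambda v: (len(changed_octets(obs, v)), changed_bits(obs, v)))
    pos = changed_octets(obs, near)
    if len(pos) > max_octets:
        kind = "unrelated"          # too different to call a variant
    elif all(p >= 4 for p in pos):
        kind = "suffix"             # only the last 1 or 2 octets differ
    elif all(p <= 2 for p in pos):
        kind = "prefix"             # only octets in the first three (OUI) differ
    else:
        kind = "other"
    return {"mac": observed, "kind": kind,
            "nearest": ":".join(f"{o:02x}" for o in near),
            "octets_changed": pos, "bits_changed": changed_bits(obs, near),
            # lowest bit of the first octet marks a group (multicast) address
            "group_bit": bool(obs[0] & 0x01)}

# Addresses quoted in the post; the last one is constructed for contrast.
VALID = ["18:56:80:7e:0d:c9"]
OBSERVED = ["18:56:80:7e:0d:49", "18:56:80:7e:0d:29", "18:56:80:7e:ad:05",
            "19:56:80:7e:0d:c9", "00:56:80:7e:0d:c9", "18:56:80:7e:0d:c9",
            "a4:11:62:03:9b:e0"]

if __name__ == "__main__":
    for mac in OBSERVED:
        print(classify(mac, VALID))
```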