[CentOS] weird mac address

Mon Oct 26 08:34:08 UTC 2009
Janez Kosmrlj <postnalista at googlemail.com>

Hi,
I have an interesting problem. I have a CentOS server connected to our DMZ
zone. For security reasons our network department limited the number of MAC
addresses that can connect to the port on the switch. And since we are
running VMware Server on top of CentOS and a Windows virtual machine inside
of it, the number of MAC addresses that can connect to this port is two, or
the switch blocks all traffic on this port. And now comes the problem. The
port blocks almost immediately. After some investigation we found out that
we actually have 3 addresses communicating from this port. One that belongs
to eth-0 and is IBM-specific (the server is an IBM x3550 and every MAC
starts with the vendor code), one that belongs to the virtual machine and is
VMware-specific, and then we have another MAC address that is IBM-specific.

I can't find where this traffic comes from. I traced the traffic with
Wireshark and found that this MAC address creates a DHCP discover every 64
seconds. I first checked if this MAC address could be from the second network
card, which is not connected with a cable nor is the device enabled, but it
isn't, and the mystery MAC is completely different from the network cards'
MACs in the last 6 characters (the two on-board cards' MACs differ
only in the last character). Then I tried searching the logs and /etc for
any occurrence of this MAC address, but I can't find anything. Then we tried
to isolate the server, so I connected it directly to my laptop and ran the
trace again to see if this packet comes from outside and is then redirected
back out on VMware's virtual switch (since it's a broadcast packet, this
could be somehow possible). But everything indicates that these packets are
generated on this server.

In the meantime we increased the number of MAC addresses to 3, but after a
while we got a packet from a fourth IBM MAC address that again doesn't
belong anywhere. It was similar to the mystery MAC (it was only different in
the last two characters) and the switch blocked the port in the middle of
the night, but this was a one-time occurrence for now.

Does anyone have an idea what is happening or where I should look for the
mystery MAC address?

thanx

Janez
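The diagnostic the post describes, written out as an added example (not code from the original thread or from the poster): take a capture from the switch port, pick out DHCP Discover frames (BOOTP over UDP 68 to 67 with option 53 = 1), group them by Ethernet source MAC, compute the interval between Discovers per MAC (to spot a fixed cadence such as the 64 seconds mentioned), compare the set of source MACs against the list of MACs you know belong to the NICs and the VM, and report whether the distinct-MAC count exceeds the switch port-security limit. It also compares the BOOTP client hardware address (chaddr) with the Ethernet source, which separates "generated here" from "relayed or forged" traffic. The frames, timestamps and MAC addresses are constructed placeholders (locally administered addresses), not values from the original mail; to use it on a real port, feed it (timestamp, raw frame) pairs from your own capture.

```python
import struct
from collections import defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_dhcp_discover(src_mac: bytes, xid: int) -> bytes:
    """Constructed test data: a minimal Ethernet/IPv4/UDP/BOOTP frame carrying
    DHCP option 53 = DISCOVER. Checksums are left at zero (fine for parsing)."""
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,                   # BOOTREQUEST, Ethernet, hlen 6, hops, xid, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        src_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128,  # chaddr (16 bytes), sname, file
    )
    payload = bootp + DHCP_MAGIC + bytes([53, 1, DHCPDISCOVER]) + b"\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def parse_frame(frame: bytes):
    """Return {'src': mac, 'dhcp_type': int|None, 'chaddr': mac|None}.
    dhcp_type/chaddr are only set for IPv4 UDP 68->67 frames with a DHCP cookie."""
    if len(frame) < 14:
        return None
    info = {"src": mac_str(frame[6:12]), "dhcp_type": None, "chaddr": None}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return info                                   # not IPv4 (e.g. ARP)
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        return info                                   # not UDP
    udp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    dhcp = frame[udp_off + 8:]
    if (sport, dport) != (68, 67) or len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return info
    info["chaddr"] = mac_str(dhcp[28:34])             # hardware address claimed inside BOOTP
    i = 240
    while i < len(dhcp):
        code = dhcp[i]
        if code == 0:                                 # pad option
            i += 1
            continue
        if code == 255:                               # end option
            break
        length = dhcp[i + 1]
        if code == 53 and length == 1:
            info["dhcp_type"] = dhcp[i + 2]
        i += 2 + length
    return info


def audit_port(capture, known_macs, port_limit):
    """capture: iterable of (timestamp_seconds, frame). Reports source MACs not in
    known_macs with their OUI prefix, the spacing of each MAC's DHCP Discovers,
    Ethernet-source/chaddr mismatches, and whether port_limit would be exceeded."""
    discovers = defaultdict(list)
    all_macs = set()
    mismatches = []
    for ts, frame in capture:
        info = parse_frame(frame)
        if info is None:
            continue
        all_macs.add(info["src"])
        if info["dhcp_type"] == DHCPDISCOVER:
            discovers[info["src"]].append(ts)
            if info["chaddr"] != info["src"]:         # relayed from elsewhere or forged
                mismatches.append((info["src"], info["chaddr"]))
    unknown = sorted(all_macs - set(known_macs))
    return {
        "unknown": unknown,
        "oui": {m: m[:8] for m in unknown},           # first three octets = vendor prefix
        "discover_intervals": {m: [b - a for a, b in zip(t, t[1:])] for m, t in discovers.items()},
        "chaddr_mismatch": mismatches,
        "exceeds_limit": len(all_macs) > port_limit,
    }


def sample_capture():
    """Constructed capture: the NIC sends an ARP frame, the VM sends one Discover,
    and a third (unknown) MAC sends a Discover every 64 s. Placeholder MACs only."""
    eth0, vm, mystery = (bytes.fromhex(h) for h in ("02aa00000001", "02bb00000002", "02aa00000077"))
    arp = b"\xff" * 6 + eth0 + b"\x08\x06" + b"\0" * 28
    return [(0.0, arp),
            (1.0, build_dhcp_discover(vm, 0x1111)),
            (10.0, build_dhcp_discover(mystery, 0x2222)),
            (74.0, build_dhcp_discover(mystery, 0x2223)),
            (138.0, build_dhcp_discover(mystery, 0x2224))]


def run_example():
    known = {"02:aa:00:00:00:01", "02:bb:00:00:00:02"}   # NIC and VM MACs you can account for
    return audit_port(sample_capture(), known, port_limit=2)


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_example())
```

On a real capture, an unknown MAC whose OUI matches the server vendor, whose chaddr equals its Ethernet source, and whose Discovers arrive on a fixed timer is strong evidence that something on the host itself (rather than a relayed broadcast) is speaking; the list returned here is what you would then check against every interface the machine exposes, including ones not visible as ordinary NICs.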