1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

syslog question

Discussion in 'Tomato Firmware' started by Roimeister, Aug 6, 2007.

  1. Roimeister

    Roimeister LI Guru Member

    When I look at dropped packets in my syslog, I see something like
    MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx embedded in the log entry of the dropped packet.

    Is this really 3 MACs or what is the deal?

    thanks in advance
  2. Toxic

    Toxic Administrator Staff Member

    have you identified the MAC Addresses this referes too?
  3. Roimeister

    Roimeister LI Guru Member

    I'm not sure how to identify. I've only seen MACs in the form of xx:xx:xx:xx:xx:xx not 3 times that length. As an added twist, the first part of the address is ff:ff:ff:ff:ff:ff .

    I was wondering if there was some sort of secret decoder ring that says "it's really 3 MAC's, the first is the blah blah blah, second is blah blah" etc or "the first and last are just random numbres, its really the middle" or some other de-mystifying explanation.
  4. Roimeister

    Roimeister LI Guru Member

    After some testing, I've gotten a partial answer...

    The "MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:x x:xx:xx" in the syslog entry actually is 3 MACs concatenated. The first is the destination MAC, the second is the source MAC.

    My ISP provides "unlimited" dhcp addresses so I plugged my router into a mini-hub and plugged my PC into the mini-hub also. Then I pinged my routers WAN address from my PC. Sure enough, I was able to decode from looking at all the known MACs. I'm assuming the ff:ff:ff:ff:ff:ff entry was a broadcast MAC.

    I'm still clueless about the third portion of the MAC since it doesn't appear to be anything close to any of my known MACs. Any ideas?

Share This Page