Wireshark · Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 17, Issue 16

["Chad Dailey" <chad@xxxxxxxxxxxxxxxxxxx>]

Cadant is an older manufacturer of cable modem termination gear, purchased by Arris.  You're probably seeing an attempt to autoconfigure a management address which likely shouldn't be on your net.  Unless you're a DHCP server admin for whatever this equipment is for, ignore it, it's more or less harmless.  If you really want to find out where it is, chase it through your layer two MAC forwarding database in your switches.  Likely, it won't show up in a layer three flow table.

Happy hunting,
Chad

On 10/13/07, James Ortega <admiral.ross@xxxxxxxxx> wrote:

Thanks Chad for replying.  This is driving me nuts because I really don't know what it all means and how to turn it all off.  As for the packet that is what syslog shows.  I'm assuming the rest of it get truncated.  In addition, I don't have any mac with that manufacture in my network.  I'm wondering if I turn off DHCP to test for a day or two will these messages disappear.  Now if I can get a packet analyzer to pick up the data from mysql it would be able to tell me what everything is.  Maybe even give me stats and graphs, like Ntop. 

 

---

MSN: admiral.ross, Y!: admiral.ross, AIM: admiralwross
http://r-loc-one.com, http://stb575.com

-----Inline Attachment Follows-----

No IP UDP forwarder (aka IP helper or DHCP helper) configured on the router would be my guess.  Since the packet has a source address, I'll also guess that these are rebind packets instead of renews or discovers, but you didn't post the whole frame...  Source mac info points to:

00-01-5C   (hex)        CADANT INC.
00015C     (base 16)        CADANT INC.
                4343 Commerce Court - Ste. #207
                Lisle IL 60532
                UNITED STATES

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users