Packet Analysis -part2
Last Post: February 4, 2009:
We have a controller based solution with thin APs. You can't remote to the AP itself. We already have it on a console port mngt connection on the controller.
That was my next step. I'm going to take the AP down and mostly more and scan the environment again. I just wished it would show the source MAC. I've been on the lookout for anything not normal!
I'm going to double check all the beacons to check for any rogues. I know there are some ADHOC beacons.
I have a quick question. I know beacons are broadcast out to all stations, therefore the destination is FF:FF:FF:FF:FF:FF. I've never seen FF:FF:FF:FF:FF:FF in the source. Any comments on that?
Have you made any changes to your WLAN controller? Any network changes to it? A broadcast address as a source is new to me, but maybe it's an attempt to mask their source address for the previously mentioned DoS attack. If it is a device in your area of influence, a laptop could be running AP software. It's a little far-fetched for this, but don't overlook the possibility. Maybe someone else has seen this condition with a source broadcast address?
No configuration changes. Just adding APs. I've been trying to research the FF:FF:FF:FF:FF:FF source and found many users experiencing this issue with their computers. Mostly computers that have a MAC of FF:FF:FF:FF:FF:FF. I'm not sure if this is the same situation but it could be. I just have to locate it so users can load web pages. Right now they are not able to load anything. I may change the channel and see if that helps.
Was wondering if you were able to track down the CTS frames via signal?
I'm stumped... I can't wait to see what you find!
What WLAN are you using?
What type of building are you in?
Unfortunately, it's a residence hall. It has 4 floors and about 50 APs.
I haven't been there today. I'm planning to go on Wednesday.
Yea. I'm stumped also. If I find anything, I will post.
Thanks everyone for the help. If anything else pops in mind, post it up!
I'll take a look at the captures when I get home tonight. They are on my tablet.
What part of the country are you in?
From what I remember, your captures contained a high number of CTS frames. CTS frames with an all FF's source is weird. Most of the time you will see CTS frames without any source. These are called CTS to Self and are used with 11g protection mechanisms.
Do you have 11b devices on this network? From the screenshot you posted, I can see that no 11b devices are associated to this AP.
What model of equipment are you using?
Try this: Disable the 1, 2, 5.5 and 11 Mbps data rates. Even if you have 11b devices, try this and see how the 11g devices react. I'll bet a nickel that you will see a significant increase in speed. If you can capture traffic with those data rates shut down, that would also help.
Thanks for the reply. I'm located in GA. We have a controller based solution. I know turning the B data rates off will increase performance but I'm not sure if I'll be able to do that because of the controllers. Since we are using thin APs, I will have to create a new radio profile and set these APs to use that profile. I'm aware of the CTS to Self frames but I've never seen them from an all FF or blank source. I will try to disable these data rates but I will have to enable them back. I'm also going to change the channel and see if this all FF source will follow. Again, thanks for the time and input from everyone!
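One way to triage a capture for the CTS frames discussed in this thread, given here as an added example that is not part of any post: a CTS frame carries a single address field, the receiver address (RA), plus a Duration value, so the sketch counts CTS frames per RA and flags a broadcast RA or a long Duration. It assumes each frame starts at the 802.11 MAC header (radiotap already stripped); the function names, the 10,000 µs threshold and the sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_cts(frame: bytes):
    """Return (receiver_address, nav_us) for a CTS frame, or None otherwise."""
    if len(frame) < 10:                      # FC(2) + Duration(2) + RA(6)
        return None
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 1 or subtype != 12:          # type 1 = control, subtype 12 = CTS
        return None
    ra = ":".join(f"{b:02x}" for b in frame[4:10])
    # Bit 15 clear: the field is a NAV reservation in microseconds.
    nav_us = duration if not duration & 0x8000 else None
    return ra, nav_us

def summarize_cts(frames, nav_threshold_us=10_000):
    """Count CTS frames per receiver address and flag the suspicious ones."""
    per_ra, flagged = Counter(), []
    for index, frame in enumerate(frames):
        parsed = parse_cts(frame)
        if parsed is None:
            continue
        ra, nav_us = parsed
        per_ra[ra] += 1
        reasons = []
        if ra == BROADCAST:
            reasons.append("broadcast RA")
        if nav_us is not None and nav_us >= nav_threshold_us:
            reasons.append("long NAV")
        if reasons:
            flagged.append((index, ra, nav_us, reasons))
    return per_ra, flagged

# Constructed sample frames (not taken from the thread's captures).
SAMPLE_FRAMES = [
    bytes.fromhex("c4002c00" "001122334455"),   # CTS, 44 us, unicast RA
    bytes.fromhex("c400ff7f" "ffffffffffff"),   # CTS, 32767 us, broadcast RA
    bytes.fromhex("d4000000" "001122334455"),   # ACK, ignored
    bytes.fromhex("c400ff7f" "ffffffffffff"),   # repeat of the flagged CTS
    bytes.fromhex("c400"),                      # truncated, ignored
]

if __name__ == "__main__":
    counts, alerts = summarize_cts(SAMPLE_FRAMES)
    print(counts.most_common())
    for alert in alerts:
        print(alert)
```

Every station that hears a CTS defers for its Duration value, so the per-RA count and the flagged Duration values show how much airtime the frames are reserving.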