Reset Search
 

 

Article

Why does my stack display the source Ethernet address as MS-NLB-PhysServer-04 (02:04:96:xx:xx:xx) in a Wireshark capture?

« Go Back

Information

 
TitleWhy does my stack display the source Ethernet address as MS-NLB-PhysServer-04 (02:04:96:xx:xx:xx) in a Wireshark capture?
Question
Why does my stack display the source Ethernet address as MS-NLB-PhysServer-04 (02:04:96:xx:xx:xx) in a Wireshark capture?

Example:
Stack Capture
Environment
EXOS Stacking
Answer
When stacking is enabled, a 02 is added to the first octet in the stack MAC address.

Wireshark uses Ethernet vendor codes, and well-known MAC addresses to translate the MAC OUI. This can be located in the Wireshark 'manuf' file, located in the install folder.  02: in the begining of the MAC means the MAC is
locally administered and any vendor can use these addresses.

In the file, 02-04-00-00-00-00/16 is translated to MS-NLB-PhysServer-04 which then displays MS-NLB-PhysServer-04 as the vendor name in the capture due to the translation. The vendor name can be edited within the file if needed.
Additional notes
A bug with Wireshark was submitted, and this should be fixed in wireshark in the February 2017 release.

Bug report:
https://code.wireshark.org/review/#/c/15753/

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255