cancel
Showing results for 
Search instead for 
Did you mean: 

Confused about an entry in the PN Hub2's technical log

greygit1
Aspiring Pro
Posts: 411
Thanks: 56
Fixes: 1
Registered: ‎26-06-2023

Confused about an entry in the PN Hub2's technical log

 

10:25:11, 19 Sep.
2.4G client Mac: 48:48:46:46:46:46 Deauthentications (Reason:Deauthenticated because sending station is leaving (or has left) IBSS or ESS)

 

Not a valid registed MAC as far as I can find out. The 'sending station' never regsitered/authenticated, so I'm currently assuming it was part of the Hub2's boot procedure.
6 REPLIES 6
Dan_the_Van
Hero
Posts: 3,155
Thanks: 1,573
Fixes: 90
Registered: ‎25-06-2007

Re: Confused about an entry in the PN Hub2's technical log

Hi @greygit1 

The mac address 48:48:46:46:46:46 is likely to be a randomised one created by a wireless device, the randomisation is used to make the device more private. This helps prevents a device hardware type being identified from the MAC Address and harder to track.

Example Mac Address search B8:27:EB:xx:xx:xx identifies the device being a raspberry pi, in some cases it may just come up as network card manufacture.

Nothing to worry about

HTH 

 

greygit1
Aspiring Pro
Posts: 411
Thanks: 56
Fixes: 1
Registered: ‎26-06-2023

Re: Confused about an entry in the PN Hub2's technical log

That's almost what I was thinking, but I thought I'd float the entry to see what others may say. I'm used to one of the kids turning up with an Apple device, so odd MAC addresses isn't something I'm unfamialr with. It was just the lack of an authentication attempt in the log. (I'm aware that MAC addresses are part of IPv6 packets, and hence the ability to spoof MACs)

 

I'm currently assuming it is a 'chancer' trying to piggy-back the wireless connection.

 

A recent reboot reveals these three consecutive (with no other intervening entries in the log)

 

00:57:14, 20 Sep. 2.4G client Mac: 00:00:00:00:00:00 Deauthentications (Reason:Deauthenticated because sending station is leaving (or has left) IBSS or ESS)
00:56:57, 20 Sep. 2.4G WiFi auto selected channel 11 Bandwidth:20M(Reason:boot)
00:56:54, 20 Sep. 2.4G WiFi scan(Reason:boot)

 

However, the Hub2 logs do not disclose any attempts to authenticate or join the wireless network prior to the 'Deauthentication'.

Dan_the_Van
Hero
Posts: 3,155
Thanks: 1,573
Fixes: 90
Registered: ‎25-06-2007

Re: Confused about an entry in the PN Hub2's technical log

A MAC address of all zero's is not something I have come across before. It appears 00:00:00 vendor assignment is Xerox

Have you noticed the all zero's MAC Address at any other time other than just after a reboot.?

 

greygit1
Aspiring Pro
Posts: 411
Thanks: 56
Fixes: 1
Registered: ‎26-06-2023

Re: Confused about an entry in the PN Hub2's technical log

Unfortunately not. If there was I could try flicking switches on individual power supplies to see if any further enlightenment would emerge

 

I'm trying to review saved log files to see whether the commencement of these irritating/interesting oddities coincides (or nearly coincides) with a couple of recently(ish) installed wifi-only connected devices. There are one or three on the suspect list. Two are easily powered off; the other not so easily.

 

At the moment the only thing I can say is that the entries started after a week-long lack on internet. I can't see similar entries during the outage.

 

Cheers for input. I'm not 'worried' about the entry. I'm not seeing any oddities in ARP tables. Just very curious. And I'm sure that manufacturers of wifi-enabled devices don't always stick to standards.

 

Anyone with further ideas?

 

(Other interesting entry in the Hub2 log file...

 

<<<<<<<<<<<<<<<<<<<< Limit of Hidden WAN log >>>>>>>>>>>>>>>>>>>>

 

And that various elements of the log appear to have differing retention periods

 

FW log limit hit first first

Wire LAN log next

Then Hidden WAN log

Then DHCP log

Followed by WiFi log

then the TR069 log

And the WAN log

And the NTP log

And finally the GUI log

But I cannot be sure whether these are time limited or due to allocated storage limits, or possibly a combination).

greygit1
Aspiring Pro
Posts: 411
Thanks: 56
Fixes: 1
Registered: ‎26-06-2023

Re: Confused about an entry in the PN Hub2's technical log

After dredging through half-remembered knowledge of various network protocols I think 00:00:00:00:00:00 may be related to DHCP and/or LAN broadcasts. That'd fit in with a boot up of a DHCP server.

 

https://networkengineering.stackexchange.com/questions/46983/router-issued-arp-requests-target-mac-b...

Dan_the_Van
Hero
Posts: 3,155
Thanks: 1,573
Fixes: 90
Registered: ‎25-06-2007

Re: Confused about an entry in the PN Hub2's technical log

In general with the Hub Two I export the event log as a CSV file and review it with Notepad plus.
I'm not sure but the date/time limit you noted are for the filter applied and maybe not the complete log.
Currently not in a position to check that theory.