Anybody else seeing weird syslog messages coming from MR33 for flow reports?

Steven

I'm seeing all kinds of crazy IP src/dst addresses, MAC addresses and protocol numbers showing up in syslog flow reports coming out of MR33s. For example:

src=0.0.1.0 dst=0.0.0.0

src=226.203.172.48

protocol=16

protocol=g (that's not a typo - lowercase 'g')

There are also numerous examples wherein the last two octets of a dst address (in decimal form) match the first two octets of the MAC address (in hex notation). So for example the dst address is x.x.228.112 and the first two octets of the MAC just happen to be E4:70.

I haven't been able to capture any of these unicorn flows in PCAP, so I suspect that it's some kind of bug in how the MR33 goes about building the message string.

Has anybody else run into this? Just curious.

PhilipDAth

Running 25.11 firmware?

Yes

It looks like the MR33 is misidentifying a WLCCP packet as the start of an IP flow and it's pulling src/dst IP address and protocol number information from the data stream to build the syslog msg.

[Image: wlccp2.jpg]

The fields seem to line up quite nicely. Protocol number byte two bytes in front of the "src ip".
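
Added example, not part of the original thread and not Meraki code: a small Python filter a syslog collector could run to set aside flow records showing the symptoms described above (source in 0.0.0.0/8 or multicast, unexpected protocol value, dst octets mirroring the MAC) before they reach detection rules. The space-separated key=value layout with a `mac=` field, the protocol allow-list and the sample records are assumptions.

```python
import ipaddress
import re

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Assumption: protocol values this site expects; adjust for your network.
EXPECTED_PROTOCOLS = {"tcp", "udp", "icmp", "1", "6", "17"}
THIS_NETWORK = ipaddress.IPv4Network("0.0.0.0/8")

# Constructed sample records (not captured from a real device).
SAMPLES = [
    "flows src=0.0.1.0 dst=0.0.0.0 mac=00:11:22:33:44:55 protocol=16",
    "flows src=226.203.172.48 dst=10.0.228.112 mac=E4:70:00:AA:BB:CC protocol=g",
    "flows src=192.168.1.10 dst=8.8.8.8 mac=58:1F:AA:CE:61:F2 protocol=udp",
]


def check_flow(line):
    """Return the reasons a flow record looks malformed (empty list if none)."""
    fields = dict(FIELD_RE.findall(line))
    reasons, addrs = [], {}
    for key in ("src", "dst"):
        try:
            addrs[key] = ipaddress.IPv4Address(fields.get(key, ""))
        except ipaddress.AddressValueError:
            reasons.append(f"{key} missing or not IPv4")
            continue
        if addrs[key] in THIS_NETWORK:
            reasons.append(f"{key} in 0.0.0.0/8")
    # A multicast address is never a legitimate packet source.
    if "src" in addrs and addrs["src"].is_multicast:
        reasons.append("src is multicast")
    proto = fields.get("protocol", "")
    if proto.lower() not in EXPECTED_PROTOCOLS:
        reasons.append(f"unexpected protocol {proto!r}")
    try:
        mac = bytes.fromhex(fields.get("mac", "").replace(":", ""))
    except ValueError:
        mac = b""
    # Symptom from the thread: dst x.x.228.112 alongside a MAC starting E4:70.
    if len(mac) == 6 and "dst" in addrs and addrs["dst"].packed[2:] == mac[:2]:
        reasons.append("dst octets 3-4 equal mac octets 1-2")
    return reasons


if __name__ == "__main__":
    for record in SAMPLES:
        print(check_flow(record) or "ok", "<-", record)
```

The MAC overlap check can match a legitimate flow by coincidence, so treat it as a hint that matters mainly when it appears together with one of the other reasons.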
