
Anybody else seeing weird syslog messages coming from MR33 for flow reports?


I'm seeing all kinds of crazy IP src/dst addresses, MAC addresses and protocol numbers showing up in syslog flow reports coming out of MR33s. For example:

 

src=0.0.1.0 dst=0.0.0.0

src=226.203.172.48

protocol=16

protocol=g (that's not a typo - lowercase 'g')

 

There are also numerous examples wherein the last two octets of a dst address (in decimal form) match the first two octets of the MAC address (in hex notation).  So for example the dst address is x.x.228.112 and the first two octets of the MAC just happen to be E4:70

 

I haven't been able to capture any of these unicorn flows in PCAP so I suspect that it's some kind of bug in how the MR33 goes about building the message string.

 

Has anybody else run into this?  Just curious.

3 REPLIES

Re: Anybody else seeing weird syslog messages coming from MR33 for flow reports?

Running 25.11 firmware?


Re: Anybody else seeing weird syslog messages coming from MR33 for flow reports?

Yes


Re: Anybody else seeing weird syslog messages coming from MR33 for flow reports?

It looks like the MR33 is misidentifying a WLCCP packet as the start of an IP flow and it's pulling src/dst IP address and protocol number information from the data stream to build the syslog msg.

[Image: wlccp2.jpg]

The fields seem to line up quite nicely.  Protocol number byte two bytes in front of the "src ip".
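A triage filter for the anomalies described in this thread, as an added example that is not part of any post above and is not Meraki code. It tags flow lines whose `src`/`dst` cannot be real flow endpoints, whose `protocol` is outside an expected set, or whose `dst` tail repeats the start of the MAC. The `mac=` key name, the sample lines and the `EXPECTED_PROTOCOLS` set are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: protocol values this site expects in flow records; tune locally.
EXPECTED_PROTOCOLS = {"tcp", "udp", "icmp", "1", "6", "17"}
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # never a real flow endpoint
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines (not captured traffic); "mac=" key is assumed.
SAMPLES = [
    "flows src=192.168.10.5 dst=192.168.10.1 mac=AA:BB:CC:00:11:22 protocol=tcp",
    "flows src=0.0.1.0 dst=0.0.0.0 mac=AA:BB:CC:00:11:22 protocol=16",
    "flows src=226.203.172.48 dst=10.1.228.112 mac=E4:70:B8:00:11:22 protocol=g",
]

def implausible(value, is_source):
    """Return a reason string if value cannot be a real flow endpoint."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return "unparseable"
    if addr in THIS_NETWORK:
        return "in 0.0.0.0/8"
    if is_source and addr.is_multicast:  # multicast is valid only as dst
        return "multicast source"
    return None

def check_flow(line):
    """Return a list of anomaly tags for one flow syslog line."""
    f = dict(KV.findall(line))
    tags = []
    for key in ("src", "dst"):
        if key in f:
            reason = implausible(f[key], key == "src")
            if reason:
                tags.append(f"{key}: {reason}")
    proto = f.get("protocol")
    if proto is not None and proto.lower() not in EXPECTED_PROTOCOLS:
        tags.append(f"protocol: unexpected {proto!r}")
    # Overlap noted in the thread: last two dst octets == first two MAC octets.
    if "dst" in f and "mac" in f:
        try:
            tail = ipaddress.IPv4Address(f["dst"]).packed[2:]
            head = bytes.fromhex(f["mac"].replace(":", "")[:4])
            if tail == head:
                tags.append("dst tail equals MAC head")
        except ValueError:
            pass  # unparseable dst is already tagged above
    return tags
```

Running `check_flow` over each received line and counting tags per access point shows which devices emit the malformed records and how often.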
