I'm seeing all kinds of crazy IP src/dst addresses, MAC addresses and protocol numbers showing up in syslog flow reports coming out of MR33s. For example:
protocol=g (that's not a typo - lowercase 'g')
There are also numerous examples wherein the last two octets of a dst address (in decimal form) match the first two octets of the MAC address (in hex notation). So for example the dst address is x.x.228.112 and the first two octets of the MAC just happen to be E4:70.
I haven't been able to capture any of these unicorn flows in PCAP, so I suspect that it's some kind of bug in how the MR33 goes about building the message string.
Has anybody else run into this? Just curious.
It looks like the MR33 is misidentifying a WLCCP packet as the start of an IP flow and it's pulling src/dst IP address and protocol number information from the data stream to build the syslog msg.
The fields seem to line up quite nicely. Protocol number byte two bytes in front of the "src ip".
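A check for the two anomalies described in this thread (a protocol value that is neither a number nor a known name, and a dst address whose last two octets equal the first two octets of the MAC), as an added example that is not part of the original posts. The key=value line layout, the `KNOWN_PROTOCOLS` set, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines. The key=value layout is an assumption built from
# the fields the thread mentions (src, dst, mac, protocol).
SAMPLE = [
    "1700000000.1 AP1 flows src=10.0.0.5 dst=10.0.0.9 mac=AA:BB:CC:00:11:22 protocol=tcp sport=50000 dport=443",
    "1700000001.2 AP1 flows src=10.9.8.7 dst=10.1.228.112 mac=E4:70:00:00:00:01 protocol=g",
    "1700000002.3 AP1 flows src=10.0.0.5 dst=10.1.228.112 mac=E4:70:00:00:00:01 protocol=6 sport=1 dport=2",
]

KV = re.compile(r"(\w+)=(\S+)")
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp"}  # assumed set of named protocols

def parse_flow(line):
    """Return the key=value fields of one flow line as a dict."""
    return dict(KV.findall(line))

def anomalies(fields):
    """Return the reasons a parsed flow looks like a mis-built message."""
    reasons = []
    proto = fields.get("protocol", "")
    numeric = proto.isascii() and proto.isdigit() and int(proto) <= 255
    if not numeric and proto.lower() not in KNOWN_PROTOCOLS:
        reasons.append("bad-protocol")
    try:
        dst = ipaddress.IPv4Address(fields["dst"]).packed
        mac = bytes.fromhex(fields["mac"].replace(":", ""))
    except (KeyError, ValueError):
        reasons.append("unparseable-address")
        return reasons
    # 228.112 in decimal is E4:70 in hex: the same two bytes in both fields.
    # A genuine flow matches by chance about once in 65536.
    if len(mac) >= 2 and dst[2:4] == mac[:2]:
        reasons.append("dst-mac-overlap")
    return reasons

def triage(lines):
    """Return (line_index, reasons) for each line with at least one anomaly."""
    checked = ((i, anomalies(parse_flow(l))) for i, l in enumerate(lines))
    return [(i, r) for i, r in checked if r]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE):
        print(idx, ",".join(why))
```

Lines flagged with `dst-mac-overlap` are the ones worth correlating against a packet capture taken at the same timestamp.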