Malicious Broadcasts

Clickster
Comes here often

When I'm looking at the Malicious Broadcasts tab, I see the AP that saw the broadcasts, then there is a field for MAC. Is that the MAC of the AP or the MAC of the device that the malicious broadcasts originated from?

I'm asking because I would assume the latter, but the MACs that are showing up are the MACs for the APs that say they saw the broadcasts.

In other words, the row says "Seen By" AP1 (whose MAC is AA:BB:CC:DD:EE:FF:11) and "MAC" AA:BB:CC:DD:EE:FF:11.

These are broadcast deauth packets.

RaphaelL
Kind of a big deal

Hi,

Do you have AirMarshal and containment enabled?

So you are saying that one of your APs is present in the "Malicious broadcasts" page on your network?

Clickster
Comes here often

There are 6 APs in the building. All 6 show up at one time or another as the "seen by" AP. In every case, the MAC listed under the "MAC" column is the MAC of the AP in question.
I sometimes, but not always, will see an AP spoof whose time stamp and AP match up with the malicious broadcast.

I'm not sure if this is what you're asking regarding whether Air Marshal is enabled and containing. At the moment I have it set to block clients from connecting to rogue SSIDs.
There is a single listing under rogue SSIDs but I think it's a general listing with the SSID as "hidden" and the broadcast MAC as XXX (and 378 others).

 
