I wanted to reach out to this community and see what information I can gain to figure out an issue we are having.
We use UDT to track MAC addresses and receive alerts.
Our nodes are defined as all of our managed switches (all same vendor - Netgear managed switches).
Sometimes once a day, often twice, rarely 3 or more times... I will get an alert that there is a Rogue Mac Address detected. These are always vendorless MAC addresses and they are not the same - they almost appear to be randomly generated. Often they are detected on a trunk port, and show a list of nodes/switches which have had an indirect connection. Rarely, I will get a direct connect (from a trunk port to another switch), but I am certain no one is plugging anything into these ports as they are locked behind closed doors.
Something is picking up these in the MAC address tables. There is never an IP associated to the MAC - so the arp tables haven't presented any leads.
To try to get more information, I setup Wireshark and captured a rotating set of logs over 24 hours. I got 3 hits and I can find the detected MAC address in the list once each over a 3 hour period (when it is detected). It doesn't give enough information to determine and the dataset in the packet doesn't appear to give any useful information.
I wanted to ask if anyone has run into a similar situation as this? We really like the idea of using UDT - we are heavily into compliance and this is a very useful solution for us. However, as it stands, the solution is useless to us if it provides false positives that we are unable to track down. We have no way of knowing what is an actual alert or something out there creating and destroying a MAC address for use as an internal function.
Glad to provide more information if I can.