I wanted to reach out to this community and see what information I can gain to figure out an issue we are having.
We use UDT to track MAC addresses and receive alerts.
Our nodes are defined as all of our managed switches (all same vendor - Netgear managed switches).
Sometimes once a day, often twice, rarely 3 or more times... I will get an alert that there is a Rogue Mac Address detected. These are always vendorless MAC addresses and they are not the same - they almost appear to be randomly generated. Often they are detected on a trunk port, and show a list of nodes/switches which have had an indirect connection. Rarely, I will get a direct connect (from a trunk port to another switch), but I am certain no one is plugging anything into these ports as they are locked behind closed doors.
Something is picking up these in the MAC address tables. There is never an IP associated to the MAC - so the arp tables haven't presented any leads.
To try to get more information, I setup Wireshark and captured a rotating set of logs over 24 hours. I got 3 hits and I can find the detected MAC address in the list once each over a 3 hour period (when it is detected). It doesn't give enough information to determine and the dataset in the packet doesn't appear to give any useful information.
I wanted to ask if anyone has run into a similar situation as this? We really like the idea of using UDT - we are heavily into compliance and this is a very useful solution for us. However, as it stands, the solution is useless to us if it provides false positives that we are unable to track down. We have no way of knowing what is an actual alert or something out there creating and destroying a MAC address for use as an internal function.
Glad to provide more information if I can.
We have the same issue -- to the point it has rendered UDT pretty useless. We can't turn on alerting or we get 7-8 "false" alerts per day.
Does anyone know if this has been resolved?
The manager in charge is ready to pitch UDT in the trashcan and move on to another product.
So the problem we are running into (in my case and it sounds like the original posters issue) is I am only monitoring the interesting ports example 1-30 and leaving 31-48 un-monitored and port 49 (Fiber Port) is a trunk port and is seeing the Arp Traffic. When i worked with Solarwinds Support on this that also confirmed this is not expected behavior and UDT is misbehaving.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.