
Details to RADAR messages


Hi guys,

can someone please explain what is meant in a Radar Analysis Engine message when the shown MAC address is like this (FF:FF:FF:FF:FF:FF)?

Full message is:

Security threat [Denial of Service] detected by AP [DZAP017], SN [XXXXXXXX85G0000].
Details: state [inactive], location [Bauteil D - 1. OG - Flur mitte], channel [44], frequency [5220MHz], associated MAC [FF:FF:FF:FF:FF:FF], RSS [-78], description [Invalid disconnect code attack]


Security threat [Denial of Service] detected by AP [DZAP002], SN [XXXXXXXXX85B0000].
Details: state [active], location [EDV - Systemgruppe], channel [44], frequency [5220MHz], associated MAC [FF:FF:FF:FF:FF:FF], RSS [-77], description [Authentication frame flood attack]

Regards,
Stephan


I also get lots of these. IDK if they are true or not because I put a Cisco 3701-i AP in the area and it detected nothing of the sort.

Typically the all FF's indicates that a wireless client is trying to inject these messages but purposely obfuscating its MAC address, or this could be a client with a bad card driver; there's not enough info to pinpoint which client is the source.

You can work with GTAC by taking a trace of the air when the issue occurs, then providing that trace to GTAC for review.

Doug

Doug, thank you very much! Great work - as always.

Stephan
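
Doug's reply above notes that an all-FF associated MAC leaves no way to identify the source client. As an added example (not from the thread or from Extreme Networks), the Python below parses RADAR messages of the form quoted in the question and separates events that name a client from those that do not; the function names and the sample text are assumptions constructed for illustration.

```python
import re
from collections import Counter

BROADCAST = "FF:FF:FF:FF:FF:FF"
FIELD = re.compile(r"([A-Za-z ]+?)\s*\[([^\]]*)\]")  # matches: label [value]

# Constructed sample modelled on the two messages quoted in the question
# (placeholder serials; line wraps are deliberate, to exercise the parser).
SAMPLE = """\
Security threat [Denial of Service] detected by AP [DZAP017], SN
[XXXXXXXX85G0000].
Details: state [inactive], location [Bauteil D - 1. OG - Flur mitte], channel
[44], frequency [5220MHz], associated MAC [FF:FF:FF:FF:FF:FF], RSS [-78],
description [Invalid disconnect
code attack]

Security threat [Denial of Service] detected by AP [DZAP002], SN
[XXXXXXXXX85B0000].
Details: state [active], location [EDV - Systemgruppe], channel [44], frequency
[5220MHz], associated MAC [FF:FF:FF:FF:FF:FF], RSS [-77], description
[Authentication
frame flood attack]
"""

def parse_radar(text):
    """Return one dict per RADAR threat message; tolerates wrapped lines."""
    flat = " ".join(text.split())  # undo mail/forum line wrapping
    events = []
    for chunk in re.split(r"(?=Security threat \[)", flat):
        fields = {k.strip().lower(): v.strip() for k, v in FIELD.findall(chunk)}
        if "security threat" in fields:
            events.append(fields)
    return events

def triage(events):
    """Separate events whose reported MAC cannot identify a source client."""
    unattributed = [e for e in events
                    if e.get("associated mac", "").upper() == BROADCAST]
    attributed = [e for e in events if e not in unattributed]
    # Per (AP, channel) count: where to capture for the air trace suggested above.
    points = Counter((e["detected by ap"], e["channel"]) for e in unattributed)
    return attributed, unattributed, points

if __name__ == "__main__":
    attributed, unattributed, points = triage(parse_radar(SAMPLE))
    for e in unattributed:
        print(e["detected by ap"], e["state"], e["rss"], e["description"])
    print(dict(points))
```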
