Subscriber Discussion

MAC Address Spoofing

UE
Undisclosed End User #1
Aug 04, 2015

Does anyone have experience dealing with MAC address spoofing when using Cisco Switch Sticky MAC enabled for Panasonic cameras, in particular a WV-SW559?

Firmware is current at Application 1.62 version & Image data at 2.33

Only ports open on camera are 80, 554; checked ports 1-65256

VMS is OnSSI using NetDVMS version 6.5. In process of moving to Ocularis 5.0

UM
Undisclosed Manufacturer #2
Aug 05, 2015

Can you explain what you are trying to do, or what the issue is?

UE
Undisclosed End User #1
Aug 05, 2015

We are trying to clear up why on Cisco switches at different sites, with port security enabled, we have a security violation.

Cisco switches are identical at both sites with software, etc.

A Panasonic WV-SF539 camera is installed at both locations.

Error message displayed is as follows:

This error comes from our Cisco switch with MAC security turned on. This security is commonly called sticky MAC security.

Aug 4 13:45:04 xx.xx.x.x 231511: Aug 4 13:45:03.548 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.4006.0000 on port GigabitEthernet1/0/15.

xx.xx.x.x is the switch IP address.

Installed Panasonic WV-SF539 camera shows:

WV-SW559
MAC address 08-00-23-9A-D1-7B
Serial no. LIV04395
Firmware version
1 Application: 1.62
2 Image data: 2.33
IPL version 1.00
HTML version ENG 2.00
IP address(IPv6) Linklocal fe80::a00:23ff:fe9a:d17b

Using aruljohn.com/mac.pl to look up MAC address info shows:

00:00:40 APPLICON, INC.

Thus the 0000.4006.0000 we believe is a spoof MAC address, perhaps in the Panasonic WV-SF539 camera software.

In all cases the camera is online and recording using OnSSI VMS software.

UM
Undisclosed Manufacturer #2
Aug 05, 2015

You list two different model cameras. Which one is actually installed? Was this camera ever sent for repair? If so, the MAC could have been reprogrammed...

Are you sure that there are no other devices (network switch) plugged in to that port on the switch?

UE
Undisclosed End User #1
Aug 05, 2015

The only camera model is WV-SW559. Sorry about mentioning WV-SF539; currently working on this camera on my desk.

The WV-SW559 camera is the only device plugged into port on Cisco switch.

Details below.

  • Golf Center

1428 0800.239a.d17b STATIC Gi1/0/11

camera is using 10.14.28.106

mask 255.255.255.0

gateway 10.14.28.1

VLAN info is 1428

WV-SW559
MAC address 08-00-23-9A-D1-7B

Does not seem to matter if you move camera to another port on switch, you have the same spoof MAC address. Results below did not paste from camera.

IPv4 network
Network Settings
IP address(IPv4) . . .
Subnet mask . . .
Default gateway

. . .

UE
Undisclosed End User #1
Aug 05, 2015

Camera has not been sent off for repair

TC
Trisha (Chris' wife) Dearing
Aug 05, 2015
IPVMU Certified

Hi 1!

Interesting case. Questions:

  1. Are the cameras sending frames with their own Panasonic ethernet MACs as well?
  2. Did they ever work without causing a violation?
  3. Have the cameras been defaulted since the violations?
  4. Do you have the Cisco Sticky Mac configuration set to shut the port down on violation?

One thing you could try is setting the switch to not shutdown the port but just deny and log the violations, just temporarily. That way you would be able to see if it's just on boot-up and/or how frequent the packets are being sent out.

If you can put the camera on an isolated test network with just a PC then you could run wireshark on the PC and see what protocols and messages the spoofed ethernet address is sending. You may be able to get this easier thru the switch, but it wasn't obvious to me how to get more than the violation information you shared.

Going further, if you could enable telnet or ssh on Panasonic camera, you should be able to track down the actual process that is spoofing using tcpdump and netstat etc.

btw, I HAVE actually seen cameras use more than one ethernet address briefly during boot (and not just on dual wired/wireless cameras). Both an Axis camera I have and an Everfocus one start out with a different MAC for just a few seconds before switching to the 'real' one on the label.

That said, the MAC addresses always have the same OUI, so this seems different.

Finally, OUI 00:00:40 is really ancient, it's actually the 65th OUI ever issued; the first ten went right to Xerox (surprise), and Applicon went out of business long before the camera was ever made.

Super long shot: Applicon's assets eventually ended up being owned by Siemens AG. So it's possible that they sold it or are using it themselves.
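Following the suggestion above to log violations instead of shutting the port, this added example (not part of the original thread, and not Cisco or Panasonic code) groups PSECURE_VIOLATION syslog lines by port and offending MAC, showing how often they occur and whether the offender shares the secured MAC's vendor prefix. The sample log lines and the port-to-MAC pairing in `STICKY` are constructed for illustration.

```python
import re
from datetime import datetime

# Message format as quoted in the thread; the outer syslog prefix is skipped.
VIOLATION = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)\.\d+ \S+: "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address "
    r"(?P<mac>[0-9A-Fa-f.:-]+) on port (?P<port>\S+)"
)

def norm_mac(mac):
    """Reduce Cisco dotted, hyphen or colon notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits

def summarize(lines, sticky, year=2015):
    """Group violations by (port, MAC). sticky maps port -> secured MAC (assumed input)."""
    out = {}
    for line in lines:
        m = VIOLATION.search(line)
        if not m:
            continue  # not a port-security violation
        port, mac = m["port"].rstrip("."), norm_mac(m["mac"])
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        e = out.setdefault((port, mac), {
            "count": 0, "first": when, "last": when,
            # A shared vendor prefix would point to a boot-time alias of the camera.
            "same_oui": port in sticky and norm_mac(sticky[port])[:6] == mac[:6],
            # Bit 0x02 of the first octet marks a locally administered address.
            "locally_administered": bool(int(mac[:2], 16) & 0x02),
        })
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], when), max(e["last"], when)
    return out

# Constructed sample: same message text as the thread, invented times and sequence numbers.
_T = ("Aug 4 {t} xx.xx.x.x 2315{n}: Aug 4 {t}.548 CDT: %PORT_SECURITY-2-PSECURE_VIOLATION: "
      "Security violation occurred, caused by MAC address 0000.4006.0000 "
      "on port GigabitEthernet1/0/15.")
SAMPLE = [_T.format(t=t, n=n) for n, t in enumerate(["13:45:03", "13:50:03", "14:45:03"], 11)]
SAMPLE.append("Aug 4 13:46:00 xx.xx.x.x 231520: Aug 4 13:46:00.100 CDT: unrelated message")
STICKY = {"GigabitEthernet1/0/15": "08-00-23-9A-D1-7B"}  # constructed pairing

if __name__ == "__main__":
    for (port, mac), e in summarize(SAMPLE, STICKY).items():
        print(port, mac, e["count"], e["last"] - e["first"], e["same_oui"])
```

A violation count that clusters around reboots would match the boot-time behaviour described above; steady repeats with a different vendor prefix point to something else generating frames on that port.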

Brian Rhodes
Aug 05, 2015
IPVMU Certified

camera is using 10.14.28.106

Have you confirmed no other devices are trying to use this IP address?

UE
Undisclosed End User #1
Aug 05, 2015

Yes

Using Angry IP Scanner results below:

Angry-IP-scan for subnet

TC
Trisha (Chris' wife) Dearing
Aug 05, 2015
IPVMU Certified

Only ports open on camera are 80,554...

Just to note that this would be the only open incoming ports. Ephemeral outgoing ports used by a rogue program on the camera are likely open.

Who initiates the conversation and whether it is directed from/to a specific host or broadcast is one thing that wireshark or tcpdump would tell you.

UE
Undisclosed End User #1
Aug 05, 2015

Thanks for the help, I will be speaking with our Networking team tomorrow.

They are the Cisco experts and can try some of the items you suggested.

Cameras were recently purchased in past two years. One site online 16 months or so, the other site online for 18 months. Just recently this error has occurred within the past two months.

We don't have any other Panasonic cameras displaying these problems. We have a mixture of Sony, Panasonic, IQinvision, Toshiba, Arecont, and Sony video encoders supporting analog cameras.

Background, we are a City Government in North Texas with 300 plus cameras and have been networking cameras since 2006 when we started with OnSSI NETDVMS platform. Currently we are using EMC/Isilon storage array supporting cameras using approx. 67 TB. Plans are underway to move to the Ocularis 5.0 platform from the NetGuard client loaded on PCs, etc.

UE
Undisclosed End User #1
May 23, 2016

Issue resolved by applying firmware update to Panasonic cameras.
