[unisog] Xbox: making up MAC 00:50:F2:* and IP address

Elliot Metsger emetsger at jhu.edu
Tue Dec 4 17:21:40 GMT 2001


Could you post a couple hex dumps of the packets?  I'd be interested in 
taking a look!


David P. Allen wrote:

> On Tue, 4 Dec 2001, Irwin Tillman wrote:
>>I've begun seeing IP traffic apparently from a Microsoft Xbox attached
>>to our campus network.
>>I'm seeing UDP broadcasts from to 255.255.255(3074).
>>(Although in a few cases, the IPsrc was  Yes,
>>that's right.)  Naturally, these hit my IP egress spoof filters.
>>3074 is assigned as the xbox port (as per IANA).
>>The broadcasts are coming from a wide variety of MAC sources, all
>>starting with 00:50:F2.  These are all apparently coming from a single
>>device; it seems to me that the device uses (makes up?) many different
>>MAC addresses, changing often.
>>I've looked for any technical information that would explain why the
>>device grabs an IP address not belonging to it, and appears to make up
>>all those MAC addresses.  (This doesn't appear right to me.)  Haven't
>>found anything at Microsoft's xbox site, or other news/web searches,
>>other than to confirm that someone else has begun seeing the traffic
>>Anyone have any pointers to technical info about why the device is doing
>>this (and how to get it to behave better)?
> I am under the impression that the XBox uses IPv6 for it's addressing
> system.  That's how it can basically cluster with other XBoxen for
> multiplayer games.  As you may know, with IPv6 it is designed to
> automatically find the addresses it needs for a variety of communication
> zones possibly resulting in _multiple_ addresses for any given device on
> the network.
> I'll take a wild guess and say that what you're seeing is possibly a
> result of some non-IPv6 aware hardware/software trying to interpret those
> packets.
> I haven't had a chance to test this theory (anyone willing to give me an
> XBox?), but it was my impression that by default the XBox was not IPv4
> addressable and was reliant on IPv6 to avoid confusing users with
> configuration options.
> Can anyone else comment on this hypothesis?
> David P. Allen
> Network Manager
> Pacific Lutheran University
> { (253) 535-7524          | "...one of the main causes of the fall of  }
> { allendp at PLU.edu         |  Rome was that, lacking zero, they had no  }
> { www.plu.edu/~allendp    |  way to indicate successful termination of }
> {                         |  their C programs."         --Robert Firth }

More information about the unisog mailing list