Snort mailing list archives
Re: Snorting the MAC address
From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 11 Apr 2002 16:49:15 -0700
At 4:01 PM -0600 4/11/02, Nate Haggard wrote:
Snort grabs IPs, and that is great until someone tries to spoof their IP. Is there any way to get snort to log both the IP and MAC address? Does anyone know what part of the code to look at for this feature? Maybe there is a good reason snort doesn't log the MAC and I'm just clueless.
Acknowledging the limitations others have pointed out, the answer to your question is the snort -e option.
-e Display the second layer header info

I've found the MAC information useful; it can help you figure out network topology. Also if you know the MAC of your router, you can sanity check that a packet came through there rather than having a local origin.
Best regards,
Jim
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
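The router-MAC sanity check described in the message above, as an added example that is not part of the original post: it reads console output of the kind snort prints with the -e option and reports packets whose source IP is outside the local network but whose source MAC is not the router's. The two-line-per-packet layout, the sample packets, the network 192.168.1.0/24 and the router MAC are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on `snort -v -e` console output
# (assumed layout: link-layer line first, then the IP line).
SAMPLE = """\
04/11-16:49:15.100001 0:10:7B:38:46:33 -> 0:50:4:AB:CD:EF type:0x800 len:0x3E
203.0.113.9:1034 -> 192.168.1.20:80 TCP TTL:52 TOS:0x0 ID:4242 IpLen:20 DgmLen:48
04/11-16:49:15.200002 0:A0:C9:11:22:33 -> 0:50:4:AB:CD:EF type:0x800 len:0x3E
198.51.100.7:2301 -> 192.168.1.20:80 TCP TTL:64 TOS:0x0 ID:4243 IpLen:20 DgmLen:48
04/11-16:49:15.300003 0:A0:C9:11:22:33 -> 0:50:4:AB:CD:EF type:0x800 len:0x3E
192.168.1.31:2302 -> 192.168.1.20:22 TCP TTL:64 TOS:0x0 ID:4244 IpLen:20 DgmLen:48
"""

ETH = re.compile(r"^\S+ ([0-9A-Fa-f:]+) -> ([0-9A-Fa-f:]+) type:0x800 ")
IP = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)")


def norm_mac(mac):
    """Pad each octet to two hex digits and lowercase (0:50:4 -> 00:50:04)."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def local_origin_mismatches(text, local_net, router_mac):
    """Return (src_ip, src_mac) for packets that claim an off-net source IP
    but whose Ethernet source is not the router, i.e. sent on the local segment."""
    net = ipaddress.ip_network(local_net)
    router = norm_mac(router_mac)
    hits, src_mac = [], None
    for line in text.splitlines():
        m = ETH.match(line)
        if m:
            src_mac = norm_mac(m.group(1))  # remember for the IP line that follows
            continue
        m = IP.match(line)
        if m and src_mac is not None:
            off_net = ipaddress.ip_address(m.group(1)) not in net
            if off_net and src_mac != router:
                hits.append((m.group(1), src_mac))
            src_mac = None  # link-layer/IP pair consumed
    return hits


if __name__ == "__main__":
    for ip, mac in local_origin_mismatches(SAMPLE, "192.168.1.0/24", "0:10:7B:38:46:33"):
        print(f"off-net source {ip} arrived from local MAC {mac}")
```

The check only works for a sensor on the same segment as the sender, and a source MAC can itself be forged, so a match is a lead to follow up rather than proof of origin.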