Snort mailing list archives

Re: Mac Address


From: Bennett Todd <bet () rahul net>
Date: Fri, 13 Sep 2002 09:16:01 -0400

2002-09-13-08:10:15 jai:
> Is it possible to get the MAC address for remote machine ...

The MAC addresses on a packet are preserved in the binary packet
logs; you can get them out of there. This can be a helpful trick
when figuring out where an alert came from when you have
consolidated a lot of input sources into a single snort.

But the MAC src address in an arriving packet is only the MAC
address of the "remote machine" when that machine is directly
connected to the same logical net as the snorter; each time a packet
crosses a router, the src MAC addr is rewritten. MAC addrs apply
only on a single LAN.

> (which is in a different network)??

Nope, the src MAC addr is gone when it hits the first router on its
way to you. You can of course ask that router's ARP table, but that
doesn't preserve historical data, and isn't relevant if you've got a
packet with a forged src IP addr.

-Bennett
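An added example, not part of Bennett's post or of Snort itself, showing both points above: pulling the Ethernet source/destination MACs out of a libpcap-format binary log, and deciding whether the source MAC can name the remote host or is just the MAC of the last router hop. The pcap bytes, MAC addresses, the 192.168.1.0/24 "local" subnet and the router MAC aa:bb:cc:dd:ee:01 are all constructed here for illustration; only the standard library is used, so it runs offline on the embedded sample.

```python
"""Recover Ethernet MACs from a libpcap binary log and judge whether the
source MAC identifies the remote host.  Sample frames, subnet and router
MAC below are constructed for this example (not real captures)."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian libpcap magic (microsecond stamps)
LINKTYPE_ETHERNET = 1        # MACs only exist when the link type is Ethernet
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II header + minimal IPv4 header (no options; checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload)


def build_pcap(frames):
    """libpcap global header followed by one record per (timestamp, frame)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (ts, src_mac, dst_mac, src_ip, dst_ip) per IPv4-over-Ethernet record."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("link type %d is not Ethernet; no MACs to recover" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts, _us, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        # Ethernet dst = bytes 0-5, src = 6-11, type = 12-13; IPv4 src/dst at 26-33.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        yield (ts, mac_str(frame[6:12]), mac_str(frame[0:6]),
               str(ipaddress.IPv4Address(frame[26:30])),
               str(ipaddress.IPv4Address(frame[30:34])))


def classify_src(src_mac, src_ip, local_net, router_macs):
    """Does the frame's source MAC belong to the host named by src_ip?

    A MAC survives only one LAN hop: anything that crossed a router arrives
    carrying the router's MAC, so only on-net source IPs can be matched to a
    sender's own NIC, and even then only if the IP was not forged."""
    on_net = ipaddress.IPv4Address(src_ip) in local_net
    via_router = src_mac.lower() in {m.lower() for m in router_macs}
    if on_net and not via_router:
        return "local-host"                 # src MAC is the sender's own NIC
    if not on_net and via_router:
        return "via-router"                 # real src MAC was rewritten upstream
    if on_net and via_router:
        return "suspect-spoof"              # claims a local IP but came in through the router
    return "local-spoofer-or-unknown-gateway"   # off-net IP from an on-LAN NIC


# Constructed sample data (hypothetical addresses).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_MACS = {"aa:bb:cc:dd:ee:01"}
SENSOR_IP, SENSOR_MAC = "192.168.1.5", "00:50:56:00:00:05"

SAMPLE_PCAP = build_pcap([
    (1031900000, build_frame("00:11:22:33:44:55", SENSOR_MAC, "192.168.1.20", SENSOR_IP)),
    (1031900001, build_frame("aa:bb:cc:dd:ee:01", SENSOR_MAC, "10.9.8.7", SENSOR_IP)),
    (1031900002, build_frame("aa:bb:cc:dd:ee:01", SENSOR_MAC, "192.168.1.99", SENSOR_IP)),
    (1031900003, build_frame("00:11:22:33:44:55", SENSOR_MAC, "8.8.4.4", SENSOR_IP)),
])


def report(pcap_bytes=SAMPLE_PCAP, local_net=LOCAL_NET, router_macs=ROUTER_MACS):
    """Return [(src_ip, src_mac, verdict), ...] for every IPv4 frame in the log."""
    return [(src_ip, src_mac, classify_src(src_mac, src_ip, local_net, router_macs))
            for _ts, src_mac, _dst, src_ip, _dip in parse_pcap(pcap_bytes)]


if __name__ == "__main__":
    for src_ip, src_mac, verdict in report():
        print(f"{src_ip:15} from {src_mac}  ->  {verdict}")
```

The third sample frame is the case the post warns about: a source IP inside the local subnet arriving with the router's MAC. The MAC tells you the frame came through the router, so the on-net source IP is almost certainly forged, and neither the pcap nor the router's ARP cache will point at the real sender.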
