Snort mailing list archives
Re: Mac Address
From: Bennett Todd <bet () rahul net>
Date: Fri, 13 Sep 2002 09:16:01 -0400
2002-09-13-08:10:15 jai:
> Is it possible to get the MAC address for remote machine ...
The MAC addresses on a packet are preserved in the binary packet logs, you can get them out of there. This can be a helpful trick when figuring out where an alert came from when you have consolidated a lot of input sources into a single snort. But the MAC src address in an arriving packet is only the MAC address of the "remote machine" when that machine is directly connected to the same logical net as the snorter; each time a packet crosses a router, the src MAC addr is rewritten. MAC addrs apply only on a single LAN.
> ( which is in different network). ??
Nope, the src MAC addr is gone when it hits the first router on its way to you. You can of course ask that router's ARP table, but that doesn't preserve historical data, and isn't relevant if you've got a packet with a forged src IP addr.
-Bennett
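An added example, not part of the original post: pulling source MAC addresses out of a binary packet log and grouping the source IPs seen behind each one, which shows routed traffic all carrying the router's MAC. It assumes the log is a classic libpcap file with Ethernet link type; the function names and the sample capture (documentation-range IPs, locally administered MACs) are constructed for illustration.

```python
import struct
from collections import defaultdict

def src_macs_by_ip(pcap):
    """Map each source MAC in a classic pcap (Ethernet) to the source IPv4s seen behind it."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen = defaultdict(set)
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet (14) + IPv4 header (20); skip non-IPv4 frames.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        seen[src_mac].add(".".join(str(b) for b in frame[26:30]))
    return dict(seen)

def _frame(src_mac_hex, src_ip):
    # Constructed frame: Ethernet header + bare 20-byte IPv4 header, no payload.
    eth = bytes.fromhex("020000000001") + bytes.fromhex(src_mac_hex) + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 20]) + bytes(4) + bytes([64, 6, 0, 0])
    return eth + ip + bytes(src_ip) + bytes([192, 0, 2, 10])

def build_sample():
    """Constructed capture: one on-LAN host and two remote hosts arriving via one router."""
    frames = [
        _frame("02000000aa01", (192, 0, 2, 20)),     # same LAN as the sensor
        _frame("02000000ff01", (198, 51, 100, 7)),   # routed: MAC is the router's
        _frame("02000000ff01", (203, 0, 113, 9)),    # routed: same router MAC
    ]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for mac, ips in src_macs_by_ip(build_sample()).items():
        print(mac, sorted(ips))
```

A MAC that maps to many unrelated source IPs is a router interface (or one of several consolidated input sources), not the remote machine itself.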