Re: Strange pings from 127.0.0.1

[Alan Hicks <alan () lizella net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Jun 21, 2004, at 10:17 AM, Andrew Aris wrote:
> I'm coming into this thread partway through so sorry if this is a dumb 
> reply
> but if the mAC address is always the same then surely this could be 
> used to
> trace the culprit host?

Not necessarily. The source MAC will only tell you the last hop the 
packet went through. If the offending host is on the same subnet as you 
(i.e. no router between you and he) then the MAC can be used to trace 
back to the machine. Otherwise, you're in trouble. If you have a login 
on the router between you and he, you may be able to do an arp lookup 
on that router to find it.  If that doesn't work, you have to go 
through the next router, etc.

Of course, these things are coming from the localhost address, which 
means they are probably being routed on the loopback interface, and as 
such are packets from him to him.

- -- 

It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQFA2QellKR45I6cfKARAgRwAKCM90YcgRDyLVGyspRye2qWeKGSZwCcD5JW
w2E+A5ockOe5E6FdD7y2w+o=
=kU1t
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------