Snort mailing list archives

RE: Mac Address

From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Mon, 16 Sep 2002 14:56:43 -0400

NBNS (NetBIOS Name Service) has a field for the remote MAC address.
However, while Windows fills in this field, SAMBA (Linux NetBIOS) leaves
it empty. Using Windows, you can remotely query this by doing a "NetBIOS
NodeStatus Query" using the "nbtstat.exe" command-line program. Example:
nbtstat -A 192.0.2.111

Also, if a remote target has SNMP enabled, you can often retrieve the
remote MAC address with suitable queries. More importantly, you can also
get the remote MAC address by querying a nearby machine's ARP cache.


-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:glratt () rice edu]
Sent: Friday, September 13, 2002 8:54 AM
To: snort-users () lists sourceforge net
Cc: focus-ids () securityfocus com
Subject: Re: [Snort-users] Mac Address


On Fri, 13 Sep 2002, jai wrote:

Hi,

Is it possible to get the MAC address for remote machine( which is
in different network). ??


        In some circumstances:

        - if you have administrative control over the different network
        to which the remote machine is connected;

        - if the the remote machine is running a protocol that would
        include the MAC address in the packet data (I'm aware of
        protocols - IPSec, NBNS - that include the remote IP in some
        way, but none that include the MAC).

        Both circumstances are unlikely.

                -g


                                Glenn Forbes Fleming Larratt
                                Rice University Network Management
                                glratt () rice edu


-------------------------------------------------------
Sponsored by: AMD - Your access to the experts on Hammer Technology!
Open Source & Linux Developers, register now for the AMD Developer
Symposium. Code: EX8664 http://www.developwithamd.com/developerlab
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Mac Address jai (Sep 13)
- Re: Mac Address Glenn Forbes Fleming Larratt (Sep 13)
- Re: Mac Address Bennett Todd (Sep 13)
- <Possible follow-ups>
- RE: Mac Address Graham, Robert (ISS Atlanta) (Sep 16)