Help converting iptables 'MAC' to Ethernet address
Bill Binko
Bill.Binko@trcinc.com
Wed, 5 Jul 2000 15:07:50 -0400
Hello all,
I have recently been the target of a smurf attack and was using iptables
to try to track down the offender. I wrote rules that logged the traffic,
and limited their effect. This worked great and I don't even notice the
attacks now. However, I would like to track down the user. The log output
looks like this:
Jul 5 15:09:44 gate kernel: [SMURF ATTACK] IN=eth1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:30:19:9a:a4:00:08:00 SRC=38.27.184.177
DST=255.255.255.255 LEN=47 TOS=0x00 PREC=0x00 TTL=116 ID=4969 PROTO=ICMP
TYPE=8 CODE=0 ID=0 SEQ=0
I would like to sniff the network and watch for "real" traffic with the same
hardware address. However, I cannot seem to figure out how the 14 byte
'MAC' address can be mapped to a 6 byte Ethernet address. Can anyone help
with this? Am I missing something simple?
I thought it would be something like 'the high/low 6 bytes' were the
Ethernet address, but I did a test and my Ethernet address
(00:60:97:CF:CA:C7) maps to (MAC=45:00:00:54:00:00:40:00:01:01:a2:4d:d8:88)
in the iptables logging. I don't see a pattern.
Thanks!
Bill
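
Added example, not part of the original post: on an Ethernet interface the MAC= field written by the LOG target is the frame's 14-byte Ethernet header, which is the destination address (6 bytes), the source address (6 bytes) and the EtherType (2 bytes). The Python below splits the field that way; the function names and the small EtherType table are this example's own.

```python
import re

# A few well-known EtherType values (table chosen for this example).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "802.1Q VLAN", 0x86DD: "IPv6"}

# Matches the MAC= field of a netfilter LOG line.
MAC_FIELD = re.compile(r"\bMAC=([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)")


def split_mac_field(value):
    """Split a 14-octet MAC= value into (dst, src, ethertype, ethertype_name)."""
    octets = value.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets, got %d" % len(octets))
    dst = ":".join(octets[0:6])      # destination hardware address
    src = ":".join(octets[6:12])     # source hardware address
    ethertype = int(octets[12] + octets[13], 16)
    # The name is None when the value is not in the table, which is a hint
    # that the 14 octets may not be an Ethernet header at all.
    return dst, src, ethertype, ETHERTYPES.get(ethertype)


def parse_log_line(line):
    """Return the decoded MAC= field of one log line, or None if absent."""
    m = MAC_FIELD.search(line)
    if m is None:
        return None
    dst, src, ethertype, name = split_mac_field(m.group(1))
    return {"dst": dst, "src": src, "ethertype": ethertype,
            "ethertype_name": name, "broadcast": dst == "ff:ff:ff:ff:ff:ff"}


# The log entry from the post, joined onto one line.
SAMPLE = ("Jul 5 15:09:44 gate kernel: [SMURF ATTACK] IN=eth1 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:30:19:9a:a4:00:08:00 SRC=38.27.184.177 "
          "DST=255.255.255.255 LEN=47 TOS=0x00 PREC=0x00 TTL=116 ID=4969 "
          "PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0")

if __name__ == "__main__":
    print(parse_log_line(SAMPLE))
    # The second value quoted in the post: the split yields no known EtherType.
    print(split_mac_field("45:00:00:54:00:00:40:00:01:01:a2:4d:d8:88"))
```

The source address in that header belongs to the station that put the frame on the local segment, which for routed traffic is the upstream router rather than the originating host.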