Help converting iptables 'MAC' to Ethernet address
Bob Gustafson
bobgus@mcs.com
Wed, 5 Jul 2000 20:23:49 -0500
On Thu, 6 Jul 2000 05:09:30 +1000, Bill Binko wrote:
>Hello all,
> I have recently been the target of a smurf attack and was using iptables
>to try to track down the offender. I wrote rules that logged the traffic,
>and limited their effect. This worked great and I don't even notice the
>attacks now. However, I would like to track down the user. The log output
>looks like this:
>
>Jul 5 15:09:44 gate kernel: [SMURF ATTACK] IN=eth1 OUT=
>MAC=ff:ff:ff:ff:ff:ff:00:30:19:9a:a4:00:08:00 SRC=38.27.184.177
>DST=255.255.255.255 LEN=47 TOS=0x00 PREC=0x00 TTL=116 ID=4969 PROTO=ICMP
>TYPE=8 CODE=0 ID=0 SEQ=0
>
>I would like to sniff the network and watch for "real" traffic with the same
>hardware address. However, I cannot seem to figure out how the 14 byte
>'MAC' address can be mapped to a 6 byte Ethernet address. Can anyone help
>with this? Am I missing something simple?
>
>I thought it would be something like 'the high/low 6 bytes' were the
>Ethernet address, but I did a test and my ethernet address
>(00:60:97:CF:CA:C7) maps to (MAC=45:00:00:54:00:00:40:00:01:01:a2:4d:d8:88)
>in the iptables logging. I don't see a pattern.
>
>Thanks!
>Bill
Good sniffing. Ethernet hardware addresses are 6 bytes.
The code that prints out what you are seeing is in:
/usr/src/linux/net/ipv4/netfilter/ipt_LOG.c
and is:
    if (in && !out) {
        /* MAC logging for input chain only. */
        printk("MAC=");
        if ((*pskb)->dev && (*pskb)->dev->hard_header_len) {
            int i;
            /* mac.raw points at the start of the link-layer header */
            unsigned char *p = (*pskb)->mac.raw;
            /* print hard_header_len bytes (14 on Ethernet), colon-separated,
               with a trailing space instead of a colon after the last one */
            for (i = 0; i < (*pskb)->dev->hard_header_len; i++, p++)
                printk("%02x%c", *p,
                       i == (*pskb)->dev->hard_header_len - 1
                       ? ' ' : ':');
        }
    }
It is my guess that there is bogus data (14) in dev->hard_header_len and in
mac.raw, but...
Bob Gustafson
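As an added example (not code from this thread, from ipt_LOG.c or from the netfilter project), a small Python parser for the MAC= field of an iptables LOG line. It treats the 14 bytes as the Ethernet II header that ipt_LOG prints when hard_header_len is 14 (6 bytes destination address, 6 bytes source address, 2 bytes EtherType), and flags the case where the bytes instead look like the start of an IPv4 header, so that such a line is not mistaken for a hardware address. The sample log lines are constructed: the first reproduces the line quoted above, the second reuses only the MAC= value from the quoted test and makes up every other field.

```python
import re

# Constructed sample log lines (not real captures). The first reproduces the
# line quoted in the thread; the second reuses only the MAC= value from the
# quoted test, with every other field made up.
SAMPLE_LOGS = [
    "Jul 5 15:09:44 gate kernel: [SMURF ATTACK] IN=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:30:19:9a:a4:00:08:00 SRC=38.27.184.177 "
    "DST=255.255.255.255 LEN=47 TOS=0x00 PREC=0x00 TTL=116 ID=4969 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=0 SEQ=0",
    "Jul 5 16:02:10 gate kernel: [TEST] IN=eth0 OUT= "
    "MAC=45:00:00:54:00:00:40:00:01:01:a2:4d:d8:88 SRC=10.0.0.2 "
    "DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=0 SEQ=0",
]

# A 14-byte MAC= field: thirteen "xx:" groups followed by a final pair.
MAC_RE = re.compile(r"\bMAC=((?:[0-9a-fA-F]{2}:){13}[0-9a-fA-F]{2})\b")
LEN_RE = re.compile(r"\bLEN=(\d+)\b")

# EtherType values a 14-byte Ethernet II header is expected to end with.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def fmt_mac(b):
    """Render 6 bytes as the usual colon-separated Ethernet address."""
    return ":".join("%02x" % x for x in b)


def looks_like_ipv4_header(raw, ip_len):
    """Heuristic: do these bytes start with an IPv4 header rather than an
    Ethernet header? Checks the version nibble, the IHL, and (when the log
    line carried LEN=) that the IPv4 total-length field matches it."""
    version, ihl = raw[0] >> 4, raw[0] & 0x0F
    total_len = int.from_bytes(raw[2:4], "big")
    return version == 4 and ihl >= 5 and (ip_len is None or total_len == ip_len)


def parse_mac_field(line):
    """Split the 14-byte MAC= field of an iptables LOG line into destination
    MAC, source MAC and EtherType. Returns None when the line has no
    14-byte MAC= field."""
    m = MAC_RE.search(line)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1).replace(":", ""))
    lm = LEN_RE.search(line)
    ip_len = int(lm.group(1)) if lm else None
    ethertype = int.from_bytes(raw[12:14], "big")
    return {
        "dst": fmt_mac(raw[0:6]),
        "src": fmt_mac(raw[6:12]),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype),
        # Only trust the dst/src split when the trailer is a known EtherType.
        "looks_like_ethernet": ethertype in ETHERTYPES,
        "looks_like_ipv4_header": looks_like_ipv4_header(raw, ip_len),
    }


def source_macs(lines):
    """Collect the source MACs worth watching for on the wire: one entry per
    distinct source address, counting only lines whose MAC= field parsed as
    a genuine Ethernet header."""
    counts = {}
    for line in lines:
        r = parse_mac_field(line)
        if r and r["looks_like_ethernet"]:
            counts[r["src"]] = counts.get(r["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_mac_field(line))
    print(source_macs(SAMPLE_LOGS))
```

For the quoted smurf line this yields destination ff:ff:ff:ff:ff:ff (broadcast), source 00:30:19:9a:a4:00 and EtherType 0x0800 (IPv4), which is the address to look for in a packet capture. For the quoted test value (45:00:00:54:...) the EtherType check fails and the IPv4 heuristic succeeds (version 4, IHL 5, total length 0x0054 = 84), so the parser reports that those 14 bytes are the start of an IP header rather than an Ethernet header and excludes them from the list of source addresses.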