Help converting iptables 'MAC' to Ethernet address

Rusty Russell rusty@linuxcare.com.au
Thu, 06 Jul 2000 22:08:05 +1000


In message <E33A3CEA01E0D31191F30000D11C1637252634@trc-tpaexc02.trcinc.com> you
 write:
> Hello all,
>     I have recently been the target of a smurf attack and was using iptables
> to try to track down the offender.  I wrote rules that logged the traffic,
> and limited their effect.  This worked great and I don't even notice the
> attacks now.  However, I would like to track down the user.  The log output
> looks like this: 
>  
> Jul  5 15:09:44 gate kernel: [SMURF ATTACK] IN=eth1 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:30:19:9a:a4:00:08:00 SRC=38.27.184.177
> DST=255.255.255.255 LEN=47 TOS=0x00 PREC=0x00 TTL=116 ID=4969 PROTO=ICMP
> TYPE=8 CODE=0 ID=0 SEQ=0 

For ethernet (/usr/include/net/ethernet.h) it goes DST[6], SRC[6],
PROTO[2].  In this case the ethernet source is 00:30:19:9a:a4:00.

> I thought it would be something like 'the high/low 6 bytes' were the
> Ethernet address, but I did a test and my ethernet address
> (00:60:97:CF:CA:C7) maps to (MAC=45:00:00:54:00:00:40:00:01:01:a2:4d:d8:88)
> in the iptables logging.  I don't see a pattern.

Hmmm, how did you test this?  The one in the first report looks right
(IP packet to broadcast), but this second one looks like junk...

Hope that helps,
Rusty.
--
Hacking time.
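Editor's added example (not code from the thread or from netfilter): a small parser that applies the DST[6], SRC[6], PROTO[2] layout Rusty describes to the MAC= field of an iptables LOG line, pulls out the source hardware address to trace, and checks that the trailing two bytes are a known EtherType before trusting the first twelve as addresses. The two sample lines are constructed from the values quoted in the thread; the fields around the second MAC= value are invented filler, since the page shows only the MAC= part of it. The check on the first byte (0x45 is the version/IHL byte of a standard IPv4 header) is the editor's own heuristic for spotting a MAC= field that carries something other than an Ethernet header.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. The first line is the complete log line quoted in
# the thread; the second wraps the thread's second MAC= value in made-up
# surrounding fields so it parses like a real LOG line.
SAMPLE_LINES = [
    "Jul  5 15:09:44 gate kernel: [SMURF ATTACK] IN=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:30:19:9a:a4:00:08:00 SRC=38.27.184.177 "
    "DST=255.255.255.255 LEN=47 TOS=0x00 PREC=0x00 TTL=116 ID=4969 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=0 SEQ=0",
    "Jul  5 15:20:00 gate kernel: [TEST] IN=eth0 OUT= "
    "MAC=45:00:00:54:00:00:40:00:01:01:a2:4d:d8:88 SRC=10.0.0.1 DST=10.0.0.2",
]

# EtherTypes that a 14-byte Ethernet II header can plausibly end in.
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# MAC= followed by colon-separated hex bytes; length is checked after matching.
MAC_FIELD = re.compile(r"\bMAC=((?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2})\b")


@dataclass(frozen=True)
class EthernetHeader:
    dst: str        # bytes 0..5: destination hardware address
    src: str        # bytes 6..11: source hardware address (the one to trace)
    ethertype: int  # bytes 12..13, big-endian
    plausible: bool # False when the last two bytes are not a known EtherType


def _fmt(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mac_field(line: str) -> Optional[EthernetHeader]:
    """Split the MAC= field into DST[6], SRC[6], PROTO[2] (struct ether_header).

    Returns None when the line has no MAC= field or it is not 14 bytes long.
    """
    m = MAC_FIELD.search(line)
    if m is None:
        return None
    raw = bytes.fromhex(m.group(1).replace(":", ""))
    if len(raw) != 14:
        return None
    ethertype = int.from_bytes(raw[12:14], "big")
    return EthernetHeader(_fmt(raw[0:6]), _fmt(raw[6:12]), ethertype,
                          ethertype in KNOWN_ETHERTYPES)


def analyse(line: str) -> dict:
    """Return what the MAC= field tells us, or why it should not be trusted."""
    hdr = parse_mac_field(line)
    if hdr is None:
        return {"status": "no 14-byte MAC field"}
    if hdr.plausible:
        return {"status": "ethernet", "dst": hdr.dst, "src": hdr.src,
                "ethertype": KNOWN_ETHERTYPES[hdr.ethertype],
                "broadcast": hdr.dst == BROADCAST}
    # Editor's heuristic: 0x45..0x4f as the first byte is what an IPv4 header
    # (version 4, IHL >= 5) starts with, so the logged bytes are probably not a
    # link-layer header at all and must not be read as addresses.
    first = int(hdr.dst[:2], 16)
    hint = ("starts like an IPv4 header (version 4, IHL >= 5)"
            if 0x45 <= first <= 0x4F else "unknown framing")
    return {"status": "not ethernet", "ethertype": hex(hdr.ethertype), "hint": hint}


def ethernet_sources(lines) -> list:
    """Source hardware addresses from every line whose MAC= field looks sane."""
    return [analyse(l)["src"] for l in lines if analyse(l)["status"] == "ethernet"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyse(line))
    print("sources to trace:", ethernet_sources(SAMPLE_LINES))
```

For the smurf line this yields dst ff:ff:ff:ff:ff:ff (link-layer broadcast, matching DST=255.255.255.255), src 00:30:19:9a:a4:00 and EtherType IPv4; for the second value the trailing bytes d8:88 are no known EtherType and the leading 0x45 looks like an IP header, so the parser refuses to report addresses from it rather than hand back the meaningless 45:00:00:54:00:00.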