Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations biv343 on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Obtaining MAC Address

Status
Not open for further replies.
williamu

williamu

Programmer
Apr 8, 2002
494
GB
Hi,

Being a responsible guy I check my logs frequently. In the case of my apache access log I have various entries from errant IIS servers trying to spread the NIMDA worm.

Since I know where these are originating from I intend to notify the ISP. However, this ISP would like the MAC Address of the offending machines. Is there an easy way I can get this? I know it can be done but I'm not to sure how.

I'd like to run this in a script.

Thanks.


William
Software Engineer
ICQ No. 56047340
 
Sort by date Sort by votes
Have you tried arp -a ?

Hope This Help
PH.
 
Upvote 0 Downvote
Hi,

I have but I get no results back, since all that's in the table are the MACs of the two NICs in the machine.



William
Software Engineer
ICQ No. 56047340
 
Upvote 0 Downvote
If you know the IP address then ping them before the arp

Hope This Help
PH.
 
Upvote 0 Downvote
William..
Unles those machines are on the same network you are on you will only get the last hop mac from an arp query aginst the address. It sounds like the isp is pulling your chain a
little or are confused.
An ip address is all they need.
 
Upvote 0 Downvote
Hi Marsd,

Well I have to admit I was begining to think I was barking up the wrong tree here.

But if the ARP query won't work then I'll just have to try something else. I know they don't NEED the MAC address it just makes their life eaier if the have it.

It must be do able since BlackICE can log a MAC Address so I guess Unix must be able to as well. But getting it's the trick.



William
Software Engineer
ICQ No. 56047340
 
Upvote 0 Downvote
William..
Are you familiar with the difference between a routed
protocol and a non-routable protocol?
Arp is non-routable, it only has identification validity
to network attached hosts.
When you query a non-contiguous address with arp you
receive the mac address of the last hop router(if anything) NOT the origin host.

BlackIce is not magic and cannot discern the mac address of a remote host. It probably displays the last hop routers mac.
 
Upvote 0 Downvote
You will not be able to determine the MAC address of the remote host if there is any form of networking device (router, switch, bridge, gateway_ between it and yourself.

Addressing on the wire is done at the MAC level and the source and destination MAC addresses for a given packet on any given LAN segment will be the MAC addresses for the two interfaces concerned on that segment of the LAN, hence the MAC addresses for packets on the segment your host sits on will be the addresses for your system and the interface on the network device that got the packet into your segment.

The only time the MAC addresses reflect the two end-point hosts will be when both are on the same segment of a LAN.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rigstars2
  • Locked
  • Question
comparing 2 arrays for invalid mac addresses only 3
Replies
4
Views
187
feherke
feherke
rigstars2
  • Locked
  • Question
netstat foreign address code help? 1
Replies
1
Views
146
Beilstwh
Beilstwh
tulsantide
  • Locked
  • Question
setenv not found error in cshrc on a solaris 11 machine
Replies
0
Views
234
tulsantide
tulsantide
ogniemi
  • Locked
  • Question
convert MAC addresses... 1
Replies
2
Views
35
p5wizard
p5wizard
rizacer
  • Locked
  • Question
SED to format MAC address
Replies
5
Views
90
rizacer
rizacer

Part and Inventory Search

Sponsor

Back
Top