Logging source mac address

Logging source mac address

[Marco Reale]

Hi

I installed Fedora core 2 and configured iptables with Guarddog and all
works correctly (I know to configure iptables manually is better but I need
to study it before manually write a configuration file).
My problem is that I need to know if is possible or not always logging
source mac address. With guarddog I tried all log levels ("debug", "alert",
"critical") but the problem is that mac address is not always registered.
Is there a way to log in all conditions (not only with drop or reject) the
source mac address???

Thanks a lot
Marco
Italy

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.771 / Virus Database: 518 - Release Date: 28/09/2004
 

Logging source mac address

[mlist]

Hi

I installed Fedora core 2 and configured iptables with Guarddog and all
works correctly (I know to configure iptables manually is better but I need
to study it before manually write a configuration file).
My problem is that I need to know if is possible or not always logging
source mac address. With guarddog I tried all log levels ("debug", "alert",
"critical") but the problem is that mac address is not always registered.
Is there a way to log in all conditions (not only with drop or reject) the
source mac address???

Thanks a lot
Marco
Italy

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.771 / Virus Database: 518 - Release Date: 28/09/2004
 

Re: Logging source mac address

[Alistair Tonner]

On October 2, 2004 05:24 pm, mlist@libero.it wrote:
> Hi
>
> I installed Fedora core 2 and configured iptables with Guarddog and all
> works correctly (I know to configure iptables manually is better but I need
> to study it before manually write a configuration file).
> My problem is that I need to know if is possible or not always logging
> source mac address. With guarddog I tried all log levels ("debug", "alert",
> "critical") but the problem is that mac address is not always registered.
> Is there a way to log in all conditions (not only with drop or reject) the
> source mac address???
>
	You do realize that you can only see the MAC address if you happen to be 
connected to the same network segment -- okay make that physical connection 
-- as the other end of the connection?  (there are instances of bridged 
networks where you won't see mac from other end even on the same segment)

	You will NOT be able to see the MAC address of the other end of a connection 
if it has been routed.   Although you might see a MAC address in say 
ethereal, it will be the MAC address of the other end of that physical hop -- 
i.e. the next router in the link.

	( I think I said that straight --- but I'm kinda sleepy)

	Alistair Tonner

> Thanks a lot
> Marco
> Italy
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.771 / Virus Database: 518 - Release Date: 28/09/2004

Re: Logging source mac address

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 404 bytes --]

On Fri, 2004-10-01 at 23:45, Marco Reale wrote:
> Hi
> Is there a way to log in all conditions (not only with drop or reject) the
> source mac address???

To log source address you need to able to know it. This is not the case
if you are not directly connected to computer that drop via ethernet.
Thus this is the case for almost all internet IPs....

BR,
-- 
Eric Leblond <eric@inl.fr>
INL

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Logging source mac address

[Aleksandar Milivojevic]

Eric Leblond wrote:
> To log source address you need to able to know it. This is not the case
> if you are not directly connected to computer that drop via ethernet.
> Thus this is the case for almost all internet IPs....

Logging the MAC address of the router can also be usefull.  For example, 
if there are two routers on the network (each connected to different 
ISP), it would show from which router packets are arriving (usefull for 
debugging).  It could also show if a station on the local network is 
trying to inject packets into an existing connection (OK, this is really 
a task for IDS tool, but anyhow).

With that in mind, I'd say that logging MAC address for all packtes has 
a value (as long as user is aware of couple of basic principles of 
networking).

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7