Re: resolving MAC address

From:
Date: 06/17/02


Date: 16 Jun 2002 21:27:26 -0700


"D' Naab 136" <me@somewhere.com> wrote in message news:<Xns922FBC4AE431Eqklgjfkgds455132dgfh@195.238.3.180>...
> Hi,
>
>
> Does anyone know how to get the MAC address of a remote host by giving the
> IP address?
>
>
> thx.

On Linux you can look at the arp cache. This is only applicable to
local hosts. There is no arp resolution. The MAC address is only used
for local (read same device, hub, switch, router, etc) communications.

$ arp -n
Address          HWtype  HWaddress           Flags Mask    Iface
10.78.109.2      ether   00:50:BA:5D:7B:AA   C             eth0
10.78.109.3      ether   00:E0:29:43:7E:AA   C             eth0
10.78.109.1      ether   00:E0:29:87:F1:AA   C             eth0

If you do see anything remote it will have the Router's MAC and not
the MAC of the machine you are actually talking to.

[root@www init.d]# arp
Address               HWtype  HWaddress           Flags Mask    Iface
GW.SUNPERF.COM        ether   00:20:6F:10:84:AA   C             eth1
DUAL200.SUNPERF.COM   ether   00:50:BA:5D:8A:AA   C             eth0

GW is the border router.

If you are trying to determine where a packet is really coming from,
the MAC is not the way. Spoofed packets can only be detected on the
LAN they originate from. This can only be handled at the ISP level, in
that they know the valid address range at each of their routers and
set access lists to only allow packets destined to and from only those
valid ranges. Of course this has to happen as someone else's ISP, as
well as yours.

You could possibly look for source route options in the TCP header. I
am not sure whether any of the popular IDS's decode the options. Most
of them will provide a full packet dump though and you can decode them
yourself. RFC791 should have the specification. You can set options in
the Linux kernel to drop source routed packets; see the /proc file
system documentation that comes with the kernel you are running. For
Solaris you can set networking options with ndd. An ndd get \? (if my
memory serves me, or you could just read the man page) will list all
the available parameters.

Norm.

---------------------------------------------------------
For God makes the sun rise on bad and good alike; God's
rain falls on the just and the unjust. (Matthew 5:44-45)
http://www.sunperf.com - Performance Monitoring Tools
http://www.justhacked.org - UNIX Security


