[Snort-users] Nice result with Snort.

Jan Hugo Prins jhp at ...1226...
Mon Jan 29 16:05:54 EST 2001


On Monday 29 January 2001 21:27, you wrote:
> On Mon, 29 Jan 2001, Jan Hugo Prins wrote:
> > The guy that did this had masked his IP address and the destination address.
> > But what he didn't mask (and is probably much more difficult to mask)
> > was his hardware address
>
> hardware address isn't transmitted over the internet.
>
> you've identified mac address of your border router, nothing more.
>
> 01/27-06:08:52.384497 0:50:B:66:C0:0 -> 0:A0:C9:D9:0:87 type:0x800 len:0x3C
> 203.65.206.10:109 -> 213.51.157.97:109 TCP TTL:23 TOS:0x0 ID:39426 IpLen:20
>
> 00:50:0B -> Cisco Systems, Inc
> 00:A0:C9 -> Intel Corporation
>
> It's a packet with source hardware address of the @home cisco border router,
> directed at your intel ethernet card.
>

The @home border router for my segment is 213.51.156.1 and has HW 
00:50:0B:66:C0:00. At least at my site. 

The HW I got from the packet is the HW of a system within my own segment and 
they can be obtained from packets where the IP address is not masked. At least, 
that is what I know about it.

The IP address 213.51.157.97 is just another user within my segment of @home. 
I have an address in the same segment.


> -Dan

Greetings,
Jan Hugo Prins
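
Added example, not part of the original message or of Snort: a small Python parser for the two Snort lines quoted above that pads the zero-stripped MAC notation (0:50:B:66:C0:0) to full octets and compares the source hardware address with the gateway MAC given in the reply. The helper names (normalize_mac, analyze) and the second sample are constructed for illustration; when the source MAC equals the gateway's, the frame was forwarded by the router and the MAC does not identify the original sender.

```python
import re

MAC = r"[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}"
# Link-layer header line and IP header line as they appear in the quoted log.
ETH_LINE = re.compile(rf"\b(?P<src>{MAC}) -> (?P<dst>{MAC}) type:0x")
IP_LINE = re.compile(
    r"^(?P<sip>\d+(?:\.\d+){3}):\d+ -> (?P<dip>\d+(?:\.\d+){3}):\d+", re.MULTILINE
)
# Only the two OUI prefixes quoted in the thread.
OUI = {"00:50:0B": "Cisco Systems, Inc", "00:A0:C9": "Intel Corporation"}

def normalize_mac(mac):
    """Pad each octet to two upper-case hex digits (0:50:B -> 00:50:0B)."""
    return ":".join(f"{int(octet, 16):02X}" for octet in mac.split(":"))

def analyze(alert_text, gateway_mac):
    """Extract MACs/IPs from a logged packet and flag frames sent by the gateway."""
    eth, ip = ETH_LINE.search(alert_text), IP_LINE.search(alert_text)
    if not eth or not ip:
        raise ValueError("no Ethernet/IP header lines found")
    src, dst = normalize_mac(eth["src"]), normalize_mac(eth["dst"])
    return {
        "src_mac": src, "dst_mac": dst,
        "src_vendor": OUI.get(src[:8], "unknown"),
        "dst_vendor": OUI.get(dst[:8], "unknown"),
        "src_ip": ip["sip"], "dst_ip": ip["dip"],
        # True: the last hop was the router, so the MAC is the router's own.
        "via_gateway": src == normalize_mac(gateway_mac),
    }

# The packet quoted in the thread, and the gateway MAC stated in the reply.
SAMPLE = (
    "01/27-06:08:52.384497 0:50:B:66:C0:0 -> 0:A0:C9:D9:0:87 type:0x800 len:0x3C\n"
    "203.65.206.10:109 -> 213.51.157.97:109 TCP TTL:23 TOS:0x0 ID:39426 IpLen:20\n"
)
GATEWAY_MAC = "00:50:0B:66:C0:00"
# Constructed sample: a frame sent directly by another host on the same segment.
LOCAL_SAMPLE = (
    "01/27-06:10:00.000000 0:A0:C9:12:34:56 -> 0:A0:C9:D9:0:87 type:0x800 len:0x3C\n"
    "213.51.157.50:109 -> 213.51.157.97:109 TCP TTL:64 TOS:0x0 ID:1 IpLen:20\n"
)

if __name__ == "__main__":
    for text in (SAMPLE, LOCAL_SAMPLE):
        print(analyze(text, GATEWAY_MAC))
```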



