[Snort-users] Nice result with Snort.

Jan Hugo Prins jhp at ...1226...
Mon Jan 29 16:05:54 EST 2001

On Monday 29 January 2001 21:27, you wrote:
> On Mon, 29 Jan 2001, Jan Hugo Prins wrote:
> > The guy that did this had masked his IP address and the destination address.
> > But what he didn't mask (and is probably much more difficult to mask)
> > was his hardware address
> hardware address isn't transmitted over the internet.
> you've identified mac address of your border router, nothing more.
> 01/27-06:08:52.384497 0:50:B:66:C0:0 -> 0:A0:C9:D9:0:87 type:0x800 len:0x3C
> -> TCP TTL:23 TOS:0x0 ID:39426 IpLen:20
> 00:50:0B -> Cisco Systems, Inc
> 00:A0:C9 -> Intel Corporation
> It's a packet with source hardware address of the @home cisco border router,
> directed at your intel ethernet card.

The @home border router for my segment is and has HW 
00:50:0B:66:C0:00. At least at my site. 

The HW I got from the packet is the HW of a system within my own segment and 
they can be obtained from packets where the IP address is not masked. At least, 
that is what I know about it.

The IP address is just another user within my segment of @home. 
I have an address in the same segment.

> -Dan

Jan Hugo Prins
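
The log line quoted above shows MAC octets without zero padding (`0:50:B:66:C0:0`), so they have to be normalized before they can be compared with a padded address or a vendor prefix. The following is an added example, not part of the original message or of Snort: the function names are hypothetical, the vendor table holds only the two prefixes quoted in the thread, and the gateway address in the sample call is the one given in the message above.

```python
import re

# Vendor prefixes (OUIs) exactly as quoted in the thread; not a full registry.
OUI_VENDORS = {"00:50:0B": "Cisco Systems, Inc", "00:A0:C9": "Intel Corporation"}

# Header line copied from the quoted log in this thread.
SAMPLE_LINE = "01/27-06:08:52.384497 0:50:B:66:C0:0 -> 0:A0:C9:D9:0:87 type:0x800 len:0x3C"

# Layout: <timestamp> <src mac> -> <dst mac> type:0x.. len:0x..
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[0-9A-Fa-f:]+)\s+->\s+(?P<dst>[0-9A-Fa-f:]+)\s+"
    r"type:(?P<type>0x[0-9A-Fa-f]+)\s+len:(?P<len>0x[0-9A-Fa-f]+)"
)

def normalize_mac(mac):
    """Pad each octet to two hex digits: '0:50:B:66:C0:0' -> '00:50:0B:66:C0:00'."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(1 <= len(o) <= 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02X}" for o in octets)

def describe_frame(line, gateway_macs=()):
    """Parse one header line; report vendor and gateway match for both ends."""
    m = HEADER_RE.match(line.lstrip("> ").strip())  # tolerate e-mail quoting
    if m is None:
        raise ValueError("not a link-layer header line")
    gateways = {normalize_mac(g) for g in gateway_macs}
    result = {"ethertype": int(m["type"], 16), "length": int(m["len"], 16)}
    for side in ("src", "dst"):
        mac = normalize_mac(m[side])
        result[side] = {
            "mac": mac,
            "vendor": OUI_VENDORS.get(mac[:8], "unknown"),
            # True when this end of the frame is a known gateway on the segment
            "is_gateway": mac in gateways,
        }
    return result

if __name__ == "__main__":
    # Gateway MAC as stated in the message above.
    frame = describe_frame(SAMPLE_LINE, gateway_macs=["00:50:0B:66:C0:00"])
    for side in ("src", "dst"):
        print(side, frame[side])
```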
