[Snort-users] Mac Address

Graham, Robert (ISS Atlanta) rgraham at ...4133...
Mon Sep 16 19:13:14 EDT 2002

NBNS (NetBIOS Name Service) has a field for the remote MAC address.
However, while Windows fills in this field, SAMBA (Linux NetBIOS) leaves
it empty. Using Windows, you can remotely query this by doing a "NetBIOS
NodeStatus Query" using the "nbtstat.exe" command-line program. Example:
nbtstat -A

Also, if a remote target has SNMP enabled, you can often retrieve the
remote MAC address with suitable queries. More importantly, you can also
get the remote MAC address by querying a nearby machine's ARP cache.

-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:glratt at ...604...]
Sent: Friday, September 13, 2002 8:54 AM
To: snort-users at lists.sourceforge.net
Cc: focus-ids at ...35...
Subject: Re: [Snort-users] Mac Address

On Fri, 13 Sep 2002, jai wrote:

> Hi,
> Is it possible to get the MAC address for a remote machine (which is
> in a different network)?

	In some circumstances:

	- if you have administrative control over the different network
	to which the remote machine is connected;

	- if the remote machine is running a protocol that would
	include the MAC address in the packet data (I'm aware of
	protocols - IPSec, NBNS - that include the remote IP in some
	way, but none that include the MAC).

	Both circumstances are unlikely.

> J

				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt at ...604...
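
The NodeStatus reply described in the first message carries the adapter address as the 6-byte UNIT_ID that follows the name table (RFC 1002). The parser below is an added example, not code from either poster; the sample packet, host names and MAC value are constructed, and treating an all-zero UNIT_ID as the empty field is an assumption.

```python
import struct

NBSTAT = 0x0021  # RFC 1002 resource record type for NODE STATUS

def parse_node_status(pkt: bytes) -> dict:
    """Return the name table and unit ID (MAC) from a NODE STATUS RESPONSE."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _tid, flags, _qd, ancount, _ns, _ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a response carrying an answer record")
    off = 12
    while True:  # skip RR_NAME: length-prefixed labels ending in a zero byte
        if off >= len(pkt):
            raise ValueError("truncated name")
        label_len = pkt[off]
        if label_len & 0xC0:
            raise ValueError("compressed names not handled in this example")
        off += 1 + label_len
        if label_len == 0:
            break
    if off + 11 > len(pkt):
        raise ValueError("truncated record header")
    rtype, _cls, _ttl, rdlen, num = struct.unpack(">HHIHB", pkt[off:off + 11])
    off += 11
    if rtype != NBSTAT:
        raise ValueError("not an NBSTAT record")
    end = off + 18 * num + 6  # name entries, then the 6-byte UNIT_ID
    if 1 + 18 * num + 6 > rdlen or end > len(pkt):
        raise ValueError("truncated name table or statistics")
    names = []
    for i in range(off, off + 18 * num, 18):  # 15-byte name, suffix, 2-byte flags
        entry = pkt[i:i + 18]
        names.append((entry[:15].decode("ascii", "replace").rstrip(),
                      entry[15], bool(entry[16] & 0x80)))  # True = group name
    unit_id = pkt[end - 6:end]
    # Assumption: an all-zero UNIT_ID is the "empty" field the post describes.
    mac = None if unit_id == bytes(6) else ":".join(f"{b:02x}" for b in unit_id)
    return {"names": names, "mac": mac}

def build_sample(unit_id: bytes) -> bytes:
    """Constructed response for offline testing; host and group names are made up."""
    rr_name = b"\x20CK" + b"A" * 30 + b"\x00"  # first-level encoding of "*"
    table = b"".join(n.ljust(15).encode() + bytes([sfx]) + struct.pack(">H", fl)
                     for n, sfx, fl in [("HOST1", 0x00, 0x0400),
                                        ("WORKGROUP", 0x00, 0x8400)])
    rdata = bytes([2]) + table + unit_id + bytes(40)  # rest of STATISTICS zeroed
    return (struct.pack(">6H", 0x1234, 0x8400, 0, 1, 0, 0) + rr_name
            + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata)
```

A None result for "mac" only says the responder did not fill the field; it does not identify the responder's operating system.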
