[Snort-users] Mac Address
Graham, Robert (ISS Atlanta)
rgraham at ...4133...
Mon Sep 16 19:13:14 EDT 2002
NBNS (NetBIOS Name Service) has a field for the remote MAC address.
However, while Windows fills in this field, SAMBA (Linux NetBIOS) leaves
it empty. Using Windows, you can remotely query this by doing a "NetBIOS
NodeStatus Query" using the "nbtstat.exe" command-line program. Example:
nbtstat -A 192.0.2.111
Also, if a remote target has SNMP enabled, you can often retrieve the
remote MAC address with suitable queries. More importantly, you can also
get the remote MAC address by querying a nearby machine's ARP cache.
From: Glenn Forbes Fleming Larratt [mailto:glratt at ...604...]
Sent: Friday, September 13, 2002 8:54 AM
To: snort-users at lists.sourceforge.net
Cc: focus-ids at ...35...
Subject: Re: [Snort-users] Mac Address
On Fri, 13 Sep 2002, jai wrote:
> Is it possible to get the MAC address for a remote machine (which is
> in a different network)?
In some circumstances:
- if you have administrative control over the different network
to which the remote machine is connected;
- if the remote machine is running a protocol that would
include the MAC address in the packet data (I'm aware of
protocols - IPSec, NBNS - that include the remote IP in some
way, but none that include the MAC).
Both circumstances are unlikely.
Glenn Forbes Fleming Larratt
Rice University Network Management
glratt at ...604...
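
The NBNS field mentioned in the reply at the top of this message is the 6-byte unit ID that opens the statistics block of a Node Status (NBSTAT) response, as laid out in RFC 1002. The parser below is an added example, not code from the thread; `parse_node_status` and `sample_response` are hypothetical names, and the sample packet, host names and MAC value are constructed.

```python
import struct

NBSTAT = 0x0021  # RR type of a Node Status response (RFC 1002)

def skip_name(pkt, off):
    """Return the offset just past the encoded NetBIOS name starting at off."""
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:        # compression pointer: 2 bytes
            return off + 2
        off += 1 + length
        if length == 0:                    # root label ends the name
            return off

def parse_node_status(pkt):
    """Return (names, mac); mac is None when the unit ID is all zeros."""
    _, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or qd or an < 1:
        raise ValueError("not a Node Status response")
    off = skip_name(pkt, 12)
    rtype, _, _, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("resource record is not NBSTAT")
    num = pkt[off]
    need = 1 + 18 * num + 6                # count + name table + unit ID
    if rdlen < need or len(pkt) < off + need:
        raise ValueError("truncated RDATA")
    off += 1
    names = []
    for _ in range(num):                   # 15-byte name, suffix, 2-byte flags
        raw, nflags = struct.unpack_from(">16sH", pkt, off)
        name = raw[:15].decode("ascii", "replace").rstrip()
        names.append((name, raw[15], bool(nflags & 0x8000)))  # True = group
        off += 18
    unit_id = pkt[off:off + 6]             # the MAC field; empty means zeros
    mac = ":".join(f"{b:02x}" for b in unit_id) if any(unit_id) else None
    return names, mac

def sample_response(unit_id):
    """Constructed sample packet (not captured traffic)."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + b"CK" + b"A" * 30 + b"\x00"   # encoded "*" name
    names = b"WORKSTATION1".ljust(15) + b"\x00" + struct.pack(">H", 0x0400)
    names += b"WORKGROUP".ljust(15) + b"\x00" + struct.pack(">H", 0x8400)
    rdata = bytes([2]) + names + unit_id + b"\x00" * 40  # rest of statistics
    rr = struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return hdr + rr_name + rr + rdata
```

A `None` result corresponds to the empty field described above for SAMBA, so an inventory script should fall back to the ARP-cache or SNMP lookup for those hosts.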