How can I scan my network's MAC addresses?
Forum Regular
Join Date: Mar 2004
The webhost I use for my personal email (different company from my work site/email) has automatically put me on their blocklist because something from my network is hitting their server about 80-100x per minute. They can only pull the IP (which is the dedicated IP I have through AT&T) and the MAC address out of their log file.
So I have the MAC address that keeps hitting the webhost, but none of my machines' NICs match that MAC address - so where else can I look? Or is there a utility I can use to scan all the MAC addresses on my network?
Here's a quick breakdown of my setup:
AT&T dedicated IP -> AT&T provided 2Wire DSL modem -> Apple Time Capsule -> gigabit switch
On the switch I have the following devices:
1. G5 tower #1 (my desktop work machine)
2. G5 tower #2 (server in the closet, just a file server for local files, connected to a couple multidrive SATA boxes)
3. Dish Network HD DVR
Over wireless (via the Time Capsule) I have:
1. Macbook
2. Macbook Pro
3. iPhone
Now none of the wireless clients are constantly on, yet apparently the "hits" on the host's servers are.... so I'm thinking that rules out the laptops and iPhone (because it leaves the house with me a lot for work).
Anybody have any ideas or suggestions? I appreciate your help... Thanks everyone!
A couple MacPro's, a MacBook Pro, a PC, and an iPod.
Mac Elite
Join Date: Sep 2005
Simply put, the MAC address is not something that will leave your internal network. Only your ISP-assigned IP address will be visible to the receiving end. I don't know what MAC address they're putting in their log files, but it's not anything of yours.
Does the IP they have match what you get when you go to something like whatismyip.com? If it does, then you probably have some kind of spam script running on one of your G5 towers, or someone is using your WiFi network. Disable the WiFi for a day or so and ask the admins on the other side if the spamming stopped. If it hasn't, then your towers are probably the culprits -- or the admins at your webhost are simply clueless and your network isn't actually at fault.
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
IP could be spoofed.
Could be another client on your wireless network you don't know about.
The MAC they see could be the WAN side of your router.
It could be your mail client malfunctioning.
Run arp -a in terminal to see if your computer has had contact with that MAC.
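Added example, not part of the original thread: the arp -a check suggested in the post above, as a shell function. macOS prints each octet of a MAC address without its leading zero (0:1b:63:a:b:c), so a plain text search for an address copied from a log file can miss an entry that is in the ARP cache. The function names and the sample ARP lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of macOS `arp -a` output (addresses are made up).
SAMPLE_ARP='? (192.168.1.1) at 2:1b:63:a:b:c on en0 ifscope [ethernet]
? (192.168.1.20) at 2:16:cb:ab:cd:ef on en0 ifscope [ethernet]
? (192.168.1.42) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]'

# normalize_mac (hypothetical helper): print a MAC as lower-case,
# colon-separated, two hex digits per octet; exit non-zero if not a MAC.
normalize_mac() {
  printf '%s\n' "$1" | tr 'ABCDEF-' 'abcdef:' | awk -F: '
    NF != 6 { exit 1 }
    {
      out = ""
      for (i = 1; i <= 6; i++) {
        if ($i !~ /^[0-9a-f][0-9a-f]?$/) exit 1
        oct = (length($i) == 1) ? "0" $i : $i
        out = (i == 1) ? oct : out ":" oct
      }
      print out
    }'
}

# find_mac (hypothetical helper): read `arp -a` text on stdin and print the
# IP of every entry whose MAC equals $1. Returns 0 on a match, 1 on no
# match, 2 if $1 is not a valid MAC.
find_mac() {
  want=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 2; }
  found=1
  while read -r host ip at mac rest; do
    # Entries such as "(incomplete)" fail normalization and are skipped.
    got=$(normalize_mac "$mac" 2>/dev/null) || continue
    if [ "$got" = "$want" ]; then
      echo "$ip" | tr -d '()'
      found=0
    fi
  done
  return $found
}

# On a real machine:  arp -a | find_mac 02-1B-63-0A-0B-0C
# Against the sample: printf '%s\n' "$SAMPLE_ARP" | find_mac 02:1B:63:0A:0B:0C
```

A match only shows that the address belongs to a device on the same subnet as the machine running arp, and the cache only holds hosts that machine has recently exchanged traffic with.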
Mac Elite
Join Date: Sep 2005
Originally Posted by mduell: "IP could be spoofed."
Nope. Packets would make it back to the spoofed IP, which wasn't expecting them, and thus would discard them. The real attacker would never be able to finish the SMTP conversation.
Originally Posted by mduell: "The MAC they see could be the WAN side of your router."
Also wrong. Network devices only see/know the MAC addresses of devices on the same subnet. The 'from' MAC address field in every Ethernet frame making hops around the Internet gets replaced with that of the device of the last hop.
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Originally Posted by Tomchu: "Nope. Packets would make it back to the spoofed IP, which wasn't expecting them, and thus would discard them. The real attacker would never be able to finish the SMTP conversation."
The "attack" the OP described sounded like a SYN flood, not a complete SMTP conversation.
Mac Enthusiast
Join Date: Feb 2006
"I don't know what MAC address they're putting in their log files, but it's not anything of yours."
The only MAC address they'll see is from whatever the last hop router/switch their server is connected to. In other words, pretty much useless for any form of diagnosis. Most likely, something somewhere is sending out traffic with your IP address being faked / "spoofed". Nothing you can do about this. More worrisome is that your host thinks the MAC address is in some form or fashion important in this situation. I'd highly suggest finding another host who are a little more competent.
Mac Enthusiast
Join Date: Feb 2006
BTW, to find out what MAC addresses are in use on your network, just run tcpdump and ping the broadcast address of your network.