10-20-2004 06:02 PM - edited 03-09-2019 09:10 AM
Have a particular MAC address that I would like to detect and log info on whenever it comes onto the network. I want to log it whenever it's there - not just if it's attacking.
I don't see any general signatures I can use, although there are some ARP attack signatures. Similarly, from the custom signatures, I don't see an engine I can use.
I would greatly appreciate any ideas.
Thanks,
10-28-2004 11:51 AM
I am not sure if there is any signature to monitor MAC address. Try using IP log; it will capture the MAC also.
10-29-2004 01:00 PM
I'd script it to kick off a tcpdump logger when it sees it on the network -- depending on the load on your sensor you could do something with a tcpdump stream like:
tcpdump -qe -i eth0
Which will log src and dst mac of the last hop int.
Output that to a file, poll it for your target MAC, kill the orig tcpdump session and kick off a tcpdump session:
tcpdump -qe -w target.dump -i eth0 ether host XX:XX:XX:XX:XX:XX
(where the X's are your target MAC)
Cisco isn't going to support that method but it will work, and you will get the entirety of all of the packet contents.
-WP!
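An added example, not from this thread or its author, of the polling step described in the post above: it reads lines in the shape of `tcpdump -qe -i eth0` output and reports the ones whose source or destination MAC is the target. The sample lines and the target MAC are constructed placeholders; the live command is shown in the usage note rather than run here.

```shell
#!/bin/sh
# Added example (not from the thread). Matches a target MAC against the
# first two address fields of `tcpdump -qe` output, so an IP address or
# payload text that happens to contain the same hex digits is not a hit.

# Placeholder target MAC; replace with the address you want to watch.
TARGET_MAC="${TARGET_MAC:-00:11:22:33:44:55}"

# Constructed sample lines approximating `tcpdump -qe -i eth0` output.
SAMPLE_LINES='12:00:00.000001 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.0.0.1 tell 10.0.0.9
12:00:00.000002 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, IPv4, length 98: 10.0.0.7 > 10.0.0.9: ICMP echo request
12:00:00.000003 aa:bb:cc:dd:ee:02 > 00:11:22:33:44:55, IPv4, length 74: 10.0.0.8.443 > 10.0.0.7.50000: tcp 0'

# mac_hits MAC: print every stdin line whose src ($2) or dst ($4, with the
# trailing comma stripped) MAC equals MAC. Comparison is case-insensitive
# because tcpdump prints lowercase hex while people often type uppercase.
mac_hits() {
    awk -v mac="$1" '
        { src = tolower($2); dst = tolower($4); sub(/,$/, "", dst) }
        src == tolower(mac) || dst == tolower(mac) { print }
    '
}

# count_hits MAC: number of matching lines on stdin.
count_hits() {
    mac_hits "$1" | wc -l | tr -d ' '
}

# first_seen MAC: timestamp of the first matching line on stdin (empty if none).
first_seen() {
    mac_hits "$1" | head -n 1 | awk '{ print $1 }'
}

# Stand-alone demo against the constructed lines.
printf '%s\n' "$SAMPLE_LINES" | mac_hits "$TARGET_MAC"
printf 'hits=%s first=%s\n' \
    "$(printf '%s\n' "$SAMPLE_LINES" | count_hits "$TARGET_MAC")" \
    "$(printf '%s\n' "$SAMPLE_LINES" | first_seen "$TARGET_MAC")"
```

Against a live interface the same filter runs as `tcpdump -qe -l -i eth0 | mac_hits "$TARGET_MAC" | head -n 1` (the `-l` keeps tcpdump line-buffered when piped, otherwise the poll can lag by a buffer's worth of packets); when that returns, start the full capture with `tcpdump -qe -w target.dump -i eth0 ether host "$TARGET_MAC"` as the post suggests. Note that the `ether host` filter already matches both source and destination, so if you only need the capture and not the unfiltered log, that second command alone does the job with less load on the sensor.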