mac address

Answered Question
Jun 5th, 2008

Hello,

On a router interface I receive IP packets with spoofed IP addresses. Is there a way, besides network sniffing, to see on the router the source MAC address of such a packet?

Correct Answer
Kevin Dorrell Thu, 06/05/2008 - 07:09

If you are capturing these spoofed IP addresses with an access-list, then there is a way. Add the keyword log-input at the end of the line.

Kevin Dorrell

Luxembourg

Richard Burts Fri, 06/06/2008 - 09:20

antonio

Kevin is correct that if you have an access list on the interface, you can add log-input and the message in the logs will include the source MAC address. Be aware that this would be the MAC address of the device that forwarded the packet to you and not necessarily the MAC of the device that originated the packet.

HTH

Rick

Paolo Bevilacqua Fri, 06/06/2008 - 09:25

How do you make an ACL that logs MAC? What I get from mine is like:

Jun 6 19:23:44: %SEC-6-IPACCESSLOGP: list internet permitted tcp X.X.222.50(24622) -> X.X.43.26(23), 1 packet

Richard Burts Fri, 06/06/2008 - 09:30

Paolo

I am not clear whether your access list is configured with log (I think this is probably what you have) or with log-input. Here is an example of one of our access lists using log-input:

Jun 3 18:37:30 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp 192.168.128.158(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 3 packets

HTH

Rick
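
An added example, not part of any post in this thread: a Python parser for the two %SEC-6-IPACCESSLOGP formats quoted above (with and without log-input). It totals packets per input interface and MAC, and lists ACLs whose entries log without a MAC. The function names are illustrative, and the sample input is the thread's own two log lines.

```python
import re
from collections import Counter

# Constructed sample input: the two syslog lines quoted in this thread.
SAMPLE_LOG = """\
Jun 6 19:23:44: %SEC-6-IPACCESSLOGP: list internet permitted tcp X.X.222.50(24622) -> X.X.43.26(23), 1 packet
Jun 3 18:37:30 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp 192.168.128.158(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 3 packets
"""

# Handles IPACCESSLOGP only, the message type shown in the thread.
# The "(interface MAC)" group is optional: it appears only for entries using log-input.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\S+)\((?P<sport>\d+)\) "
    r"(?:\((?P<intf>\S+) (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\) )?"
    r"-> (?P<dst>\S+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per IPACCESSLOGP line; intf and mac are None without log-input."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events

def packets_by_previous_hop(events):
    """Sum packet counts per (interface, MAC, source IP).
    The MAC is that of the device that forwarded the packet to the router."""
    totals = Counter()
    for e in events:
        if e["mac"]:
            totals[(e["intf"], e["mac"], e["src"])] += e["count"]
    return totals

def missing_mac(events):
    """ACL names whose log lines carry no MAC (the entry uses log, not log-input)."""
    return sorted({e["acl"] for e in events if e["mac"] is None})

if __name__ == "__main__":
    events = parse_acl_log(SAMPLE_LOG)
    for key, n in packets_by_previous_hop(events).items():
        print(key, n)
    print("no MAC logged for ACLs:", missing_mac(events))
```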

Paolo Bevilacqua Fri, 06/06/2008 - 09:34

Yes, I was using "log". I didn't even know of "log-input". Thanks for clarifying.

Options with partial naming overlap are a great source of confusion, but apparently Cisco doesn't care :(

Richard Burts Fri, 06/06/2008 - 09:45

Paolo

Yes, name overlap can generate quite a bit of confusion. The one that I sometimes see is:

no exec (which stops the exec process on a console or vty)

no exec-timeout (which disables the inactivity timeout on a console or vty)

Every once in a while I run into someone who has a console or a vty that appears to be dead but turns out to have no exec configured.

HTH

Rick
