06-05-2008 07:05 AM - edited 03-03-2019 10:14 PM
Hello,
On router interface I receive IP packets with spoofed IP addresses. Is there a way, besides network sniffing, to see on the router source MAC address of that packet?
Solved! Go to Solution.
06-05-2008 07:09 AM
If you are capturing these spoofed IP addresses with an access-list, then there is a way. Add the keyword log-input at the end of the line.
Kevin Dorrell
Luxembourg
06-05-2008 07:09 AM
If you are capturing these spoofed IP addresses with an access-list, then there is a way. Add the keyword log-input at the end of the line.
Kevin Dorrell
Luxembourg
06-06-2008 09:12 AM
No, source mac for each is not available to see with regular commands.
06-06-2008 09:20 AM
antonio
Kevin is correct that if you have an access list on the interface that you can add log-input and the message in the logs will include the source MAC address. Be aware that this would be the MAC address of the device that forwarded the packet to you and not necessarily the MAC of the device that originated the packet.
HTH
Rick
06-06-2008 09:25 AM
How do you make an ACL that logs MAC? What I get from mines is like:
Jun 6 19:23:44: %SEC-6-IPACCESSLOGP: list internet permitted tcp X.X.222.50(24622) -> X.X.43.26(23), 1 packet
06-06-2008 09:30 AM
Paolo
I am not clear whether your access list is configured with log (I think this is probably what you have) or with log-input. Here is an example of one of our access lists using log-input:
Jun 3 18:37:30 EDT: %SEC-6-IPACCESSLOGP: list 121 denied udp 192.168.128.158(137) (FastEthernet0/1 0090.27ae.c343) -> 192.168.128.159(137), 3 packets
HTH
Rick
06-06-2008 09:34 AM
Yes, I was using "log". I didn't even knew of "log-input". Thanks for clarifying.
Options with partial naming overlap are a great source of confusion, but apparently cisco doesn't care :(
06-06-2008 09:45 AM
Paolo
Yes name overlap can generate quite a bit of confusion. The one that I sometimes see is:
no exec (which stops the exec process on a console or vty)
no exec-timout (which disables the inactivity timeout on a console or vty)
Every once is a while I run into someone who has a console or a vty that appears to be dead but turns out to have no exec configured.
HTH
Rick
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: