Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Signature to monitor for a MAC address

I have several IP addresses performing suspicous behaviour. I turned on IP logging for the specific signatures they were triggering. After analysis of the packets, it appears the same machine is causing the traffic... for all the Source IP's, the MAC addresses are the same... none are on the network at the same time. Suggestions on signature format to monitor for a MAC address?

I was thinking 2 - string.tcp string.udp

Define the mac in the regular expression... ethereal shows the mac with a : between them... but in the bottom pane, it shows the mac with a space/tab between them. How is the MAC passed on the wire? Any suggestions on or advice is appreciated.

CreatePlease login to create content