Subject: Re: help w/ tcpdump/arp
To: Brian Grayson <firstname.lastname@example.org>
From: Julian Coleman <J.D.Coleman@newcastle.ac.uk>
Date: 09/07/1998 17:54:18
Brian Grayson wrote:
> Is there a flag to tcpdump that says, print out the ethernet address
> of the sending machine, so that I could tell which of the 200 or so
> machines on the subnet was responsible? Is there any good
> method/program for translating Ethernet addresses to IPs? arp looks
> like it'll only do the reverse, and arp -a will only show current cached
> ARP entries, not all entries for the whole subnet.
-e Print the link-level header on each dump line.
and you'll get output like :
17:47:11.011413 8:0:20:9:6c:af 0:60:9:9c:6c:28 ip 85: orthanc.ncl.ac.uk.2644 > bowder.ncl.ac.uk.domain: 60814+ (43)
4500 0047 dbad 0000 4011 9f18 80f0 03fe
80f0 fa01 0a54 0035 0033 84dc ed8e 0100
0001 0000 0000 0000 0231 3501 3303 3234
3003 3132 3807
where '8:0:20:9:6c:af' is the source MAC address and '0:60:9:9c:6c:28' is the
destination. It's converted IP addresses to names already - if it hadn't,
you could look at the relevant bytes (80f0 03fe == 128.240.3.254 ==
orthanc.ncl.ac.uk, 80f0 fa01 == 128.240.250.1 == bowder.ncl.ac.uk) to see
them. If the source IP and/or MAC address is faked, then it's a bit more
difficult to determine the real sender.
PS. How do you get tcpdump to show the length of packets?
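The decoding described in the reply above, as an added example that is not part of the original mail: a small Python script that parses `tcpdump -e -x` style output in the format shown (timestamp, source MAC, destination MAC, protocol, length, then indented lines of hex), pulls the source and destination IPv4 address out of bytes 12-15 and 16-19 of the IP header, and builds the Ethernet-address-to-IP table the original question asked for. The sample capture is constructed: the first record is the line quoted in the mail, the second is an invented reply from bowder, and the third is an invented packet sent from bowder's MAC with orthanc's IP, so that the conflict check also shows what a faked source IP looks like (IP checksums in the invented records are left as 0000). The MAC zero-padding and the older tcpdump output layout are assumptions about the tool version in the mail.

```python
"""Map source MAC addresses to the IPv4 source addresses they emit,
from tcpdump -e -x output (added example, not from the original mail)."""
import re
from collections import defaultdict

# Constructed sample: record 1 is the line from the mail; records 2 and 3
# are invented (checksum field 0000) to show a reply and a spoofed packet.
SAMPLE = """\
17:47:11.011413 8:0:20:9:6c:af 0:60:9:9c:6c:28 ip 85: orthanc.ncl.ac.uk.2644 > bowder.ncl.ac.uk.domain: 60814+ (43)
        4500 0047 dbad 0000 4011 9f18 80f0 03fe
        80f0 fa01 0a54 0035 0033 84dc ed8e 0100
        0001 0000 0000 0000 0231 3501 3303 3234
        3003 3132 3807
17:47:11.020000 0:60:9:9c:6c:28 8:0:20:9:6c:af ip 101: bowder.ncl.ac.uk.domain > orthanc.ncl.ac.uk.2644: 60814 1/0/0 (59)
        4500 0057 0001 0000 4011 0000 80f0 fa01
        80f0 03fe 0035 0a54
17:47:12.000000 0:60:9:9c:6c:28 8:0:20:9:6c:af ip 85: orthanc.ncl.ac.uk.2644 > bowder.ncl.ac.uk.domain: 60815+ (43)
        4500 0047 0002 0000 4011 0000 80f0 03fe
        80f0 fa01 0a54 0035
"""

# "<time> <src mac> <dst mac> <proto> <length>:" as printed by tcpdump -e
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+):")
# indented hex lines as printed by tcpdump -x
HEX_RE = re.compile(r"^\s+((?:[0-9a-f]{2,4}\s*)+)$")


def norm_mac(mac):
    """Old tcpdump prints octets without zero padding (8:0:20:9:6c:af)."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))


def parse_records(text):
    """Split dump text into records: header fields plus accumulated hex."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts, smac, dmac, proto, length = m.groups()
            records.append({"time": ts, "src_mac": norm_mac(smac),
                            "dst_mac": norm_mac(dmac), "proto": proto,
                            "len": int(length), "hex": ""})
            continue
        h = HEX_RE.match(line)
        if h and records:
            records[-1]["hex"] += h.group(1).replace(" ", "")
    return records


def ipv4_addrs(hexdump):
    """Return (src, dst) dotted quads from an IPv4 header, or None."""
    b = bytes.fromhex(hexdump)
    if len(b) < 20 or b[0] >> 4 != 4:      # need a full IPv4 header
        return None
    dq = lambda off: ".".join(str(x) for x in b[off:off + 4])
    return dq(12), dq(16)                   # src at bytes 12-15, dst 16-19


def mac_ip_table(text):
    """source MAC -> set of source IPs seen from it."""
    table = defaultdict(set)
    for r in parse_records(text):
        if r["proto"] != "ip":
            continue
        addrs = ipv4_addrs(r["hex"])
        if addrs:
            table[r["src_mac"]].add(addrs[0])
    return dict(table)


def conflicts(table):
    """MACs that emitted more than one IP, and IPs emitted by more than
    one MAC: the symptom of a faked source address on the segment."""
    ip_to_macs = defaultdict(set)
    for mac, ips in table.items():
        for ip in ips:
            ip_to_macs[ip].add(mac)
    multi_ip = {m: ips for m, ips in table.items() if len(ips) > 1}
    multi_mac = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    return multi_ip, multi_mac


if __name__ == "__main__":
    table = mac_ip_table(SAMPLE)
    for mac, ips in sorted(table.items()):
        print(mac, sorted(ips))
    multi_ip, multi_mac = conflicts(table)
    for mac, ips in multi_ip.items():
        print("MAC", mac, "claims several IPs:", sorted(ips))
    for ip, macs in multi_mac.items():
        print("IP", ip, "seen from several MACs:", sorted(macs))
```

Feed it `tcpdump -e -x` output saved to a file (substitute the modern `-e` layout in HEADER_RE if your tcpdump prints `ethertype IPv4`). The table answers "which MAC sent this?" for the whole subnet as traffic is observed, and the conflict lists flag the case the reply warns about: a host whose MAC sends with someone else's IP shows up both as a MAC with two IPs and as an IP with two MACs.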