Subject: Re: help w/ tcpdump/arp
To: Brian Grayson <bgrayson@latte.ece.utexas.edu>
From: Julian Coleman <J.D.Coleman@newcastle.ac.uk>
List: current-users
Date: 09/07/1998 17:54:18
Brian Grayson wrote:
>   Is there a flag to tcpdump that says, print out the ethernet address
> of the sending machine, so that I could tell which of the 200 or so
> machines on the subnet was responsible?  Is there any good
> method/program for translating Ethernet addresses to IPs?  arp looks
> like it'll only do the reverse, and arp -a will only show current cached
> ARP entries, not all entries for the whole subnet.

Try :

       -e     Print the link-level header on each dump line.

and you'll get output like :

17:47:11.011413 8:0:20:9:6c:af 0:60:9:9c:6c:28 ip 85: orthanc.ncl.ac.uk.2644 > bowder.ncl.ac.uk.domain: 60814+ (43)
                         4500 0047 dbad 0000 4011 9f18 80f0 03fe
                         80f0 fa01 0a54 0035 0033 84dc ed8e 0100
                         0001 0000 0000 0000 0231 3501 3303 3234
                         3003 3132 3807

where '8:0:20:9:6c:af' is the source MAC address and '0:60:9:9c:6c:28' is the
destination.  It's converted IP addresses to names already - if it hadn't,
you could look at the relevant bytes (80f0 03fe == 128.240.3.254 ==
orthanc.ncl.ac.uk, 80f0 fa01 == 128.240.250.1 == bowder.ncl.ac.uk) to see
them.  If the source IP and/or MAC address is faked, then it's a bit more
difficult to determine the real sender.

J

PS.  How do you get tcpdump to show the length of packets?

-- 
    1024/55A5BC19        0F 3F 62 56 18 10 8B 84  43 8F F4 94 93 37 76 AA

S.E.P.
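As an added worked example (not part of the thread and not tcpdump's own code), the following Python 3 script, using only the standard library, decodes the `-e` output quoted above: it pulls the source and destination MAC addresses and frame length from the summary line, then walks the hex dump to recover the IPv4 header fields (source and destination address, TTL, protocol, and the Total Length field at bytes 2-3, 0x0047 = 71, which plus the 14-byte Ethernet header gives the 85 that tcpdump prints), verifies the IP header checksum, and, because the protocol is UDP, reads the port pair. The sample input is the exact record from the message; the field layout follows RFC 791 / RFC 768, and the assumption that the hex dump begins at the IP header (i.e. after the link-level header) is how that tcpdump version printed it.

```python
import re
import struct

# Constructed sample: the `tcpdump -e` summary line and hex dump quoted in the
# message above, reproduced here as test input.
SAMPLE = """17:47:11.011413 8:0:20:9:6c:af 0:60:9:9c:6c:28 ip 85: orthanc.ncl.ac.uk.2644 > bowder.ncl.ac.uk.domain: 60814+ (43)
                         4500 0047 dbad 0000 4011 9f18 80f0 03fe
                         80f0 fa01 0a54 0035 0033 84dc ed8e 0100
                         0001 0000 0000 0000 0231 3501 3303 3234
                         3003 3132 3807
"""

# Assumption: the hex dump starts at the IP header, so the 14-byte Ethernet
# header is only represented by the MACs on the summary line.
ETH_HEADER_LEN = 14

SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src_mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+"
    r"(?P<dst_mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+"
    r"(?P<ethertype>\S+)\s+(?P<frame_len>\d+):"
)


def normalise_mac(mac):
    """Zero-pad the octets tcpdump prints unpadded (8:0:20:... -> 08:00:20:...)."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def ones_complement_sum(data):
    """16-bit one's-complement sum as used by the IP header checksum (RFC 791)."""
    total = 0
    for i in range(0, len(data) - 1, 2):
        total += (data[i] << 8) | data[i + 1]
    if len(data) % 2:
        total += data[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header_checksum_ok(header):
    # A header whose checksum field is intact sums to 0xFFFF.
    return ones_complement_sum(header) == 0xFFFF


def parse_ipv4(payload):
    """Decode the fixed IPv4 header (and UDP ports, if present) from raw bytes."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", payload[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(payload) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "total_length": total_len,   # bytes, IP header + payload
        "ttl": ttl,
        "protocol": proto,           # 17 == UDP
        "checksum_ok": ip_header_checksum_ok(payload[:ihl]),
    }
    if proto == 17 and len(payload) >= ihl + 4:
        sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
        info["udp_ports"] = (sport, dport)
    return info


def parse_record(text):
    """Parse one tcpdump -e/-x record: summary line followed by hex lines."""
    lines = text.strip("\n").splitlines()
    m = SUMMARY_RE.match(lines[0])
    if not m:
        raise ValueError("first line is not a tcpdump -e summary line")
    payload = bytes.fromhex("".join("".join(lines[1:]).split()))
    ip = parse_ipv4(payload)
    frame_len = int(m["frame_len"])
    return {
        "timestamp": m["ts"],
        "src_mac": normalise_mac(m["src_mac"]),
        "dst_mac": normalise_mac(m["dst_mac"]),
        "frame_len": frame_len,
        "ip": ip,
        # The frame length tcpdump prints should be Ethernet header + IP total length;
        # a mismatch means the dump was truncated or the header is bogus.
        "length_consistent": frame_len == ETH_HEADER_LEN + ip["total_length"],
    }


if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print(f"{rec['src_mac']} -> {rec['dst_mac']}  "
          f"{rec['ip']['src']} -> {rec['ip']['dst']}  "
          f"ip_len={rec['ip']['total_length']} cksum_ok={rec['ip']['checksum_ok']}")
```

Keeping the MAC and IP pairs this script emits in a table is the practical way to answer the original question: once you have seen a host's MAC beside its IP, a later frame carrying that MAC with a different source IP (or the same IP from a different MAC) is the case the reply describes as "faked", and the checksum and length checks catch plain corruption rather than spoofing.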