Nine InfoSec Courses at SANS Chicago 2017. Save $200 thru July 19.

IDFAQ: Can I use the MAC address of an Ethernet packet to trace an attacker?

If the attack originated from a system that has a direct connection to your system with no gateway in between, then you can use the MAC address. But, if a gateway is in the path, then the gateway replaces the MAC address of the sender with its own address. As a result, you can trace the attack to the gateway only. If the gateway has extensive logging enabled, you might consider searching the log file for more information.

Dirk Lehmann
Siemens CERT
Books on or related to Intrusion Detection and Prevention
 
I've been watching my network logs and I see a lot of mapping attempts. They aren't doing any real harm, so should I really be concerned about them?
IDFAQ: Can I use the MAC address of an Ethernet packet to trace an attacker?
Network Security 2017 - Las Vegas
Latest Whitepapers

Securing Industrial Control Systems-2017
By Bengt Gregory-Brown

Using Docker to Create Multi-Container Environments for Research and Sharing Lateral Movement
By Shaun McCullough

Loki-Bot: Information Stealer, Keylogger, & More!
By Rob Pantazopoulos

Last 25 Papers »

Latest Tweets @SANSInstitute

Understand attackers' tactics & strategies in detail wit [...]
July 13, 2017 - 4:50 PM

Newly discovered #cyberattack vectors, vulnerabilities with [...]
July 13, 2017 - 4:45 PM

Limited Time MacBook Air Special Offer | Training on Your Te [...]
July 13, 2017 - 4:02 PM

Contact Us

301-654-SANS(7267)
Mon-Fri 9am - 8pm EST/EDT
info@sans.org

"As a security professional, this info is foundational to do a competent job, let alone be successful."
- Michael Foster, Providence Health and Security

"This has been a great way to get working knowledge that would have taken years of experience to learn."
- Josh Carlson, Nelnet

"SANS is a great place to enhance your technical and hands-on skills and tools. I thoroughly recommend it."
- Aaron Waugh, Datacom NZ Ltd