Intrusion Detection FAQ: Can I use the MAC address of an Ethernet packet to trace an attacker?

If the attack originated from a system that has a direct connection to your system with no gateway in between, then you can use the MAC address. But if a gateway is in the path, the gateway replaces the MAC address of the sender with its own address. As a result, you can trace the attack to the gateway only. If the gateway has extensive logging enabled, you might consider searching its log file for more information.

Dirk Lehmann
Siemens CERT
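
The two cases in the answer above, as an added example that is not part of the original FAQ: a small classifier that reads the source MAC and source IP from a captured Ethernet II frame and reports whether the MAC identifies the sender or only the gateway. The subnet, the gateway MAC, the sample frames and the function names are constructed for illustration, and the third verdict (an off-segment source IP arriving from a MAC that is not a listed gateway) goes one step beyond the two cases the answer names.

```python
import ipaddress
import struct

# Constructed values for this example (documentation ranges), not from the FAQ.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # the sensor's own segment
GATEWAY_MACS = {"00:00:5e:00:53:01"}               # inside interface of the gateway

def parse_frame(frame: bytes):
    """Return (source MAC, source IPv4) from an untagged Ethernet II frame."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet + IPv4 headers")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not untagged IPv4")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, ipaddress.ip_address(frame[26:30])

def trace_value(frame: bytes):
    """Say what the source MAC of a captured frame can be traced to."""
    src_mac, src_ip = parse_frame(frame)
    if src_mac in GATEWAY_MACS:
        # Forwarded frame: the MAC is the gateway's, so continue in its logs.
        return src_mac, "gateway"
    if src_ip in LOCAL_NET:
        # No gateway in between: the MAC belongs to the sending interface.
        return src_mac, "direct"
    # Off-segment source IP from a MAC that is not a listed gateway.
    return src_mac, "unlisted-forwarder"

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a minimal constructed Ethernet II + IPv4 header for the demo."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ip_hdr

SENSOR = "00:00:5e:00:53:10"
SAMPLES = {
    "remote via gateway": build_frame(SENSOR, "00:00:5e:00:53:01", "198.51.100.7", "192.0.2.10"),
    "same segment": build_frame(SENSOR, "00:00:5e:00:53:22", "192.0.2.55", "192.0.2.10"),
    "off-segment IP, other MAC": build_frame(SENSOR, "00:00:5e:00:53:33", "203.0.113.9", "192.0.2.10"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, "->", trace_value(frame))
```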
