The Seven Most Dangerous New Attack Techniques: Summary of the RSA 2017 keynote session featuring top SANS experts
4 Days Left to Save $400 on Threat Hunting and IR Summit

IDFAQ: Can I use the MAC address of an Ethernet packet to trace an attacker?

If the attack originated from a system that has a direct connection to your system with no gateway in between, then you can use the MAC address. But, if a gateway is in the path, then the gateway replaces the MAC address of the sender with its own address. As a result, you can trace the attack to the gateway only. If the gateway has extensive logging enabled, you might consider searching the log file for more information.

Dirk Lehmann
Siemens CERT