[sllug-members]: mac address

[Shaun Kruger]

On 7/14/06, brian Beck <brian at planetbeck.com> wrote:
> on a discussion on another board, the subject of a isp knowing the mac
> address of computers behind a firewall came up, It was my understanding that
> the ISP can find out the mac address of computers behind a firewall/router,
> is it possible or am I misunderstanding the tcp/ip protocols?

You can't find out the mac of a computer that is on the other side of
a router.  When you have a gateway doing NAT the internal addresses
(192.168.x.x) are not visible from the outside world.  The mac address
is just the physical hardware address that becomes associated with a
particular ip address.  You can see this mapping by doing arp -a in
windows or cat /proc/net/arp in linux.  Ethernet frames know nothing
of IP addressing.  When you send data over ethernet II it has a 6 byte
destination mac, a 6 byte source mac (I forget order), and a 2 byte
protocol type identifier (original ethernet used this 2 bytes as a
packet length identifier).  The destination mac lets a machine know it
is supposed to receive or ignore the frame.  It then checks to see if
it has a handler for the protocol type ID.

If you wanted to find out what machine on an internal network accessed
a certian site a gateway would have to remember all the external
addresses that were connected to and what internal addresses requested
each connection.  It would also have to log the mac address of the
internal address for each connection (DHCP can assign the same address
to a new machine with a different mac).

It's not impossible, it's just that no one is doing it.

Shaun

> I.E. a person uses a wireless card to access your wireless lan to lookup
> porn can the isp tell which computer did the lookup/protection from
> prosecution



-- 
Visit my blog at http://hackerlog.blogspot.com
=====================================================
If more of us valued food and cheer and song above hoarded gold, it would
be a merrier world.
                -- J.R.R. Tolkien