
Thread: Port Scan

  1. #11
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,021
    Are you sure...

    I managed to use a source MAC address to verify my mobile phone IMAP connection here:

    http://www.antionline.com/showthread...ess#post709868

    Doesn't it depend on what's being reported, or should I be rethinking my mobile phone IMAP connection and iptables?

    Worried,
    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Steve:

    It took me a while to find it and yes, this is talking about IPX routing and Broadcasts but that is on a different layer in the packet

    3. When the router receives the packet it builds a packet frame around it, and INSERTS the ROUTERS ethernet address as the MAC source address and leaves the MAC destination node address as FF's (broadcast datagram). The Transport control field in the IPX header is again incremented.

    MAC Frame Changes: Ethernet Address: 00006E46A7F4 [Router's ethernet address]
    Source

    It was actually someone here on AO that originally pointed this out to me ages ago. The 802.3 MAC frame is where the change takes place in routed packets.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,021
    Tiger, I'm more confused..

    You seem to be talking about IPX not TCP/IP as is the source article you quote.

    I've tested my setup again and sniffed using ettercap after removing the iptables entry for a short while.

    My phone service provider always shows a single IP for all GPRS connections (tested with my phone & a mate's phone using the same phone service provider) but ettercap reports differing MAC addresses. Now since this is from the same service provider, using the same cell I can only assume that the routers the packets pass through (at least the last few of them) must be the same, so I am assuming this must be the MAC address of the phone.

    The MAC address stays the same regardless of location of the phone within the UK.

    The bottom line is my mate can't use me as an open relay, from the same phone service provider yet I can send email.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Steve: You are right.... I was in far too much of a hurry to be replying and wasn't really thinking about what the hell I was quoting/typing. I was right though when I typed it because I had already run a little experiment here. Now I have time to show the results....

    I have 2 routers on this subnet that sent traffic for my remote subnets in the appropriate directions.

    Router 1: 00:e0:1e:42:a1:61
    Router 2: 00:50:73:44:0f:50

    I have subnets 192.168.101.0/24 and 192.168.103.0/24 routed through Router 1. 192.168.100.0/24 and routed through Router 1.

    The router MAC's were determined by pinging them while Ethereal was running. The Ethereal dump shows the MAC address in Ethernet 2 part of the packet in the format "Source: 00:e0:1e:42:a1:61 (Cisco_44:0f:50)" for Router 1 and similar for Router 2.

    I then ran a capture for any traffic coming from the 192.168.100.0/24 network. Looking at TCP/POP/DNS, (UDP), and HTTP packets the MAC address listed as source always has the "Source: 00:50:73:44:0f:50 (Cisco_44:0f:50)", (Router 2), in it regardless of the actual IP Address that initiated the packet on the remote subnet.

    The same occurs with the other two subnets but the source then points to "Source: 00:e0:1e:42:a1:61 (Cisco_44:0f:50)", (Router 1).

    In short, everything I see on this network from the remote networks has the local router's ethernet MAC as the source MAC in the Ethernet II part of the packets and Ethereal doesn't give any other MAC address other than the destination, (in the same part of the Packet). IOW, this being a Cisco "shop", all my remote devices are reported as Cisco's - which they aren't.

    I don't know what is happening on your phone but this is what is happening on my network and it gels with what I had pointed out to me in the past and even with the way the IPX packets are routed, (Aren't IPX packets only routed by encapsulation in TCP? Anyone?)..... The router places its own MAC Address as the source....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
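
The capture experiment described in post #14, as an added example that is not part of the original thread: it parses Ethernet II/IPv4 frames and groups off-subnet source IPs by source MAC, showing that each remote host appears behind its local router's MAC. The local subnet 192.168.102.0/24, the individual host addresses and the 02:00:... MACs are constructed assumptions; only the two router MACs and the three remote subnets come from the post.

```python
import ipaddress
import struct
from collections import defaultdict

# Assumed local subnet; the thread does not state it.
LOCAL_NET = ipaddress.ip_network("192.168.102.0/24")

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a minimal Ethernet II + IPv4 header (constructed sample data)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) \
        + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

def parse_frame(frame):
    """Return (source MAC, source IP) for an IPv4-in-Ethernet II frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # truncated frame or not IPv4
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, ipaddress.ip_address(frame[26:30])

def macs_fronting_remote_hosts(frames, local_net=LOCAL_NET):
    """Map each source MAC to the off-subnet source IPs seen behind it."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[1] not in local_net:
            seen[parsed[0]].add(str(parsed[1]))
    return {mac: sorted(ips) for mac, ips in seen.items()}

ME = "02:00:00:00:00:01"          # constructed MAC of the capturing host
R1 = "00:e0:1e:42:a1:61"          # Router 1 (from the post)
R2 = "00:50:73:44:0f:50"          # Router 2 (from the post)
SAMPLE_FRAMES = [                 # constructed frames as seen on the local segment
    build_frame(ME, R2, "192.168.100.10", "192.168.102.1"),
    build_frame(ME, R2, "192.168.100.20", "192.168.102.1"),
    build_frame(ME, R1, "192.168.101.5", "192.168.102.1"),
    build_frame(ME, R1, "192.168.103.7", "192.168.102.1"),
    build_frame(ME, "02:00:00:00:00:30", "192.168.102.30", "192.168.102.1"),
]

if __name__ == "__main__":
    for mac, ips in macs_fronting_remote_hosts(SAMPLE_FRAMES).items():
        print(mac, "->", ", ".join(ips))
```

Any MAC that fronts off-subnet addresses is a next-hop router, so an iptables MAC match on it admits every host routed through that hop rather than one device.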

  5. #15
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,021
    You are spot on - I need to rethink my phone - mail security & to look at my experiments as well since they seemed to work!

    I've just used ping to check this out.

    The MAC address I've set up in iptables is for the router!

    I'd give you more greens but I can't ATM!

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
