On Mar 11, 2008, at 3:01 PM, Ralph Shumaker wrote:

But why capture the MAC address?  For what purpose?

Well, the MAC address, assuming it's not forged, is as close to a serial number as you're going to get in terms of identifying a computer over the network. Now, numerous ways exist to change your interface's MAC address programmatically (hell, I think ifconfig/iwconfig will do this for you). Furthermore, someone truly bent upon nefarious purposes will likely (though not definitely!) be smart enough to use a fake MAC address while performing their dastardly deeds.

Most people are in too much of a hurry (or too stupid, or just plain wouldn't think of it), so it might be worth logging, somewhere, what MAC addresses are connected, possibly even to generate a flow log (which endpoints are connected to which) across the router. That way, if you ever are dragged into something, you can say, "here's everything that was connecting to anything on my network during the alleged times, and none of *my* hardware matches any of those identifiers." Not a get-out-of-jail-free card, but evidence is evidence, especially if it's in your favor.

That, and I'm just curious as to who would be using my networking.

And why "do a full nmap-scan of the host before allowing it online"? What would that do for you?

If someone is going to use my network, I want to at least make sure they're not riddled with listening services that might be indicative of a pwn3d machine. Plus, the OS identification might be handy, too.

Hmm... Maybe I need to get one of those Soekris systems with an a/b/g/n radio and set this stuff up.

Gregory

--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu
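Added example, not part of Gregory's message or the kplug list: a small audit that does what the reply describes, comparing the MAC addresses seen on the segment against an inventory of the owner's own hardware, and noting the caveat about changed addresses by checking the locally-administered bit. The ARP table lines, inventory entries and interface name are constructed; the `arp -an` line format follows Linux/BSD output.

```python
"""Compare MACs seen on the network against an inventory of my own hardware.

Constructed example: the ARP lines and inventory below are made up; on a
real router you would feed in the live ARP table or DHCP lease file.
"""
import re
from typing import Dict, List

# Constructed `arp -an` style output (not captured from a real network).
SAMPLE_ARP = """\
? (192.168.1.1) at 00:0d:b9:11:22:33 on vr0 permanent [ethernet]
? (192.168.1.20) at 00:1e:c2:aa:bb:cc on vr0 expires in 1190 seconds [ethernet]
? (192.168.1.57) at 02:13:37:de:ad:01 on vr0 expires in 900 seconds [ethernet]
? (192.168.1.90) at 00:14:cb:44:55:66 on vr0 expires in 300 seconds [ethernet]
"""

# Constructed inventory of "my" hardware, keyed by MAC address.
MY_HARDWARE: Dict[str, str] = {
    "00:0d:b9:11:22:33": "router",
    "00:1e:c2:aa:bb:cc": "laptop",
}

MAC_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)

def parse_arp(text: str) -> Dict[str, str]:
    """Return {mac: ip} for every entry in `arp -an` output."""
    return {m.group("mac").lower(): m.group("ip") for m in MAC_RE.finditer(text)}

def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet set means the address was assigned by
    software rather than burned in by the vendor: a hint the MAC was changed."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(arp_text: str, inventory: Dict[str, str]) -> List[dict]:
    """Flag every MAC not in the inventory, noting likely software-set ones."""
    findings = []
    for mac, ip in parse_arp(arp_text).items():
        if mac in inventory:
            continue
        findings.append({"mac": mac, "ip": ip,
                         "locally_administered": is_locally_administered(mac)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ARP, MY_HARDWARE):
        note = " (software-set MAC?)" if f["locally_administered"] else ""
        print(f"unknown host {f['ip']} with MAC {f['mac']}{note}")
```

A clean run, where every seen MAC is in the inventory, returns an empty list; a MAC that is both unknown and locally administered deserves the most attention, since it is exactly the forged-address case the reply cautions about.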



--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list