When using this command, the IP Snort spits out is always the one given with
"-S", but in /var/log/messages I can see a lookup for the real IP of the
machine which is doing the scan. So I don't really believe that it's binding
another one. I tried to have a closer look at the headers with Snort and
tcpdump, but I can't find even a hint of the real IP. I think the real one is
looked up via the MAC address, but it isn't included in the TCP and IP headers,
or is it??? So, when sending over the LAN, is the packet wrapped within a header
that includes the MAC?

> Perhaps it binds another IP to the card if you use those 2 options. In Linux
> (dunno about Windows) it's very easy to have 1 Ethernet card listen to more
> than 1 IP address. If you use that option, try to see if the box responds to
> the IP you gave by pinging it.
> 
> (BTW it says YOUR IP so you're NOT supposed to supply anything else)
> 
> From nmap --help:
> 
> * -S <your_IP>/-e <devicename> Specify source address or network interface
> 
> Since you need root access for that, it might very well be possible it binds
> that IP to the interface you supplied
> 
> Regards

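The question above asks whether a packet sent over the LAN is wrapped in a header that carries the MAC address. As an added example (not part of the original message), this Python code parses a constructed Ethernet II frame to show that the source MAC sits in the 14-byte link-layer header in front of the IP header, and compares it with a MAC-to-IP inventory; the `KNOWN_HOSTS` table, the helper names and all addresses are assumptions made up for the illustration.

```python
import socket
import struct

# Constructed inventory of LAN hosts (MAC -> assigned IP); an assumption for this example.
KNOWN_HOSTS = {"00:11:22:33:44:55": "192.168.1.20"}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_sample_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Build a constructed Ethernet II frame carrying a minimal IPv4 + TCP SYN."""
    # Ethernet header: destination MAC, source MAC, EtherType 0x0800 (IPv4).
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    # IPv4 header (20 bytes); checksum left at 0 because the parser does not verify it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHLLBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Return link-layer and IPv4 source/destination fields of an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": ethertype}
    if ethertype == 0x0800:  # 802.1Q-tagged frames (0x8100) are not handled here
        ip = frame[14:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            raise ValueError("truncated or non-IPv4 payload")
        info["src_ip"] = socket.inet_ntoa(ip[12:16])
        info["dst_ip"] = socket.inet_ntoa(ip[16:20])
    return info

def check_source(frame, known=KNOWN_HOSTS):
    """Compare the IP source address with the IP recorded for the source MAC."""
    info = parse_frame(frame)
    expected = known.get(info["src_mac"])
    if expected is None or "src_ip" not in info:
        return "unknown"
    return "ok" if expected == info["src_ip"] else "mismatch"

if __name__ == "__main__":
    # Constructed frame: source IP differs from the one recorded for this MAC.
    frame = build_sample_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                               "10.9.9.9", "192.168.1.1")
    print(parse_frame(frame), check_source(frame))
```

The source MAC is only that of the last hop on the local segment: once a frame crosses a router, the Ethernet header is rewritten, so this comparison is meaningful only for hosts on the same LAN.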