[TriLUG] IPTables appends 08:00 to MAC address field?
Jeff Bollinger
jeff01 at email.unc.edu
Mon Dec 15 11:04:52 EST 2003
Look at the log entry from IPTables below:
Dec 15 10:40:23 blackout kernel: ***SSH connection:IN=eth0 OUT=
MAC=00:0d:61:C5:76:b1:00:04:75:a0:d1:db:08:00 SRC=x.x.x.x DST=x.x.x.x
LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=15253 DF PROTO=TCP SPT=9453 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0
The MAC address field seems to be divided into
source: 00:0d:61:C5:76:b1
dest: 00:04:75:a0:d1:db
and an 08:00 on the end (2048 in decimal). What do these extra two
bytes signify? I notice this on almost all hosts that are
filtering/logging with IPtables, but I couldn't concoct the appropriate
Google query to get the answer. :)
Thanks,
Jeff