#1
1) For most people, their connection is to a defined IP range owned by a single ISP provider, who probably gives its users the modem to use, and thus, these modems are all probably of a certain make, and all have the same first 3 hexadecimal numbers. Thus, since all users in that IP range would share identical hex values in the first 3 digits of their MAC address, if you randomized your entire MAC address, you would stand out as the user with a different beginning MAC address than the rest. It would be better, for the sake of anonymity, to keep the original first 3 numbers and randomize only the last 3. Am I correct?

2) Using a sniffer, I can see that random packages sent to my IP address by all those bots and whatever that are out there, already know my MAC address without any communication from my part. This happens even when I start my internet connection and I have been online for only half a second, the first random bit of internet noise that hits me already knows my MAC address despite my not communicating with anyone besides my ISP to establish the connection. How does this work? Is my modem changing the MAC on incoming packets? Or my ISP?

3) If I open my ISP monitoring window it shows me sent/received bytes to the internet. By carefully following this flow with the sniffer, I realized that there is a discrepancy, and that almost every packet sent/received, according to the sniffer, is 20 bytes longer than according to the ISP window. Any reason why (and which) 20 bytes would be underreported from every packet (almost every packet)? The ECHO packet behaves differently: my ISP window shows a flow of about 20 bytes per packet, while the sniffer program reports 50 to 60 bytes (don't remember the exact number).

4) Is there a website that will show you a print out of the packet you send it, the same way there are web sites that show you the details of your web request (such as IP address, what IE you're using, etc.)?

retyop@techemail.com

#2
On 12 Oct 2006 13:41:17 -0700, (E-Mail Removed) wrote in <(E-Mail Removed) .com>:

> 1) For most people, their connection is to a defined IP range owned by a single ISP provider, who probably gives its users the modem to use, and thus, these modems are all probably of a certain make, and all have the same first 3 hexadecimal numbers.

Most non-trivial providers wind up supplying different hardware, sooner or later, so there's usually a mix of products in the field. In addition, some users may buy their hardware from a third-party source.

> Thus, since all users in that IP range would share identical hex values in the first 3 digits of their MAC address, if you randomized your entire MAC address, you would stand out as the user with a different beginning MAC address than the rest. It would be better, for the sake of anonymity, to keep the original first 3 numbers and randomize only the last 3. Am I correct?

Why would you want to change your MAC address? You're identifiable by your IP address.

> 2) Using a sniffer, I can see that random packages sent to my IP address by all those bots and whatever that are out there, already know my MAC address without any communication from my part. This happens even when I start my internet connection and I have been online for only half a second, the first random bit of internet noise that hits me already knows my MAC address despite my not communicating with anyone besides my ISP to establish the connection. How does this work? Is my modem changing the MAC on incoming packets? Or my ISP?

Those things out there just use your IP address. Your MAC address comes from ARP. (Look it up in Wikipedia.)

> 3) If I open my ISP monitoring window it shows me sent/received bytes to the internet. By carefully following this flow with the sniffer, I realized that there is a discrepancy, and that almost every packet sent/received, according to the sniffer, is 20 bytes longer than according to the ISP window. Any reason why (and which) 20 bytes would be underreported from every packet (almost every packet)? The ECHO packet behaves differently: my ISP window shows a flow of about 20 bytes per packet, while the sniffer program reports 50 to 60 bytes (don't remember the exact number).

Read up on Ethernet. (Wikipedia again, as a starting place.)

> 4) Is there a website that will show you a print out of the packet you send it, the same way there are web sites that show you the details of your web request (such as IP address, what IE you're using, etc.)?

You wouldn't learn anything more than by sniffing yourself.

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#3
"John Navas" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...

> On 12 Oct 2006 13:41:17 -0700, (E-Mail Removed) wrote in <(E-Mail Removed) .com>:
>
> > Thus, since all users in that IP range would share identical hex values in the first 3 digits of their MAC address, if you randomized your entire MAC address, you would stand out as the user with a different beginning MAC address than the rest. It would be better, for the sake of anonymity, to keep the original first 3 numbers and randomize only the last 3. Am I correct?
>
> Why would you want to change your MAC address? You're identifiable by your IP address.

IP addresses are logical addresses, a host can change his IP address. Where a MAC address is a burned-in address for a particular NIC. This address cannot be changed, hence it represents one unique host. Of course you can change out NICs, but that is not usually done.

> > 2) Using a sniffer, I can see that random packages sent to my IP address by all those bots and whatever that are out there, already know my MAC address without any communication from my part. This happens even when I start my internet connection and I have been online for only half a second, the first random bit of internet noise that hits me already knows my MAC address despite my not communicating with anyone besides my ISP to establish the connection. How does this work? Is my modem changing the MAC on incoming packets? Or my ISP?
>
> Those things out there just use your IP address. Your MAC address comes from ARP. (Look it up in Wikipedia.)

Your MAC address does not come from ARP, your MAC address is burned into your NIC by the manufacturer. The first part of the MAC address is controlled by a global body that gives addresses to the manufacturers, the second part of the MAC address is controlled by the manufacturer to identify the host.
ARP is a way to resolve addresses, ARP does not give out addresses.

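An added example, not part of any post in this thread: the two-part MAC layout described above, plus the two flag bits in the first octet (individual/group and universal/local, per IEEE 802), applied to a list of addresses seen on one segment. The sample addresses and the `survey` helper are constructed for illustration.

```python
from collections import Counter

def parse_mac(text):
    """Split a 48-bit MAC address into its assigned prefix and device half."""
    digits = text.replace(":", "").replace("-", "").lower()
    raw = bytes.fromhex(digits)  # raises ValueError on non-hex input
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [f"{b:02x}" for b in raw]
    return {
        "mac": ":".join(octets),
        "oui": ":".join(octets[:3]),      # prefix assigned to the manufacturer
        "device": ":".join(octets[3:]),   # part chosen by the manufacturer
        "multicast": bool(raw[0] & 0x01),             # I/G bit
        "locally_administered": bool(raw[0] & 0x02),  # U/L bit
    }

def survey(macs):
    """Describe how each address compares with the others seen on a segment."""
    parsed = [parse_mac(m) for m in macs]
    # Only universally administered addresses carry a meaningful vendor prefix.
    vendors = Counter(p["oui"] for p in parsed if not p["locally_administered"])
    report = {}
    for p in parsed:
        if p["locally_administered"]:
            note = "locally administered: set in software, no vendor prefix"
        elif vendors[p["oui"]] == 1:
            note = "only device with this vendor prefix"
        else:
            note = f"shares vendor prefix with {vendors[p['oui']] - 1} other(s)"
        report[p["mac"]] = note
    return report

# Constructed sample: three modems sharing one prefix (the IANA documentation
# range 00:00:5e:00:53:xx), one device with a different made-up prefix, and
# one address with the locally administered bit set.
SAMPLE_SEGMENT = [
    "00:00:5e:00:53:01",
    "00-00-5E-00-53-02",
    "00:00:5e:00:53:03",
    "a4:00:00:12:34:56",
    "da:3f:91:7c:05:e2",
]

if __name__ == "__main__":
    for mac, note in survey(SAMPLE_SEGMENT).items():
        print(mac, "->", note)
```
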
#4
On Thu, 12 Oct 2006 13:52:14 -0800, "Dana" <(E-Mail Removed)> wrote in <(E-Mail Removed)>:

> "John Navas" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>
> > Why would you want to change your MAC address? You're identifiable by your IP address.
>
> IP addresses are logical addresses, a host can change his IP address. Where a MAC address is a burned-in address for a particular NIC. This address cannot be changed, hence it represents one unique host. Of course you can change out NICs, but that is not usually done.

The remote bad guy can't see your MAC address (only the local network sees it), so this is irrelevant.

> > Those things out there just use your IP address. Your MAC address comes from ARP. (Look it up in Wikipedia.)
>
> Your MAC address does not come from ARP, your MAC address is burned into your NIC by the manufacturer. The first part of the MAC address is controlled by a global body that gives addresses to the manufacturers, the second part of the MAC address is controlled by the manufacturer to identify the host.
> ARP is a way to resolve addresses, ARP does not give out addresses.

Are you trying to be argumentative? ARP is how the local network finds your MAC address from your IP address.

--
Best regards,
John Navas
FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

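An added example, not part of any post in this thread: an ARP request and reply as they appear on the local segment, decoded from raw Ethernet frames to show where the IP-to-MAC mapping comes from. The gateway and host addresses are constructed sample values, and `build_arp_frame` exists only to produce that sample data.

```python
import ipaddress
import struct

ETH_HEADER_LEN = 14   # dst MAC (6) + src MAC (6) + EtherType (2)
ARP_LEN = 28          # IPv4-over-Ethernet ARP body
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp_frame(oper, src_mac, src_ip, dst_mac, dst_ip):
    """Build an Ethernet II frame carrying an ARP packet (sample data only)."""
    # A request does not know the target's MAC yet, so that field is zeroed.
    target_hw = b"\x00" * 6 if oper == ARP_REQUEST else mac_bytes(dst_mac)
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                      target_hw, ipaddress.IPv4Address(dst_ip).packed)
    return eth + arp

def parse_arp_frame(frame):
    """Decode the Ethernet header and the IPv4-over-Ethernet ARP body."""
    if len(frame) < ETH_HEADER_LEN + ARP_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[ETH_HEADER_LEN:ETH_HEADER_LEN + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "oper": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(oper, oper),
        "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }

def arp_table(frames):
    """Collect IP -> MAC mappings from the sender fields of each ARP packet."""
    return {p["sender_ip"]: p["sender_mac"] for p in map(parse_arp_frame, frames)}

# Constructed exchange: the gateway broadcasts "who has 192.0.2.10?" and the
# host answers with its own MAC address, addressed to the gateway only.
GATEWAY = ("02:00:00:00:00:01", "192.0.2.1")
HOST = ("02:00:00:00:00:0a", "192.0.2.10")
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, GATEWAY[0], GATEWAY[1], "ff:ff:ff:ff:ff:ff", HOST[1]),
    build_arp_frame(ARP_REPLY, HOST[0], HOST[1], GATEWAY[0], GATEWAY[1]),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_arp_frame(frame))
    print(arp_table(SAMPLE_FRAMES))
```
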
#5
"John Navas" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...

> On Thu, 12 Oct 2006 13:52:14 -0800, "Dana" <(E-Mail Removed)> wrote in <(E-Mail Removed)>:
>
> > "John Navas" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> >
> > > Why would you want to change your MAC address? You're identifiable by your IP address.
> >
> > IP addresses are logical addresses, a host can change his IP address. Where a MAC address is a burned-in address for a particular NIC. This address cannot be changed, hence it represents one unique host. Of course you can change out NICs, but that is not usually done.
>
> The remote bad guy can't see your MAC address (only the local network sees it), so this is irrelevant.
>
> > > Those things out there just use your IP address. Your MAC address comes from ARP. (Look it up in Wikipedia.)
> >
> > Your MAC address does not come from ARP, your MAC address is burned into your NIC by the manufacturer. The first part of the MAC address is controlled by a global body that gives addresses to the manufacturers, the second part of the MAC address is controlled by the manufacturer to identify the host.
> > ARP is a way to resolve addresses, ARP does not give out addresses.
>
> Are you trying to be argumentative? ARP is how the local network finds your MAC address from your IP address.

That is said better than your MAC address comes from ARP.

> --
> Best regards,
> John Navas
> FAQ for Wireless Internet: <http://Wireless.wikia.com>
> FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

#6
What does this have to do with Virtual PC for Macintosh?

--
Barry Margolin, (E-Mail Removed)
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

#7
"Dana" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)

> "John Navas" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>
> > On 12 Oct 2006 13:41:17 -0700, (E-Mail Removed) wrote in <(E-Mail Removed) .com>:
> >
> > > Thus, since all users in that IP range would share identical hex values in the first 3 digits of their MAC address, if you randomized your entire MAC address, you would stand out as the user with a different beginning MAC address than the rest. It would be better, for the sake of anonymity, to keep the original first 3 numbers and randomize only the last 3. Am I correct?
> >
> > Why would you want to change your MAC address? You're identifiable by your IP address.
>
> IP addresses are logical addresses, a host can change his IP address. Where a MAC address is a burned-in address for a particular NIC. This address cannot be changed, hence it represents one unique host. Of course you can change out NICs, but that is not usually done.

My router will "clone" a MAC address.

> > > 2) Using a sniffer, I can see that random packages sent to my IP address by all those bots and whatever that are out there, already know my MAC address without any communication from my part. This happens even when I start my internet connection and I have been online for only half a second, the first random bit of internet noise that hits me already knows my MAC address despite my not communicating with anyone besides my ISP to establish the connection. How does this work? Is my modem changing the MAC on incoming packets? Or my ISP?
> >
> > Those things out there just use your IP address. Your MAC address comes from ARP. (Look it up in Wikipedia.)
>
> Your MAC address does not come from ARP, your MAC address is burned into your NIC by the manufacturer. The first part of the MAC address is controlled by a global body that gives addresses to the manufacturers, the second part of the MAC address is controlled by the manufacturer to identify the host.
> ARP is a way to resolve addresses, ARP does not give out addresses.

--
Travis in Shoreline Washington

#8
Please remove the microsoft.public.mac.virtualpc newsgroup from replies to this thread. It is NOT related to MAC addresses, but Apple Mac software.

On Fri, 13 Oct 2006 07:35:33 GMT, "Travis M." <(E-Mail Removed)> wrote:

> "Dana" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)
>
> > "John Navas" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> >
> > > On 12 Oct 2006 13:41:17 -0700, (E-Mail Removed) wrote in <(E-Mail Removed) .com>:
> > >
> > > > Thus, since all users in that IP range would share identical hex values in the first 3 digits of their MAC address, if you randomized your entire MAC address, you would stand out as the user with a different beginning MAC address than the rest. It would be better, for the sake of anonymity, to keep the original first 3 numbers and randomize only the last 3. Am I correct?
> > >
> > > Why would you want to change your MAC address? You're identifiable by your IP address.
> >
> > IP addresses are logical addresses, a host can change his IP address. Where a MAC address is a burned-in address for a particular NIC. This address cannot be changed, hence it represents one unique host. Of course you can change out NICs, but that is not usually done.
>
> My router will "clone" a MAC address.
>
> > > > 2) Using a sniffer, I can see that random packages sent to my IP address by all those bots and whatever that are out there, already know my MAC address without any communication from my part. This happens even when I start my internet connection and I have been online for only half a second, the first random bit of internet noise that hits me already knows my MAC address despite my not communicating with anyone besides my ISP to establish the connection. How does this work? Is my modem changing the MAC on incoming packets? Or my ISP?
> > >
> > > Those things out there just use your IP address. Your MAC address comes from ARP. (Look it up in Wikipedia.)
> >
> > Your MAC address does not come from ARP, your MAC address is burned into your NIC by the manufacturer. The first part of the MAC address is controlled by a global body that gives addresses to the manufacturers, the second part of the MAC address is controlled by the manufacturer to identify the host.
> > ARP is a way to resolve addresses, ARP does not give out addresses.

--
Cheers,
Steve Jain, Virtual Machine MVP
http://vpc.essjae.com/
I do not work for Microsoft.

#9
In article <(E-Mail Removed)>, "Dana" <(E-Mail Removed)> wrote:

> "John Navas" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>
> > On 12 Oct 2006 13:41:17 -0700, (E-Mail Removed) wrote in <(E-Mail Removed) .com>:
> >
> > > Thus, since all users in that IP range would share identical hex values in the first 3 digits of their MAC address, if you randomized your entire MAC address, you would stand out as the user with a different beginning MAC address than the rest. It would be better, for the sake of anonymity, to keep the original first 3 numbers and randomize only the last 3. Am I correct?
> >
> > Why would you want to change your MAC address? You're identifiable by your IP address.
>
> IP addresses are logical addresses, a host can change his IP address. Where a MAC address is a burned-in address for a particular NIC. This address cannot be changed, hence it represents one unique host. Of course you can change out NICs, but that is not usually done.

That's not completely true. DEC systems changed their MAC addresses and SUN systems do also. If you have multiple NIC adapters in a SUN system, they all use the same MAC address by default unless you change this at the Open Boot Prompt. For the most part, this is only a problem with multihomed systems on the same network segment. If the NICs are in different segments, they can broadcast the same MAC address. Only VLANs get upset with having the same MAC address on the same box connected to different ports.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

#10
"Michael Vilain" <(E-Mail Removed)> wrote in message news:vilain-(E-Mail Removed)...

> In article <(E-Mail Removed)>, "Dana" <(E-Mail Removed)> wrote:
>
> > "John Navas" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> >
> > > On 12 Oct 2006 13:41:17 -0700, (E-Mail Removed) wrote in <(E-Mail Removed) .com>:
> > >
> > > > Thus, since all users in that IP range would share identical hex values in the first 3 digits of their MAC address, if you randomized your entire MAC address, you would stand out as the user with a different beginning MAC address than the rest. It would be better, for the sake of anonymity, to keep the original first 3 numbers and randomize only the last 3. Am I correct?
> > >
> > > Why would you want to change your MAC address? You're identifiable by your IP address.
> >
> > IP addresses are logical addresses, a host can change his IP address. Where a MAC address is a burned-in address for a particular NIC. This address cannot be changed, hence it represents one unique host. Of course you can change out NICs, but that is not usually done.
>
> That's not completely true. DEC systems changed their MAC addresses and SUN systems do also.

Never said you cannot change MAC addresses. Only said that MAC addresses were burned into the NIC by the MFG.

> --
> DeeDee, don't press that button! DeeDee! NO! Dee...

Tags: beginner, questions, spoofing