tcptrace with MAC addresses

 
 
Ryan
      06-06-2004, 07:07 AM
What I'm trying to do is log usage on one of my computers. I have been
using tcptrace to give a summary of transactions dumped by tcpdump. The
problem is, however, tcptrace will only
give you ip information, no mac information in the summary. I am running
dhcp and ips get reused quite frequently. I would like to have a
tcptrace-like summary but with mac addresses listed as well.

Does anyone know a good way of doing this without having to edit the
tcptrace code?

-ryan
 
P Gentry
      06-06-2004, 03:24 PM
"Ryan" <rcdetert@at_nospamz.ucdavis.edu> wrote in message news:<pan.2004.06.06.07.07.46.24340@at_nospamz.ucdavis.edu>...
> What I'm trying to do is log usage on one of my computers. I have been
> using tcptrace to give a summary of transactions dumped by tcpdump. The
> problem is, however, tcptrace will only
> give you ip information, no mac information in the summary. I am running
> dhcp and ips get reused quite frequently. I would like to have a
> tcptrace-like summary but with mac addresses listed as well.
>
> Does anyone know a good way of doing this without having to edit the
> tcptrace code?
>
> -ryan


Are you trying to "capture" the src MAC of incoming traffic? If the
packets are not on the local segment, all you will get is the MAC of
your GW router. The internet doesn't use ethernet anyway.

Use Ethereal to examine some full packets of exchanges and you'll
better (?) understand what is happening as MAC src is changed at each
hop (on a lan) and why it makes no sense for "normal" internet IP
traffic.

MAC addresses are only meaningful on the locally connected segment.
The whole idea of IP is to _separate_ data link addressing schemes
from IP addressing, otherwise you could not communicate across
technologies -- it's tough enough as it is ;-)

If you would state your purpose there may be another way to achieve it
....

hth,
prg
email above disabled
 
Allen Kistler
      06-06-2004, 07:15 PM
P Gentry wrote:
> "Ryan" <rcdetert@at_nospamz.ucdavis.edu> wrote in message news:<pan.2004.06.06.07.07.46.24340@at_nospamz.ucdavis.edu>...
>
>>What I'm trying to do is log usage on one of my computers. I have been
>>using tcptrace to give a summary of transactions dumped by tcpdump. The
>>problem is, however, tcptrace will only
>>give you ip information, no mac information in the summary. I am running
>>dhcp and ips get reused quite frequently. I would like to have a
>>tcptrace-like summary but with mac addresses listed as well.
>>

>
> [snip]
>
> MAC addresses are only meaningful on the locally connected segment.
> The whole idea of IP is to _separate_ data link addressing schemes
> from IP addressing, otherwise you could not communicate across
> technologies -- it's tough enough as it is ;-)


P:
MAC addresses are included in the data payload of DHCP packets. It's
how the DHCP server keeps track of who's got what address.

Ryan:
You could write your own filter for tcpdump output tailored just for
DHCP packets, perhaps piping the text version through a script. That's
probably a little more ambitious than you intend to get, though.
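
Added example, not part of any poster's message: an implementation of the DHCP filter Allen Kistler suggests, reading the capture file that `tcpdump -w` writes instead of tcpdump's text output (an assumption made here). It records which MAC each DHCPACK leased an IP to, so an IP in a tcptrace summary can be mapped to the MAC that held it at that time even when DHCP reuses addresses. All function names and the sample capture are constructed for illustration.

```python
import struct

def read_pcap(data):
    """Yield (timestamp, frame) from classic pcap bytes, as written by tcpdump -w."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("need a microsecond-resolution pcap with Ethernet link type")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "4I", data[pos:pos + 16])
        yield sec + usec / 1e6, data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen

def dhcp_ack(frame):
    """Return (leased_ip, client_mac) if the frame is a DHCPACK, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                                    # not IPv4 carrying UDP
    udp = 14 + (frame[14] & 0x0F) * 4                  # Ethernet header + IP header length
    bootp = frame[udp + 8:]
    if frame[udp:udp + 2] != b"\x00\x43" or bootp[236:240] != b"\x63\x82\x53\x63":
        return None                                    # not from server port 67, or no DHCP cookie
    i, msg_type = 240, None
    while i + 1 < len(bootp) and bootp[i] != 255:      # walk options until End (255)
        if bootp[i] == 53 and i + 2 < len(bootp):      # option 53 = DHCP message type
            msg_type = bootp[i + 2]
        i += 1 if bootp[i] == 0 else 2 + bootp[i + 1]  # Pad (0) has no length byte
    if msg_type != 5 or bootp[1:3] != b"\x01\x06" or bootp[16:20] == bytes(4):
        return None                                    # want ACK (5), Ethernet client, non-zero yiaddr
    return ".".join(map(str, bootp[16:20])), bootp[28:34].hex(":")

def lease_timeline(pcap_bytes):
    """(time, ip, mac) for every DHCPACK in the capture, in capture order."""
    return [(ts, *hit) for ts, f in read_pcap(pcap_bytes) if (hit := dhcp_ack(f))]

def mac_for(timeline, ip, when):
    """MAC that most recently received `ip` at or before `when`, or None."""
    return next((m for ts, lip, m in reversed(timeline) if lip == ip and ts <= when), None)

def sample_ack(ts, ip, mac):
    """Constructed input: one pcap record with a minimal DHCPACK (IP addrs, checksums zeroed)."""
    bootp = (b"\x02\x01\x06\x00" + bytes(12) + bytes(map(int, ip.split("."))) + bytes(8)
             + bytes.fromhex(mac.replace(":", "")) + bytes(202) + b"\x63\x82\x53\x63\x35\x01\x05\xff")
    udp = struct.pack("!4H", 67, 68, 8 + len(bootp), 0) + bootp
    ipv4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0) + bytes(8) + udp
    frame = bytes(12) + b"\x08\x00" + ipv4
    return struct.pack("<4I", ts, 0, len(frame), len(frame)) + frame

SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # constructed capture
          + sample_ack(1000, "192.0.2.10", "00:11:22:33:44:55")       # first holder of the IP
          + sample_ack(5000, "192.0.2.10", "66:77:88:99:aa:bb"))      # same IP leased to another host
```

The timeline only covers leases whose DHCPACK appears in the capture, so the capture has to start before the hosts of interest obtain or renew their addresses.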

 
 
Cameron Kerr
      06-07-2004, 01:37 AM
Ryan <rcdetert@at_nospamz.ucdavis.edu> wrote:

> What I'm trying to do is log usage on one of my computers.


It sounds like you want to do IP Accounting. Have a look at ip-acct

Or are you wanting to monitor only a particular application layer
protocol, such as HTTP or FTP? Do you also want to be able to say where
they went? If so, your best bet is to put in a (possibly transparent)
proxy.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
P Gentry
      06-07-2004, 02:21 AM
Allen Kistler <(E-Mail Removed)> wrote in message news:<z3Kwc.20499$(E-Mail Removed) gy.com>...
> P Gentry wrote:
> > "Ryan" <rcdetert@at_nospamz.ucdavis.edu> wrote in message news:<pan.2004.06.06.07.07.46.24340@at_nospamz.ucdavis.edu>...
> >
> >>What I'm trying to do is log usage on one of my computers. I have been
> >>using tcptrace to give a summary of transactions dumped by tcpdump. The
> >>problem is, however, tcptrace will only
> >>give you ip information, no mac information in the summary. I am running
> >>dhcp and ips get reused quite frequently. I would like to have a
> >>tcptrace-like summary but with mac addresses listed as well.
> >>

> >
> > [snip]
> >
> > MAC addresses are only meaningful on the locally connected segment.
> > The whole idea of IP is to _separate_ data link addressing schemes
> > from IP addressing, otherwise you could not communicate across
> > technologies -- it's tough enough as it is ;-)

>
> P:
> MAC addresses are included in the data payload of DHCP packets. It's
> how the DHCP server keeps track of who's got what address.
>
> Ryan:
> You could write your own filter for tcpdump output tailored just for
> DHCP packets, perhaps piping the text version through a script. That's
> probably a little more ambitious than you intend to get, though.


Well, not to short-circuit the idea -- it's good as far as it goes and
a bit more with some neighbor discovery arps -- but I assume the OP was
_hoping_ to get MAC src addresses of the src IPs for some purpose (IPs
beyond what DHCP and rarp reveal as passing local traffic). Problem
is that MACs don't propagate down the line like IPs do.

Which leaves us with the original purpose for wanting MACs of incoming
IP packets -- presumably the MACs "physically" associated with the src
IPs ...

regards,
prg
email above disabled
 