7
rated 0 times [  7] [ 0]  / answers: 1 / hits: 3637  / 1 Year ago, sun, december 25, 2022, 11:55:52

I have the following UFW Block entry. How do I get the source MAC? I'm getting a ton from the same MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 doing port scanning. If it matters, I'm using 12.04 LTS.



Feb  4 17:46:06 ChromeBox-Server kernel: [663960.096168] [UFW BLOCK] IN=eth0 OUT= MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 SRC=123.129.216.39 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x20 TTL=115 ID=49547 PROTO=TCP SPT=1535 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0


 Answers
7

MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 can be broken up as:

  • destination MAC (in this case this is the MAC address of your card, since it is an incoming packet): e8:11:32:cb:d9:42
  • source MAC: 54:04:a6:ba:22:f8
  • EtherType: 08:00

So if you want to programmatically extract the source MAC you can do something like this:



cat ufw.log | awk '{print $11}' | cut -d ':' -f7-12

[#27126] Monday, December 26, 2022, 1 Year  [reply] [flag answer]
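
An added example, not part of the original answer: the same split done by field name rather than column number, so it still works when a space-padded kernel timestamp shifts the columns or when the MAC= field is empty. The function names and the second and third sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate MAC= and SRC= by name, then split the 14 logged bytes
# of the Ethernet header into destination MAC, source MAC and EtherType.

# Reads kernel log lines on stdin; prints "src_mac dst_mac ethertype src_ip".
parse_ufw_mac() {
    awk '
    /\[UFW / {
        mac = ""; ip = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^MAC=/)      mac = substr($i, 5)
            else if ($i ~ /^SRC=/) ip  = substr($i, 5)
        }
        # Ethernet header = 6 bytes dst + 6 bytes src + 2 bytes EtherType.
        if (split(mac, b, ":") != 14) next   # empty or non-Ethernet MAC= field
        dst = b[1]; src = b[7]
        for (j = 2; j <= 6; j++) { dst = dst ":" b[j]; src = src ":" b[j + 6] }
        print src, dst, "0x" b[13] b[14], ip
    }'
}

# A MAC address is only valid on the local link: for a SRC outside your subnet
# the source MAC is the last hop (normally your router), not the remote host,
# so many different remote IPs will show the same source MAC.
# Hits per source MAC, busiest first: "count src_mac".
count_by_src_mac() {
    parse_ufw_mac | awk '{ c[$1]++ } END { for (m in c) print c[m], m }' | sort -rn
}

# Sample input: line 1 is the entry from the question; lines 2-3 are constructed.
sample_log() {
cat <<'EOF'
Feb  4 17:46:06 ChromeBox-Server kernel: [663960.096168] [UFW BLOCK] IN=eth0 OUT= MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 SRC=123.129.216.39 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x20 TTL=115 ID=49547 PROTO=TCP SPT=1535 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 17:46:09 ChromeBox-Server kernel: [  812.004211] [UFW BLOCK] IN=eth0 OUT= MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 PROTO=TCP SPT=40112 DPT=23 SYN URGP=0
Feb  4 17:46:11 ChromeBox-Server kernel: [663965.500000] [UFW BLOCK] IN=tun0 OUT= MAC= SRC=198.51.100.9 DST=10.8.0.1 LEN=60 PROTO=TCP SPT=5000 DPT=80 SYN URGP=0
EOF
}

sample_log | count_by_src_mac
```

On a real system, feed the functions the actual log instead of the sample, for example `parse_ufw_mac < ufw.log`.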
fotres
