In theory, a MAC address is only visible to computers
on the same network segment, so it should be impossible
to discover the MAC address of a remote computer. However,
our product will often display the MAC address of a remote
intruder. It does so through the "backtrace" component,
which queries the remote computer for its address. This
may find the MAC address even when the intrusion detection
component cannot see it in the packets it captures.
Every Ethernet adapter carries a 48-bit "MAC address"
that its manufacturer assigns to be unique (most drivers
let it be changed in software, so treat it as evidence,
not as proof). It is useful forensic evidence for tracking
down cyber-criminals. For example, the MAC address embedded
in the Word document that carried the Melissa virus (Office
97 wrote it into the document's GUID) helped track down the
virus's creator. For this reason, our product will attempt
to read the MAC address from the intruder.
The MAC address appears in the Ethernet header of every
frame a computer sends, but it is only visible as far as
the first router. Each router forwards the IP packet in a
new frame whose source MAC address is the router's own, so
the sender's address never travels beyond its own segment.
Thus, it is easy to see the MAC address of your neighbor
on the local Ethernet, cable-modem network, or DSL network,
but it is gone by the time the packet leaves the local
area.
However, our product will often display the MAC address of
the intruder.
Even though our product cannot see the MAC address in the
normal packets sent to it, it can still query the intruder
and ask for it. The reply carries the MAC address in the
"payload" of an IP packet, which routers leave untouched.
The most common source of this information is the NetBIOS
"Node Status" query, sent to UDP port 137 (the same request
the Windows "nbtstat -A" command makes). The response's
unit-ID field holds the adapter's MAC address, and its name
table reveals the computer name, the workgroup or domain,
and the logon name of the current user. This only works
when the intruder's machine answers NetBIOS name-service
requests (typically a Windows host with NetBIOS over TCP/IP
enabled and port 137 not filtered), and the address is
whatever the remote host chooses to report: some non-Windows
implementations, Samba among them, return all zeros.
Therefore, even if it is impossible to find the MAC address
in the most obvious place (the Ethernet header), our product
may still discover it in a less obvious place (the NetBIOS
payload).
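As an added example (not part of the original page and not the product's own "backtrace" code), the following Python builds the NetBIOS Node Status request that goes to UDP port 137, parses the reply according to RFC 1002, and pulls the MAC address (the unit-ID field), the computer name, the workgroup and the logged-on user out of the name table. The function names, the hypothetical host "WKS-ALICE", its user "ALICE", the workgroup "WORKGROUP" and the MAC 00:de:ad:be:ef:01 are all constructed for this example; query_host() sends the real request to a live host, while build_sample_response() fabricates a reply so the rest runs offline.

```python
"""NetBIOS Node Status (NBSTAT) request builder and response parser.

Wire format per RFC 1002 (sections 4.2.17 and 4.2.18). The reply's
UNIT_ID field carries the adapter MAC; the name table carries the
computer name, workgroup and logged-on user. Sample data below is
constructed for this example, not captured from a real host."""
import socket
import struct

NBSTAT_TYPE = 0x0021                 # RR type of a node status query/response
CLASS_IN = 0x0001
WILDCARD_NAME = b"*" + b"\x00" * 15  # "*" asks the host for its whole name table
GROUP_FLAG = 0x8000                  # NAME_FLAGS bit: group name (workgroup) vs unique
SUFFIX_WORKSTATION = 0x00            # <00>: computer name if unique, workgroup if group
SUFFIX_MESSENGER = 0x03              # <03>: registered for the host and each logged-on user


def encode_name(raw16: bytes) -> bytes:
    """RFC 1002 first-level encoding: each byte becomes two letters in A..P,
    wrapped as a single 32-byte label followed by a zero terminator."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    enc = bytes(0x41 + nib for b in raw16 for nib in (b >> 4, b & 0x0F))
    return bytes([32]) + enc + b"\x00"


def build_node_status_request(txid: int = 0x1234) -> bytes:
    """The datagram sent to UDP/137: one question for '*' of type NBSTAT."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags=0: plain query
    return header + encode_name(WILDCARD_NAME) + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def parse_node_status_response(data: bytes) -> dict:
    """Return {'txid', 'mac', 'names': [(name, suffix, flags), ...]} or raise."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12 + 1 + data[12] + 1                  # skip RR_NAME: length byte, label, terminator
    rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT_TYPE or rclass != CLASS_IN:
        raise ValueError("unexpected RR type/class")
    rdata = data[off:off + rdlen]
    if len(rdata) != rdlen or rdlen < 1:
        raise ValueError("truncated RDATA")
    names, pos = [], 1
    for _ in range(rdata[0]):                    # NUM_NAMES entries of 18 bytes each
        if pos + 18 > len(rdata):
            raise ValueError("truncated name table")
        raw, suffix, nflags = struct.unpack_from(">15sBH", rdata, pos)
        names.append((raw.rstrip(b" ").decode("ascii", "replace"), suffix, nflags))
        pos += 18
    if pos + 6 > len(rdata):                     # STATISTICS starts with the 6-byte UNIT_ID
        raise ValueError("truncated statistics block")
    mac = ":".join(f"{b:02x}" for b in rdata[pos:pos + 6])
    return {"txid": txid, "mac": mac, "names": names}


def summarize(parsed: dict) -> dict:
    """Map the raw name table onto the fields an analyst wants."""
    computer = workgroup = None
    for name, suffix, nflags in parsed["names"]:
        if suffix == SUFFIX_WORKSTATION and not nflags & GROUP_FLAG and computer is None:
            computer = name
        elif suffix == SUFFIX_WORKSTATION and nflags & GROUP_FLAG and workgroup is None:
            workgroup = name
    # <03> names are registered for the computer and for the logged-on user;
    # whichever unique <03> name is not the computer name is a user name
    users = [n for n, s, f in parsed["names"]
             if s == SUFFIX_MESSENGER and not f & GROUP_FLAG and n != computer]
    return {"mac": parsed["mac"], "computer": computer,
            "workgroup": workgroup, "users": users}


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Send the request to a live host on UDP/137 and summarize its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, 137))
        data, _ = s.recvfrom(4096)
    return summarize(parse_node_status_response(data))


def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply from a hypothetical Windows host (names and MAC are made up)."""
    def entry(name: str, suffix: int, nflags: int) -> bytes:
        return name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    table = (entry("WKS-ALICE", 0x00, 0x0400) + entry("WKS-ALICE", 0x20, 0x0400)
             + entry("WORKGROUP", 0x00, 0x8400) + entry("WKS-ALICE", 0x03, 0x0400)
             + entry("ALICE", 0x03, 0x0400))
    stats = bytes.fromhex("00deadbeef01") + b"\x00" * 40   # UNIT_ID, then zeroed counters
    rdata = bytes([5]) + table + stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + authoritative
    rr = encode_name(WILDCARD_NAME) + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    print(summarize(parse_node_status_response(build_sample_response())))
```

Running the file prints the summary for the constructed reply; point query_host() at a Windows host that has NetBIOS over TCP/IP enabled to see live data. A unit-ID of 00:00:00:00:00:00 means the host (often a Samba server) declined to report its adapter address, which is why the parser reports the field verbatim rather than treating zeros as an error.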