The MAC addresses on the right in the firewall logs are not the MAC addresses of the IPs that are trying to get into my network; it is the MAC address of the ISP gateway, which is connected to my RED interface, and in all of my firewall entries which were dropped from the internet it is always the same.
I think you have a different connection type with the Internet.
In the logs of the IPS there are also no MAC addresses given.
Only if the entries in the firewall are from the internal network are the MAC addresses shown in the log.
At the moment I collect the specific IPs and add these as saved hosts in a group which is blocked with reject in the firewall, log off. I hope this helps.
If you had the packet.
It is interesting that the IPS only logs the IP.
And the firewall logs the IP and the MAC.
As in picture posted at 17.
Same MAC different IP addresses.
Not sure
How does Wireshark work?
Looks like there is an add-on called tshark. That may do the trick.
The only letdown in blocking these people is random IP addresses,
ever-changing MAC addresses. They will probably age out.
Hack at you all day with a VM. Then hack at you tomorrow with a new VM. Different MAC every time.
Routing works on networks. Networks are defined by IPs (even with IPv6).
MACs are the unique addresses of a device inside a network. Uniqueness is necessary for unambiguous addition of a device (no other device has its MAC).
The MAC is the address of the routing device. On red, for example, all packets are sent by your internet access device (modem, router, …). Therefore the level 2 address (MAC) is the address of this device.
That is incorrect. The MAC address is updated in the packet for every hop to the MAC Address for the next interface that it needs to send the packet to.
So at every hop the MAC address is replaced in the packet and you finally see the packet with a MAC address for the gateway that you use (i.e., your ISP).
My smartphone uses a different MAC address every time it connects to the WLAN access points, so you can’t say “unique” hardware address in the network.
I can change the hardware MAC addresses of every network device, so it is not possible to identify this network card (or PC/machine/device) after a reconnect if I change the MAC in the meantime.
Edit: And if every hop means a change of the MAC address in the packet header, why is this not the case when using switches? And if so, how does the packet find its way back through the hundreds of network devices the packet goes through on its way?
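An added example, not part of the thread: the "same MAC, different IP addresses" pattern discussed above can be checked directly from the firewall log by grouping source IPs under the source MAC they arrived with. It assumes the firewall writes Linux netfilter LOG-style lines (the thread does not show the raw format); the sample lines, interface names, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Linux netfilter LOG style (assumed format, not from the thread).
# MAC= holds the 14-byte Ethernet header: destination MAC, source MAC, EtherType.
SAMPLE_LOG = """\
kernel: DROP_INPUT IN=red0 OUT= MAC=02:00:00:aa:00:01:02:00:00:bb:00:fe:08:00 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40112 DPT=23
kernel: DROP_INPUT IN=red0 OUT= MAC=02:00:00:aa:00:01:02:00:00:bb:00:fe:08:00 SRC=192.0.2.55 DST=198.51.100.20 PROTO=TCP SPT=51820 DPT=22
kernel: DROP_INPUT IN=red0 OUT= MAC=02:00:00:aa:00:01:02:00:00:bb:00:fe:08:00 SRC=203.0.113.99 DST=198.51.100.20 PROTO=UDP SPT=5060 DPT=5060
kernel: DROP_FORWARD IN=green0 OUT=red0 MAC=02:00:00:aa:00:02:02:00:00:cc:00:10:08:00 SRC=192.168.1.10 DST=203.0.113.7 PROTO=TCP SPT=49152 DPT=445
kernel: DROP_FORWARD IN=green0 OUT=red0 MAC=02:00:00:aa:00:02:02:00:00:cc:00:11:08:00 SRC=192.168.1.11 DST=203.0.113.7 PROTO=TCP SPT=49153 DPT=445
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return iface, src_ip, dst_mac, src_mac for one log line, or None."""
    kv = dict(FIELD.findall(line))
    octets = kv.get("MAC", "").split(":")
    if len(octets) != 14 or "SRC" not in kv or "IN" not in kv:
        return None  # no full Ethernet header in this line
    return {"iface": kv["IN"], "src_ip": kv["SRC"],
            "dst_mac": ":".join(octets[:6]), "src_mac": ":".join(octets[6:12])}

def ips_per_source_mac(log_text):
    """Map (ingress interface, source MAC) -> set of source IPs seen with it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[(rec["iface"], rec["src_mac"])].add(rec["src_ip"])
    return dict(seen)

def likely_gateways(log_text, min_ips=2):
    """A source MAC carrying several source IPs is the previous-hop router, not the sender."""
    return {key: ips for key, ips in ips_per_source_mac(log_text).items()
            if len(ips) >= min_ips}

if __name__ == "__main__":
    for (iface, mac), ips in ips_per_source_mac(SAMPLE_LOG).items():
        role = "previous-hop router" if len(ips) > 1 else "single host on this segment"
        print(f"{iface} {mac}: {len(ips)} source IP(s) -> {role}")
```

On the constructed sample, every drop on the external interface shares one source MAC (the upstream gateway), while hosts on the internal segment each show their own, so only the IP is usable for blocking Internet sources.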