Broadband Tech > Security > Security > tracing a mac address

tracing a mac address

Not likely.

Part of the mac address identifies the manufacturer of the device. The rest is defined by that manufacturer. With that, you're narrowing down the possibilities a bit -- i.e. you know that it's a wireless device made by Intel.

You're not narrowing it down too much though. Most Windows laptops I've used in the past five years all use Intel made internal wireless cards.

And... it's not too difficult to spoof a MAC address.

If you know the MAC address of the intruder, why not just block it? That won't help you identify the perp (unless somebody complains that he/she can't connect), but it will secure you a bit more

--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay

reply to horacebork
What do you mean by 'trace'?

If you're seeing a MAC address, it must be on the network that saw it (if wired-LAN side, then on your wired LAN; if WiFi, then directly connected to your router; if WAN side, then it's something else on that wire). MAC addresses are next-hop only.

i have pasted in the items in question from the log (edited).
by trace, i mean find the source device. and it seems to only be associated with the network for a very short period of time.
my router has mac address filtering, but only 'allow', i think.
(edit: seems like i can set a filter for a mac address to 'no access' - good news)
it's an airport extreme base station (4th gen).

also, can i scan my network for a mac address?
---

Feb 27 10:45:41 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 10:45:41 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 10:50:05 Severity:5 Disassociated with station 00:24:d2:ab:05:50
Feb 27 10:50:15 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 10:50:15 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 11:15:37 Severity:5 Disassociated with station 00:24:d2:ab:05:50
Feb 27 11:15:47 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 11:15:47 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 11:21:04 Severity:5 Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 3).
Feb 27 11:21:04 Severity:5 Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 2).
Feb 27 11:21:05 Severity:5 Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 3).
Feb 27 11:21:05 Severity:5 Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 2).
Feb 27 11:21:08 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 11:21:08 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 11:28:41 Severity:5 Idle timeout for station 00:24:d2:ab:05:50
Feb 27 11:28:41 Severity:5 Disassociating with station 00:24:d2:ab:05:50 (reserved 4).
Feb 27 11:28:41 Severity:5 Disassociated with station 00:24:d2:ab:05:50
Feb 27 11:29:18 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 11:29:18 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 11:54:31 Severity:5 Idle timeout for station 00:24:d2:ab:05:50
Feb 27 11:54:31 Severity:5 Disassociating with station 00:24:d2:ab:05:50 (reserved 4).
Feb 27 11:54:31 Severity:5 Disassociated with station 00:24:d2:ab:05:50
--
".. the sofa has just vanished." ".. well, that's one mystery less."

quote:

---

MAC address 0024D2
Company Askey Computer

---

If I'm not mistaken, FiOS Actiontek routers have an "Askey Computer" MAC address.

reply to horacebork
If you have a basic home router and this came over wireless, not much you can do to "trace" this MAC address.
a) it's wireless, so WHERE are you going to start looking for this MAC address, start knocking on neighborhood
doors?, and b) as jaykaykay said, it's not that hard to spoof a MAC address if you really wanted to.

If you don't want this guy connecting, make sure your wireless is locked down.

Regards

reply to StuartMW
the wireless is wpa2 with a strong password, but not a full-length (64 byte) password, which i have been avoiding.
maybe it's time to bring that issue to the front.
--
".. the sofa has just vanished." ".. well, that's one mystery less."

reply to Raphion
a fios router on the network would be truly odd because our building is wired for cable and does not have fios.
it has to be something else.

now i just want to scan the other apartments on the network for that mac address.

btw: i have cut my router output to 50% to reduce it's range.
would a vpn prevent others from connecting to my wifi?

also, my wifi is set to not broadcast. not sure how someone picked up the network name.

--
".. the sofa has just vanished." ".. well, that's one mystery less."

reply to horacebork
mac filters are easily circumvented. It will cause trouble for legitimate clients and not affect the bad guys at all.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

reply to StuartMW
In case you didn't know, Windows has an ARP command. This only seems to query the local ARP cache, so may be of limited use.

To resolve a MAC address to an IP address, arp -a | findstr nn-nn-nn-nn-nn-nn

192.168.1.104

now what?

reply to dave

quote:

---

...you can use an arp utility either on a PC or on your router if it supports it's use.

---

stuartmw:

So wait you statically assign IPs, yet you left DHCP on? From a quick Google search I see that good ol' Apple doesn't think you'd ever want to disable DHCP. Here's a workaround: »macnugget.org/projects/aebx/

Since your router has no command line access you can't check the ARP command there so you're basically at the end of the road here.

reply to Raphion

cool name
Askey = ACSII

reply to horacebork

reply to AVD