Terminal & tcpdump

Can anybody enlighten me, please, on the best way to use tcpdump within Terminal (or anything similar) for the purpose I have outlined below?

We have had a laptop stolen and wish to find out if it ever connects to our network. I have been told that tcpdump, in Terminal, can compile a list of connected computers. In an effort to find out how to use it I opened Terminal and typed "info tcpdump". What followed was page after page after page of instructions and parameters, etc. which did more to bewilder me than enlighten me.

We have the serial number, Airport MAC address and Ethernet MAC address of the laptop, and need to be notified if it connects. Tracking down its physical location will then be relatively straightforward.

What commands (in simple English - for a not-too-technical person) should I use to keep a watch for a particular MAC address? From what I have read so far about packet sniffers, etc., I would imagine there is a filter of some sort which can be set.

Any help, suggestions, etc. would be greatly appreciated. My experience with Terminal has been absolutely minimal and very cautious at that.

Quadra 700 - sys 7.0.1•, PowerMac G4 DP 1.25 GHz - sys 10.4.11

Posted on Aug 25, 2008 9:30 PM


Aug 25, 2008 11:13 PM in response to Steven Jones

tcpdump is not likely to help you.

First of all, MAC addresses are only relevant on local networks - you can see the MAC address of any device on your local network - printers, routers, switches, other computers, etc. - but you can't see MAC addresses of remote devices. So having the MAC address isn't going to help you unless the device is plugged into your local network (in which case it probably isn't stolen).

So next down the list is IP address. You're unlikely to be able to trace it from there because any internal/private IP address used inside your LAN (e.g. 192.168.x.x or 10.x.x.x) wouldn't be visible publicly. If the device was connected to the internet you'd see its IP address, so the issue is really identifying this machine, but you don't know what IP address it would be using.

Now, if the machine was configured to talk to your server (e.g. to retrieve mail) then you may be able to trace it via the mail logs, but that's a far easier proposition than tcpdump. You have to hope, of course, that whoever stole it is stupid enough to connect it to the internet before wiping the hard drive and re-installing a clean OS. If that's happened you have almost no way of tracing the machine remotely.
There are third-party packages that can do this, but they work by pre-installing software on the machine that periodically calls home (to the vendor), and it's installed in such a way it's hard to circumvent. If you don't have such software installed you're likely out of luck, sorry.

Aug 26, 2008 12:40 AM in response to Camelot

As per my original post, I am only concerned with trying to track it WITHIN the local network. It is a school with both Ethernet and wireless connectivity. It's a remote possibility, but if the person who stole it (most likely a student) is blasé/careless/arrogant/stupid enough to try to use it at school, we would like to find out. Such use would probably be by wireless from what he/she might consider a safe, out-of-sight location and maybe even "showing off" to friends (who might not even know it's stolen and think that it's a recent purchase or gift). Anyhow, whatever the reasoning for and against the likelihood of it being connected to our network, we would like to be able to notice when it happens, if it happens. I mentioned tcpdump and Terminal because I was told by somebody that it might be able to perform that function within the local network. I am open to suggestion as to ANY software which may be able to detect MAC addresses locally (and, if it has a command-line interface, some indication of how to use it). If we decide to try tracking it outside the local network, we would obviously contact the various Internet Service Providers to determine if they could assist at all, as the thief would very likely use it at home. We would bow to the greater wisdom of the ISPs in terms of what can be done. But at the moment we're really just concerned with what we have some control over.

Aug 26, 2008 2:46 AM in response to Steven Jones

Something along the lines of the following will show you all packets that originate from the machine with the MAC address of 00:1f:5b:80:77:0f and which are passing through the machine you run the command on.

sudo tcpdump ether src host 00:1f:5b:80:77:0f

There are a couple of things you should consider with this:

1) When asked for your password you should enter your login password - you must have an administrator account to run tcpdump.

2) You may need to specify the correct interface to tcpdump. You can list all interfaces by running ifconfig in the terminal. For example, on my computer en0 is the wireless card, to force tcpdump to use it I would need to specify it like this: sudo tcpdump -i en0 ether src host 00:1f:5b:80:77:0f

Finally, and this is crucial:

3) MAC addresses are only carried between two links on a network. IP addresses are designed for routing across multiple links. This means that if your stolen laptop is being used wirelessly, its MAC address won't be in the packet beyond the wireless base station:

Stolen Laptop
00:00:00:00:00:01
|
|
Base Station
00:00:00:00:00:02
|
|
|
Listening Computer
00:00:00:00:00:03

In this scenario the listening computer would see only packets with the src address of 00:00:00:00:00:02.

Aug 26, 2008 7:06 AM in response to Steven Jones

Another method may be to poll your arp table for the presence of either of these MAC addresses. On a large network this may not be an option (routers may not forward broadcast, etc.) but it's worth a try:
<pre>#!/bin/sh
# checkmac: ping the LAN broadcast address so every live host answers (and so
# lands in this machine's ARP cache), then grep the ARP table for the MAC
# pattern given as $1.

# Take the first broadcast address ifconfig reports (ping accepts one host).
BCAST=`ifconfig | sed -ne '/broadcast/ s/.* \(.*\)/\1/p' | head -1`
ping -c1 "$BCAST" >/dev/null 2>&1
RSLT=`arp -an | egrep "$1"`

if [ "$RSLT" ] ; then
echo `date` Found: $RSLT # Maybe pipe to email and/or log.
fi
</pre>
The following for a couple known hosts on my network:
<pre>checkmac ' 0:10:20:30:40:50 | 60:70:80:90:a0:b0 '</pre>
Returns:
<pre>Tue Aug 26 09:55:06 EDT 2008 Found: ? (192.168.1.3) at 0:10:20:30:40:50 on en0 [ethernet] ? (192.168.1.16) at 60:70:80:90:a0:b0 on en0 [ethernet]
</pre>
--
Cole
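Combining the tcpdump filter from the earlier reply with Cole's ARP polling, here is an added example that is not from any poster in this thread: it normalizes MAC addresses (BSD/macOS `arp -an` drops leading zeros, printing 00:1f:5b:80:77:0f as 0:1f:5b:80:77:f, so a plain string match or grep for the padded form misses it), matches `arp -an` output against a watch list, and builds the equivalent multi-MAC tcpdump filter. The second watch-list MAC, the sample ARP table and the check_live helper are constructed assumptions; like the ARP approach itself, it only sees hosts the listening machine shares a link with.

```python
import re
import subprocess

# Constructed sample of `arp -an` output (macOS-style, leading zeros dropped);
# not captured from any real network.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:1f:5b:80:77:f on en0 [ethernet]
? (192.168.1.3) at 0:10:20:30:40:50 on en0 [ethernet]
? (192.168.1.16) at 60:70:80:90:a0:b0 on en0 [ethernet]
? (192.168.1.22) at (incomplete) on en0 [ethernet]
"""

# Hypothetical watch list: the laptop's Ethernet and AirPort MACs (second one invented).
WATCHLIST = ["00:1F:5B:80:77:0F", "00:1f:5b:80:77:10"]

_MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$", re.I)

def normalize_mac(mac):
    """Return the MAC as lowercase, zero-padded 'xx:xx:xx:xx:xx:xx'."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def parse_arp(text):
    """Yield (ip, mac, iface) for every complete entry in `arp -an` output.
    Handles both the macOS ('at MAC on en0 [ethernet]') and Linux
    ('at MAC [ether] on eth0') layouts; incomplete entries are skipped."""
    for line in text.splitlines():
        m = re.search(r"\((\S+)\) at (\S+) .*?on (\S+)", line)
        if not m or m.group(2) == "(incomplete)":
            continue
        yield m.group(1), normalize_mac(m.group(2)), m.group(3)

def find_watched(text, watchlist):
    """Return the ARP entries whose (normalized) MAC is on the watch list."""
    wanted = set(normalize_mac(m) for m in watchlist)
    return [entry for entry in parse_arp(text) if entry[1] in wanted]

def tcpdump_filter(watchlist):
    """Filter expression matching frames sent by any watched MAC, for
    `sudo tcpdump -i en0 -e -n -l '<filter>'`."""
    return " or ".join("ether src host " + normalize_mac(m) for m in watchlist)

def check_live(watchlist):
    """Run the real `arp -an` (after checkmac's broadcast ping, ideally) and report hits."""
    out = subprocess.check_output(["arp", "-an"]).decode("ascii", "replace")
    return find_watched(out, watchlist)

if __name__ == "__main__":
    for ip, mac, iface in find_watched(SAMPLE_ARP, WATCHLIST):
        print("Found %s at %s on %s" % (mac, ip, iface))
```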

Aug 26, 2008 8:26 AM in response to Steven Jones

As per my original post, I am only concerned with trying to track it WITHIN the local network


OK, it wasn't clear to me that you expected the machine to connect to your network.

It is a school


Ahh, that makes a whole lot of difference 🙂

I am open to suggestion as to ANY software which may be able to detect MAC addresses locally


Since your system will only see the MAC address if the machine in question directly contacts it, MAC addresses may not be the way to go. A broadcast ping may help but not everything will respond to a broadcast ping.

Instead I suggest checking your switches. By definition every switch needs to know where every MAC address is. The switch should have some command such as 'show mac' which will show each MAC address it knows as well as which port to use to get to it. Depending on your network topology that port may link to a base station or another switch. If it's another switch, just follow the chain until you narrow down where it is. Depending on your base station, you may also be able to query it for MAC addresses that it is servicing.

This approach has two significant advantages over MAC tracing via tcpdump.
First of all, they can't hide (switched networks depend on MAC address tables).
Secondly, thanks to arp caches, the switch will remember a MAC for a period of time - typically measured in minutes - which may enable you to narrow down the machine's location even if it's just been turned off.

Aug 26, 2008 6:25 PM in response to Camelot

Thanks to all three of you who have given me a good mixture of background information and specific things to try. This should assist with our detective work.

We have already established that after it was stolen it was taken into a nearby classroom, removed from its original box and probably hidden in a school bag (we found the empty box) before being taken home. A short time ago, I have also established that it has not yet connected to our network via the server which handles all wireless connections. This server's access logs, which show the MAC addresses of connected computers, do not contain the one for our missing laptop. These logs provide some information (although retrospectively) and there is a certain amount of manual work and time involved in searching through the logs.

From a quick look at the suggestions given I am hopeful that we can automate our searching and get up-to-date information quickly. We are not really very optimistic about retrieving the laptop but if it does appear at school we definitely don't want it to slip by simply because we're not looking! Thanks again for your contributions.

