Subject: Re: help w/ tcpdump/arp
To: Brian Grayson <bgrayson@latte.ece.utexas.edu>
From: Paul Goyette <paul@whooppee.com>
List: current-users
Date: 09/07/1998 09:57:33
Try tcpdump -e

On Sat, 5 Sep 1998, Brian Grayson wrote:

>   A little while ago, I had reason to believe one of the machines on
> our subnet had been broken into -- the subnet was flooded with
> messages from a numerical IP not on our net, to a named host not on
> our net.  And the numerical IP would change every 20 packets or so.
> 
>   Is there a flag to tcpdump that says, print out the ethernet address
> of the sending machine, so that I could tell which of the 200 or so
> machines on the subnet was responsible?  Is there any good
> method/program for translating Ethernet addresses to IPs?  arp looks
> like it'll only do the reverse, and arp -a will only show current cached
> ARP entries, not all entries for the whole subnet.
> 
>   Fortunately, the flooding stopped, but it could start up again any
> minute now....
> 
>   Brian
> 
> 

-----------------------------------------------------------------------------
| Paul Goyette      | Public Key fingerprint:    | E-mail addresses:        |
| Network Engineer  |   0E 40 D2 FC 2A 13 74 A0  |  paul@whooppee.com       |
| and kernel hacker |   E4 69 D5 BE 65 E4 56 C6  |  paul.goyette@ascend.com |
-----------------------------------------------------------------------------
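As an added example, not part of this thread: a small Python script that reads `tcpdump -e` output and groups off-net source IP addresses by the Ethernet address that emitted them, which is what identifies the physical machine behind a flood whose source IP keeps changing. It assumes the modern libpcap line layout (with the "ethertype" field); the capture lines below are constructed, not real traffic.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the modern "tcpdump -e" line layout (assumption: your tcpdump prints
# this form; older versions omit the "ethertype ... length N:" fields).
LINE_RE = re.compile(
    r"^\S+\s+"                                                  # timestamp
    r"(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "              # src ip[.port]
    r"(?P<dst>[^:]+):"                                          # dst ip[.port]
)

def parse_line(line):
    """Return (src_mac, src_ip, dst) for one -e line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("src_mac"), m.group("src_ip"), m.group("dst")

def spoofing_sources(lines, local_net):
    """Map each source MAC to the set of off-net source IPs it has sent from.
    The MAC does not change when the claimed IP does, so it names the machine."""
    net = ipaddress.ip_network(local_net)
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        mac, src_ip, _ = parsed
        if ipaddress.ip_address(src_ip) not in net:
            seen[mac].add(src_ip)
    return dict(seen)

# Constructed sample capture: two hosts behave normally, one host (00:00:c0:44:55:66)
# sends from rotating addresses that are not in the local 192.0.2.0/24 subnet.
SAMPLE = """\
09:57:33.000001 00:00:c0:11:22:33 > 00:00:c0:ff:ff:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.1034 > 192.0.2.1.53: 1234+ A? example.net. (29)
09:57:33.000002 00:00:c0:44:55:66 > 00:00:c0:ff:ff:01, ethertype IPv4 (0x0800), length 60: 198.51.100.7.2000 > 203.0.113.9.80: Flags [S], seq 1, win 512, length 0
09:57:33.000003 00:00:c0:44:55:66 > 00:00:c0:ff:ff:01, ethertype IPv4 (0x0800), length 60: 198.51.100.8.2001 > 203.0.113.9.80: Flags [S], seq 1, win 512, length 0
09:57:33.000004 00:00:c0:77:88:99 > 00:00:c0:ff:ff:01, ethertype IPv4 (0x0800), length 98: 192.0.2.20 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64
09:57:33.000005 00:00:c0:44:55:66 > 00:00:c0:ff:ff:01, ethertype IPv4 (0x0800), length 60: 198.51.100.9.2002 > 203.0.113.9.80: Flags [S], seq 1, win 512, length 0
"""

if __name__ == "__main__":
    for mac, ips in spoofing_sources(SAMPLE.splitlines(), "192.0.2.0/24").items():
        print(f"{mac}: {len(ips)} off-net source addresses: {sorted(ips)}")
```

Pipe a live capture in with `tcpdump -e -n -l | python3 script.py` style plumbing (reading stdin instead of SAMPLE) and the MAC with the largest set of off-net addresses is the host to look at on the switch.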