Why do we see long MAC address in iptables log message?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux

Issue

  • Why do we see long MAC address in iptables log message?
  • Following command has been executed in order to log the iptables log for ftp service :
iptables -A INPUT  -j LOG -p tcp --dport 22 --log-level warn

Found following messages in log file:

Feb 15 07:57:25 backupR3 kernel: IN=eth1 OUT= MAC=00:60:dd:45:67:ea:00:60:dd:45:4c:92:08:00 SRC=199.66.90.237 DST=199.21.151.198 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=922 DF PROTO=TCP SPT=49601 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
  • Why MAC address is so long?

Resolution

  • The MAC address logged in the file is longer than expected, as it is indicating several pieces of information:
MAC=00:60:dd:45:67:ea:00:60:dd:45:4c:92:08:00
  • This can be broken up into three different pieces of information. Souce MAC, Destination MAC and frame type.
00:60:dd:45:67:ea: Destination MAC=00:60:dd:45:67:ea  
00:60:dd:45:4c:92: Source MAC=00:60:dd:45:4c:92  
08:00 : Type=08:00 (ethernet frame carried an IPv4 datagram)

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.