Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Mac address spoof search?

shandman
Path Finder
‎10-11-2017 12:08 AM

I've been trying to get this to work with my data but can't seem to get it to work. https://answers.splunk.com/answers/230665/how-to-edit-my-search-to-filter-and-only-return-du.html?ut...

here is the query i'm running.
index=windows sourcetype=dhcpsrvlog ... | stats dc(dhcp_mac) as macCount values(dhcp_mac) as mac by dhcp_hostname | search macCount>1

I run that for the past 30 days, during which time I have spoofed mac addresses with 0 results coming up with this search. Am I missing something?

Labels (1)
Labels
Tags (2)
0 Karma
Reply

shandman
Path Finder
‎10-11-2017 01:25 PM

I think I'm close. Just need a little help. here is my current search
index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by raw_mac | where count = 2

I'm trying to get results for any 2 systems sharing the same mac address.

Thanks again for the help guys.

0 Karma
Reply

shandman
Path Finder
‎10-11-2017 09:39 AM

Ah. I see. No the search is showing with dest_mac and dest_nt_host

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-11-2017 09:43 AM

Then your query should be 

index=windows sourcetype=dhcpsrvlog ... | stats dc(dest_mac) as macCount values(dest_mac) as mac by dest_nt_host| search macCount>1
0 Karma
Reply

shandman
Path Finder
‎10-11-2017 10:20 AM

Now there is a plethora of hosts showing up with slightly different mac addresses. 1340 results . Looks like maybe they have multiple network interfaces? How can I adjust the search to show when another host takes on the mac address of a host? Thus showing when a mac address has been spoofed? Thanks guys.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎10-11-2017 06:22 AM

Hi @shandman,

When you run this query index=windows sourcetype=dhcpsrvlog ... are you getting dhcp_mac and dhcp_hostname in interesting field on left hand side in splunk?

0 Karma
Reply

blacknight659
Explorer
‎10-11-2017 07:53 AM

Same question, But make sure you are in Smart or Verbose mode when you check this.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...