Log traffic from a specific MAC address?
cbad411
Newbie

Hi Team,

I have a sketchy Chinese IP camera, a Dericam.  

For security, I've identified its MAC address, and told my firewall to block all outgoing traffic. Firewall is built into my Verizon router Fios-G1100. I made a network object, and added the MAC address of the Dericam, then said block all traffic to/from internet.

How can I generate a security log, if the Dericam attempts to make an outside connection?  

thanks

Carl


Correct answers
Re: Log traffic from a specific MAC address?
Cang_Household
Community Leader

You can log blocked connection attempts by going to Firewall > Security Logs > Settings > Check relevant categories.

image

You need to check the log at a different place by going to System Monitoring > System Logging > Firewall Log.

Here is an example of the log entry with interpretations.

image

Red box: IN: in-bound interface, br-lan stands for bridged LAN (including 4 port switch, wireless APs, and coax). OUT: out-bound interface, eth1 stands for the WAN Ethernet interface.

Green underlined: MAC address of router (48:5d:36 is the OUI of Verizon Business).

Orange underlined: MAC address of device initiating connection (could be your IP camera).

SRC: source IP address

DST: destination IP address

TTL: time to live. A small number means the packet passed over too many routers. The packet likely comes from overseas sources.

PROTO: next encapsulation protocol. Could be TCP, UDP, ICMP, or even AH and ESP for VPN traffic.

SPT: source port.

DST: destination port. From the port number you can identify the application layer protocol such as HTTP/HTTPS, SSH, FTP, or even ISAKMP for IPsec VPN key exchange.

If you are too worried, you can even set up a Syslog server to receive the logs generated by G1100.
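
Added example, not part of the original post or of Verizon's software: a Python filter that pulls one device's blocked outbound attempts out of firewall log text, keyed on its MAC address. It assumes the G1100 writes Linux netfilter-style LOG lines (as the field names above suggest), with `MAC=` holding destination MAC, source MAC, then EtherType, and the destination port in a `DPT=` field; every address in the sample is constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the Linux netfilter LOG layout (assumed, not
# captured from a G1100). MAC= is assumed to be dst MAC + src MAC + EtherType.
SAMPLE_LOG = """\
Jan 10 03:14:07 kernel: DROP IN=br-lan OUT=eth1 MAC=48:5d:36:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=203.0.113.10 TTL=63 PROTO=TCP SPT=40112 DPT=443
Jan 10 03:14:09 kernel: DROP IN=br-lan OUT=eth1 MAC=48:5d:36:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=198.51.100.7 TTL=63 PROTO=UDP SPT=123 DPT=123
Jan 10 03:14:12 kernel: DROP IN=br-lan OUT=eth1 MAC=48:5d:36:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=203.0.113.10 TTL=63 PROTO=TCP SPT=40113 DPT=443
Jan 10 03:15:30 kernel: DROP IN=br-lan OUT=eth1 MAC=48:5d:36:00:00:01:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=203.0.113.10 TTL=63 PROTO=TCP SPT=51000 DPT=80
Jan 10 03:16:00 kernel: truncated entry IN=br-lan OUT=eth1 MAC=48:5d:36
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def normalize_mac(mac):
    """Lower-case and strip separators so aa-bb.. and AA:BB.. compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_line(line):
    """Return the KEY=value fields plus split-out MACs, or None if unusable."""
    fields = dict(FIELD_RE.findall(line))
    octets = fields.get("MAC", "").lower().split(":")
    if len(octets) < 12 or "DST" not in fields:
        return None
    fields["DST_MAC"] = ":".join(octets[:6])     # router side (green underline)
    fields["SRC_MAC"] = ":".join(octets[6:12])   # initiating device (orange)
    return fields

def outbound_attempts(log_text, device_mac):
    """Count (destination IP, protocol, destination port) per watched device."""
    want = normalize_mac(device_mac)
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        # OUT= is empty for traffic not being forwarded to another interface.
        if f and f.get("OUT") and normalize_mac(f["SRC_MAC"]) == want:
            counts[(f["DST"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts

if __name__ == "__main__":
    for (dst, proto, dpt), n in outbound_attempts(SAMPLE_LOG, "00-11-22-33-44-55").most_common():
        print(f"{n:3d}  {dst:15s} {proto}/{dpt}")
```

Pointed at log text saved from the Firewall Log page or received by a Syslog server, the same function gives a per-destination tally of what the blocked device keeps trying to reach.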
