How do I extract the source MAC from a [UFW BLOCK] entry?

ufw

I have the following UFW Block entry. How do I get the source MAC? I'm getting a ton from the same MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 doing port scanning. If it matters, I'm using 12.04 LTS.

Feb  4 17:46:06 ChromeBox-Server kernel: [663960.096168] [UFW BLOCK] IN=eth0 OUT= MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 SRC=123.129.216.39 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x20 TTL=115 ID=49547 PROTO=TCP SPT=1535 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

Solution 1:

MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 can be broken up as

  • destination MAC (in this case this is the MAC address of your card, since it is an incoming packet): e8:11:32:cb:d9:42

  • source MAC: 54:04:a6:ba:22:f8

  • EtherType: 08:00

So if you want to programmatically extract the source MAC you can do something like this:

cat ufw.log | awk '{print $11}' | cut -d ':' -f7-12

Related

How can I set the CPU frequency to always stay at its maximum?
xdotool how to select desktop send F5 and return?
Extracting website URL
My Linux desktop sees my HDMI-connected monitor, but my monitor says "No signal"
How can I convert a whole XML dump from Wikia to Kindle? [closed]
How to remove a file with unprintable charaters in Mac OS X Terminal [duplicate]
Unable to partition MacBook Air (Disk Utility and free space re. local snapshots)
Win8x64, after format/upgrade from Win7x86, "GPT Protective Partition" on secondary drive
How does a software like Cheat Engine work?
Is there a way to make zsh run a command after REPORTTIME?
Roommate lagging internet connection by watching videos from Chinese website. Can QoS fix issue?
Windows 8 stuck at loading screen when booting - black screen when repairing