CEH

(Jeff_L) #1

Working with MAC Addresses


broken down into a six-pair hexadecimal value—for example, c0-cb-38-ad-2b-c4. The first
half of the MAC is specific to the manufacturer. So, in this case the c0-cb-38 identifies the
vendor. The ad-2b-c4 identifies the device or NIC itself. Switches are considered layer 2
devices because they operate just one level below the layer 3 router functions. Remember,
layer 3 is the network layer. The network layer contains all the IP addressing; layer 2 deals
strictly with MAC addresses (see Exercise 2.1). Note that quite a few switches are available
today that operate at both layer 2 and layer 3, but for simplicity’s sake, and for our
purposes, switches are at layer 2.




EXERCISE 2.1


Finding the MAC Address


Since we are mentioning MAC addresses, you should be familiar with what they look like as
well as how to locate one on a given system. With that in mind the following exercise shows
you how to find the MAC address.


■ On a Windows system, open a command window and enter ipconfig /all. The characters
next to the physical address are the MAC address.

■ On a Linux system, open a shell and enter ifconfig.


Note that with both systems it is possible to see more than one MAC address if the system
has more than one NIC installed or a virtual adapter.
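
The following sketch is an added example, not part of the original text: it pulls the MAC addresses out of ipconfig /all or ifconfig output and splits each one into its vendor half and device half. The function names and the sample output are constructed for illustration. It goes slightly beyond the exercise by ignoring the longer DHCPv6 DUID that ipconfig prints in the same style and by flagging locally administered addresses, which often belong to virtual adapters.

```python
import re

# Six hex pairs with one consistent separator ('-' on Windows, ':' on Linux).
# The lookarounds reject longer runs such as a DHCPv6 DUID, which ipconfig
# prints in the same pair-and-hyphen style.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f][-:])\b[0-9A-Fa-f]{2}([-:])[0-9A-Fa-f]{2}"
    r"(?:\1[0-9A-Fa-f]{2}){4}\b(?![-:][0-9A-Fa-f])"
)

def _fmt(part):
    """Render bytes in the lowercase, hyphenated form used in the text."""
    return "-".join(f"{b:02x}" for b in part)

def split_mac(text):
    """Normalise one MAC string and split it into its two halves."""
    octets = bytes.fromhex(re.sub(r"[-:]", "", text))
    return {
        "mac": _fmt(octets),
        "vendor": _fmt(octets[:3]),   # first half: manufacturer
        "device": _fmt(octets[3:]),   # second half: the NIC itself
        # Bit 0x02 of the first octet marks a locally administered address,
        # so the first half is then not an IEEE-assigned vendor prefix.
        "locally_administered": bool(octets[0] & 0x02),
    }

def find_macs(output):
    """Return each distinct MAC found in command output, in order seen."""
    found = {}
    for match in MAC_RE.finditer(output):
        info = split_mac(match.group(0))
        found.setdefault(info["mac"], info)
    return list(found.values())

# Constructed sample output (not captured from a real system).
WINDOWS_SAMPLE = """\
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : C0-CB-38-AD-2B-C4
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-6F-11-22-C0-CB-38-AD-2B-C4
Ethernet adapter Virtual Host-Only:
   Physical Address. . . . . . . . . : 0A-00-27-00-00-10
"""
LINUX_SAMPLE = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::c2cb:38ff:fead:2bc4  prefixlen 64  scopeid 0x20<link>
        ether c0:cb:38:ad:2b:c4  txqueuelen 1000  (Ethernet)
"""

if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, LINUX_SAMPLE):
        for info in find_macs(sample):
            print(info)
```
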


To extend our conversation on switches a bit further, let’s take a quick peek at broadcast
domains and collision domains since this concept will directly impact our network scanning
capabilities. A broadcast domain simply means that traffic sent across the wire will
be broadcast to all hosts or nodes attached to that network. Address Resolution Protocol
(ARP) requests, which are sent to the network to resolve hardware addresses, are an example
of broadcast traffic. Collision domains are network segments in which traffic sent will
potentially collide with other traffic. In a collision domain, data sent will not be broadcast
to all attached nodes; it will bump heads with whatever other traffic is present on the wire.
So what this means is that when you throw your little penetration testing laptop on a wire
and connect to a switch, you need to be aware that no matter how promiscuous your NIC
decides to be, your captured traffic will be limited to the collision domain (aka switchport)
you are attached to.


Techniques used to convert a switch into a giant hub and thus one large
collision domain will be addressed in future chapters. For now just understand
the initial limitations of a switch in terms of sniffing and packet
capture.