We added a feature to alert you whenever a new MAC address is seen by the system. The system learns about MAC addresses either through analyzing the DHCP protocol or finding new MAC addresses in the normal network traffic (if you are mirroring/spanning the endpoints’ MAC addresses).
Every time the system sees a new MAC address, it generates a message of the form:
MACwatch <IP_ADDRESS> <MAC_ADDRESS> <FLOW_INFORMATION>
<IP_ADDRESS> is the IP address currently using the newly discovered MAC.
<MAC_ADDRESS> is the new MAC address.
<FLOW_INFORMATION> is the flow record from which the new MAC was discovered (typically a DHCP lease, but it can also be a UDP or TCP packet if you span the endpoints' MAC addresses from the switch).
See the screenshot from our lab firewall sensor.
Immediately after the update, every MAC address is new to the system, so you will see MACwatch messages for MAC addresses it has never recorded. After a while, only MAC addresses that have genuinely never been seen before will show up, and at that point you can set up a classification matching MACwatch to email yourself, block the communication, or both.
The MAC addresses are searchable on the Assets page under a new column called MAC. The same IP address can have multiple MACs at the same time, and MACs can move from IP to IP because of DHCP leasing; in every case, though, a previously unseen MAC generates a MACwatch message. Some devices (such as printers) can sleep for days, so you may see some legitimate MACwatch messages for a while.
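To make the behaviour above concrete, here is an added example (not MetaFlows' code, and not how their sensor is implemented) of a minimal first-seen-MAC detector. It consumes constructed flow records (DHCP leases and TCP/UDP packets), emits a MACwatch-style message only the first time a MAC is seen, tolerates the same IP carrying several MACs and a MAC moving between IPs, and shows the initial burst-then-quiet pattern: the first pass over the sample reports every MAC, a second pass over the same traffic reports nothing. The `Flow` record, `MacWatch` class and the `classify` rule are assumptions made for this illustration.

```python
"""Added example (not MetaFlows' code): first-seen-MAC detector emitting
MACwatch-style messages from constructed flow records."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """One observation that reveals a MAC address (hypothetical record shape)."""
    ip: str    # IP address currently using the MAC
    mac: str   # MAC address as seen on the wire (any letter case)
    info: str  # flow information: a DHCP lease or a TCP/UDP packet summary


class MacWatch:
    """Tracks every MAC seen so far and reports each MAC exactly once.

    The same IP may map to several MACs, and a MAC may move between IPs,
    but a never-before-seen MAC always produces a message."""

    def __init__(self) -> None:
        self.seen: Set[str] = set()
        self.ip_to_macs: Dict[str, Set[str]] = {}

    def observe(self, flow: Flow) -> Optional[str]:
        mac = flow.mac.lower()  # normalise so AA:BB and aa:bb are one MAC
        self.ip_to_macs.setdefault(flow.ip, set()).add(mac)
        if mac in self.seen:
            return None          # already known: IP change alone is not an alert
        self.seen.add(mac)
        return f"MACwatch {flow.ip} {mac} {flow.info}"


def run(flows: List[Flow], watcher: Optional[MacWatch] = None) -> List[str]:
    """Feed flows through a watcher and return the MACwatch messages produced."""
    watcher = watcher or MacWatch()
    return [m for m in (watcher.observe(f) for f in flows) if m]


def classify(message: str) -> str:
    """Hypothetical classification: anything matching 'MACwatch' gets an action
    (here a label standing in for 'email me' / 'block'); everything else none."""
    return "alert:email" if message.startswith("MACwatch ") else "none"


# Constructed sample traffic (private and documentation address ranges).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "aa:bb:cc:00:00:01", "DHCP lease 10.0.0.5"),
    Flow("10.0.0.5", "AA:BB:CC:00:00:01", "TCP 10.0.0.5:51000 -> 192.0.2.10:443"),
    Flow("10.0.0.5", "aa:bb:cc:00:00:02", "UDP 10.0.0.5:5353 -> 224.0.0.251:5353"),
    Flow("10.0.0.9", "aa:bb:cc:00:00:01", "DHCP lease 10.0.0.9"),   # MAC moved IPs
    Flow("10.0.0.9", "aa:bb:cc:00:00:03", "DHCP lease 10.0.0.9"),   # second MAC on .9
]


if __name__ == "__main__":
    watcher = MacWatch()
    for msg in run(SAMPLE_FLOWS, watcher):      # first pass: the post-update burst
        print(msg, "->", classify(msg))
    print("second pass:", run(SAMPLE_FLOWS, watcher))  # known MACs only: []
```

Three messages come out of the first pass (MACs ...01, ...02 and ...03); the TCP packet with the same MAC in upper case and the DHCP lease that moves ...01 to 10.0.0.9 are silent, while the Assets-style mapping still records both MACs under 10.0.0.5.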
As always, let us know if you have any questions at firstname.lastname@example.org.
The MetaFlows Team