MAC
MAC stands for Media Access Control. An Ethernet card has a MAC address to identify it which is identified in the OSI layer 2 frame that it outputs to speak on the LAN. This is a 48 bit number which makes the address space larger than the Internet's address space. The first 24 bits are registered with the IEEE, and thus you can identify what Ethernet card maker is by its address (and possibly what model of card as well).
A MAC address with all bits sets (also known as FF:FF:FF:FF:FF:FF) is a special address and means that it is a broadcast (all stations on a LAN are addressed). A MAC address where the first bit is set indicates that this address is a multicast address. Since the bitorder of Ethernet is little-endian meaning the least significant bit is first it really is the very first bit as the address is read through the Ethernet.
To see the MAC addresses of the machines on your subnet:
$ arp -a
MAC address/arp spoofing
There are a few reasons one might be concerned, or interested about such spoofing:
- To get past MAC address filtering on a router.
- Sniffing other connections on the subnet.
- If someone is using a spoofed MAC address, then the real, burned in MAC address will not show up in IDS/system logs.
- DoS (pretending to be the gateway of the subnet, for example).
Software:
ettercap is used for man in the middle attacks on LAN.
dsniff includes arpspoof, dnsspoof, and macof.