Thread: Finding MAC
Posted by Avertive, 2005-11-11

I'm seeing address spoofing events in the NG (SPLAT R55) log from an address range I'm told is used for server factory default (for imaging via network: 169.254.x.x). I'm also seeing DHCP requests. Based on this evidence, my thoughts are I have a misconfigured server with a DHCP-enabled interface that needs to be shut down (or assigned a static IP).

To assist server admins in finding the misconfigured box, I'm trying to track down the MAC address used in these NetBIOS broadcasts. Without knowing the MAC, it's almost like finding a needle in a haystack.

I first played around with query options within tracker, but was disappointed to find out MAC information is not logged. I then tried a tcpdump, but then concluded I wasn't seeing any packets despite growing logs because the broadcasts were being dropped by NG before tcpdump could hear them. I then thought to try fw monitor, but I've just read that MAC information cannot be captured this way.

Unfortunately I don't have another *nix system in this particular network (if that wasn't already obvious as I'm trying to debug a NetBIOS problem :P), so am really running out of options on how to find this MAC address. Anyone have any ideas of what I might try?

I suppose I could do a cpstop and then run the tcpdump (network is still in pre-production), but I'm looking for a less intrusive means.

Thanks!

Last edited by Avertive; 2005-11-11 at 13:59.