MAC address collector in ARP mode

4.1

Author: IMFirewall Software
HomePage: http://www.wfiltericf.com


In a multi-segment network, WFilter cannot get clients' MAC addresses unless a "mac address collector" is deployed.

The "mac address collector" gathers the MAC addresses in a subnet and sends them to the WFilter server. It works in two modes:

  1. SNMP mode (recommended): gets MAC addresses from manageable switches via the SNMP protocol.
  2. ARP mode: gets the subnet's MAC addresses via ARP broadcasting.

The ARP mode of the mac address collector does not require the SNMP feature in your switch; it simply broadcasts ARP requests to gather MAC addresses. Network topology diagram:



Figure 1

As in "Figure 1", WFilter (192.168.1.170) is monitoring multiple subnets from a mirroring port in the switch. To monitor MAC addresses in 192.168.50.x, you need to install "mac address collector" in the 192.168.50.x subnet. In ARP mode, "mac address collector" must be installed in every subnet, because ARP broadcasts do not cross routers. Steps:

1. Install the "mac address collector"

As in "Figure 2", install "mac address collector" on a computer in the 192.168.50.x subnet, choosing its 192.168.50.x adapter as the working adapter.



Figure 2

2. WFilter

When "mac address collector" is not installed, WFilter cannot see the real MAC address of a client that is in another subnet.



Figure 3(Monitored mac address in WFilter)



Figure 4(Real mac address)

With "mac address collector" enabled, WFilter is now able to get the real MAC address.



Figure 5
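
The ARP exchange that ARP mode relies on, as an added example (not WFilter's own code): it builds the broadcast who-has frame a collector would send and turns the replies into an IP-to-MAC table, ignoring frames that are not well-formed replies from the collector's subnet. All function names, MAC addresses and host addresses are constructed for illustration; how the table is sent to the WFilter server is not covered.

```python
import ipaddress
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def build_arp(oper, sha, spa, tha, tpa):
    """Ethernet + ARP frame; oper 1 = request (broadcast), 2 = reply (unicast)."""
    eth = (BROADCAST if oper == 1 else tha) + sha + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += sha + ipaddress.IPv4Address(spa).packed
    arp += tha + ipaddress.IPv4Address(tpa).packed
    return eth + arp

def parse_arp_reply(frame):
    """Return (ip, mac) of the sender of an ARP reply, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    return str(ipaddress.IPv4Address(frame[28:32])), frame[22:28].hex(":")

def collect(frames, subnet):
    """IP -> MAC table from replies whose sender address lies inside subnet."""
    net = ipaddress.ip_network(subnet)
    table = {}
    for frame in frames:
        entry = parse_arp_reply(frame)
        if entry and ipaddress.ip_address(entry[0]) in net:
            table[entry[0]] = entry[1]
    return table

# Constructed sample data: collector host and two responders (all hypothetical).
COLLECTOR_MAC = bytes.fromhex("020000000001")
UNKNOWN = b"\x00" * 6
REQUEST = build_arp(1, COLLECTOR_MAC, "192.168.50.10", UNKNOWN, "192.168.50.23")
SAMPLE_FRAMES = [
    REQUEST,                                                   # our own who-has
    build_arp(2, bytes.fromhex("001122334455"), "192.168.50.23",
              COLLECTOR_MAC, "192.168.50.10"),                 # valid reply
    build_arp(2, bytes.fromhex("00aabbccddee"), "192.168.1.5",
              COLLECTOR_MAC, "192.168.50.10"),                 # sender outside subnet
    REQUEST[:20],                                              # truncated frame
]

if __name__ == "__main__":
    print(collect(SAMPLE_FRAMES, "192.168.50.0/24"))
```

Because the request is sent to the Ethernet broadcast address, only hosts on the collector's own segment answer it, which is why the table is filtered to that subnet.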