* [Thu, May 16, 2013 at 04:28:04PM -0700] Ryan Hiebert:
I also thought of a 3, but I'm not sure if it's reasonable or possible:
3. Get iptables or similar to log unknown mac/ip pairs that it sees.
Maybe you can use arptables for this. But I would go for the easiest path: just log any NEW (allowed) forwarded connection.

    -A FORWARD -i ${if_in} -m state --state NEW -j LOG

(or -m conntrack --ctstate NEW), then postprocess the logs when needed, or use -j ULOG|NFLOG for fancy things. This way you have the (MAC) originator for every "established" connection.
Ciao, Gian Piero.
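
One way to do the log postprocessing suggested above, as an added example that is not part of the original message: it pulls the source IP and source MAC out of kernel LOG lines and counts pairs that are not in an expected table. The sample lines and the `KNOWN` table are constructed, and the code assumes the usual Ethernet layout of the `MAC=` field (6 bytes destination, 6 bytes source, 2 bytes EtherType).

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel LOG target's format (not real traffic).
SAMPLE_LOG = """\
May 16 16:30:01 gw kernel: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:52:54:00:aa:bb:01:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40000 DPT=443
May 16 16:30:02 gw kernel: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:52:54:00:de:ad:01:08:00 SRC=192.168.1.11 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=80
May 16 16:30:03 gw kernel: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:52:54:00:CC:CC:09:08:00 SRC=192.168.1.99 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=5353 DPT=53
May 16 16:30:04 gw kernel: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:52:54:00:cc:cc:09:08:00 SRC=192.168.1.99 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40002 DPT=22
May 16 16:30:05 gw sshd[812]: Accepted publickey for admin from 192.168.1.10
"""

# Hypothetical table of expected IP -> MAC bindings for the inside network.
KNOWN = {
    "192.168.1.10": "52:54:00:aa:bb:01",
    "192.168.1.11": "52:54:00:aa:bb:02",
}

# MAC= must come before SRC= on the same line, as the LOG target prints them.
FIELDS = re.compile(r"\bMAC=([0-9a-fA-F:]+)\s.*?\bSRC=(\S+)")


def source_pairs(log_text):
    """Yield (src_ip, src_mac) for every LOG line with a full Ethernet header."""
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if not m:
            continue  # not a netfilter LOG line, or no MAC header logged
        octets = m.group(1).lower().split(":")
        if len(octets) != 14:
            continue  # not dst(6) + src(6) + ethertype(2)
        yield m.group(2), ":".join(octets[6:12])


def unknown_pairs(log_text, known):
    """Count logged (ip, mac) pairs that differ from the expected binding."""
    counts = defaultdict(int)
    for ip, mac in source_pairs(log_text):
        if known.get(ip) != mac:  # unknown IP, or known IP with another MAC
            counts[(ip, mac)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, mac), n in sorted(unknown_pairs(SAMPLE_LOG, KNOWN).items()):
        print(f"{ip} seen from {mac} ({n} new connection(s))")
```

The source MAC in these lines is that of the last layer-2 hop on the input interface, so hosts behind another router all show up with that router's MAC.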