CLEANACCESS Archives

February 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Simon Bell <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Fri, 3 Feb 2006 08:28:53 -0500

Brad,

We've had a similar issue before. What I've done is span the untrusted
link of the CAS to another port, connect a laptop and, using ethereal (or
your fav sniffer), snag off the data. You can then isolate the traffic
and acquire the source MAC before it gets routed from the CAS. The
commands on a Cisco device are:

Source - "monitor session '1' source int 'fa3/1'" (replace what's in ' ' with your int and session number)
Destination - "monitor session '1' dest int 'fa3/48'" (again, replace with your int and session number)

Hope this helps,

Simon

>>> [log in to unmask] 2/2/2006 12:46 PM >>>
Hello-

I have a fun problem!  One of the students in CCA is apparently
burdened by some sort of a Trojan, hard though that may be to believe.
The device is beaconing to various Internet addresses on the outside
from a source address that doesn't belong here.  We've tracked it back
to a particular CCA zone, but can't go much further.  In looking at the
ACLs that are in place, this shouldn't be possible!  We have the roles
configured so that only the valid source IP address should be able to
get through.

Could it be that CCA isn't really checking source addresses?

Does anybody know if there is a way to log the MAC and other
information from a particular source IP?

We are running 3.5.8.

Thanks,

++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++
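
As an added example that is not part of either message above (and not Perfigo or Cisco code), here is the offline half of Simon's procedure in Python: parse the frames captured on the SPAN destination port, tabulate which source MAC is using each source IP, and flag any source IP that falls outside the subnet the role is supposed to allow. In Dave's case the trojaned host would show up as a foreign source IP sent by a MAC that is already known in the zone. The subnet, MAC and IP addresses are made-up test values, and the frames are constructed inline rather than read from a capture file; 802.1Q-tagged frames are handled too, since a SPAN destination can deliver frames tagged depending on how the session is configured.

```python
"""Tabulate source MAC per source IP from captured Ethernet frames.

Added example, not code from the CleanAccess list or from Cisco/Perfigo:
the offline half of the SPAN-and-sniff procedure. The frames, MAC and IP
addresses and the allowed subnet below are constructed test values.
"""
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100

# Hypothetical: the subnet the CCA role is supposed to allow as a source.
ALLOWED_NET = "10.20.30.0/24"


def build_frame(src_mac, dst_mac, src_ip, dst_ip, vlan=None):
    """Construct a minimal Ethernet II + IPv4 header frame (test data only)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:  # optional 802.1Q tag, as a SPAN port may deliver
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: ver/IHL, TOS, total len, id, flags/frag, TTL, proto (TCP), cksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip) for an IPv4 frame, or None for anything else."""
    if len(frame) < 14:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if ethertype == ETHERTYPE_8021Q:        # skip a single 802.1Q tag
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None                         # ARP, IPv6, runt frames, etc.
    if frame[offset] >> 4 != 4:
        return None
    src_ip = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    dst_ip = ipaddress.IPv4Address(frame[offset + 16:offset + 20])
    return src_mac.hex(":"), str(src_ip), str(dst_ip)


def mac_table(frames, allowed_net=ALLOWED_NET):
    """Return ({src_ip: [src_macs]}, [(src_ip, src_mac) with src_ip outside allowed_net])."""
    allowed = ipaddress.IPv4Network(allowed_net)
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, _ = parsed
        seen[src_ip].add(src_mac)
    table = {ip: sorted(macs) for ip, macs in seen.items()}
    spoofed = sorted((ip, mac) for ip, macs in table.items()
                     if ipaddress.IPv4Address(ip) not in allowed
                     for mac in macs)
    return table, spoofed


# Constructed capture: two legitimate hosts plus one frame whose source IP
# is outside the zone's subnet but carries a MAC already seen in the zone.
GATEWAY_MAC = "00:de:ad:be:ef:00"
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", GATEWAY_MAC, "10.20.30.15", "198.51.100.10"),
    build_frame("00:aa:bb:cc:dd:ee", GATEWAY_MAC, "10.20.30.16", "198.51.100.10", vlan=30),
    build_frame("00:11:22:33:44:55", GATEWAY_MAC, "192.0.2.77", "203.0.113.9"),
    b"\x00" * 10,  # runt frame, ignored
]

if __name__ == "__main__":
    table, spoofed = mac_table(SAMPLE_FRAMES)
    for ip, macs in sorted(table.items()):
        print(ip, "->", ", ".join(macs))
    for ip, mac in spoofed:
        print("source outside", ALLOWED_NET + ":", ip, "sent by", mac)
```

For a single known address you do not need a script: on the laptop, `tcpdump -e -n 'src host <address>'` (`-e` prints the link-level header, so the source MAC appears next to each packet) or an ethereal display filter of `ip.src == <address>` gives the same answer. The script is for sweeping a whole capture when you do not yet know which addresses are being spoofed.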
