i was reading the back archives of a canadian privacy law blog, and he linked to a judicial decision. apparently, as part of an investigation in which yahoo chat and google's old 'hello' image trading program were used, the officer was able to determine a suspect's modem's MAC address:

In order to determine who STEPHTOSH was, the officer did a trace on a programme called WHO IS in an effort to learn from where STEPHTOSH was coming. WHO IS is a command program available to the public. The officer was able to ascertain that the person using the name STEPHTOSH was a Rogers Internet customer. The officer was able to obtain the Internet Protocol address, also known as the I.P. There is only one location for an I.P., which is unique to that subscriber. By use of the website known as DNS STUFF.com, one is able to find with which company this I.P. is registered. It was ascertained that the I.P. address used by STEPHTOSH was registered to Rogers Cable, from the Toronto area. The officer also learned the Cable Modem MAC address used by STEPHTOSH. This was all the information the officer was able to amass.

now it was my understanding that the MAC address of any given device can only be accessed if you're only one 'hop' away on the Internet. the suspect in question was in Markham and the officer part of the Toronto Police, so it's conceivable that they both might have used Rogers internet. but would that still put them only one 'hop' away from each other? i thought the first hop after the modem was usually the ISP? and if he'd used a netBIOS query against this guy's machine it would return the ethernet card's MAC, not the modem's. so is this guy on the same rogers subnet as the suspect's cable modem, is that functionality part of google's Hello (i could only think that it would be possible if Hello operated as a virtual LAN or something), does the officer have remote access to the arp caches of the routers at Rogers or is he just full of crap and lying to make his case stronger?


4 Answers


Rogers probably would just give the officer the information if asked. It could either be live, or they probably have logs of dynamic DHCP entries.

The people writing the article very well might have confused MAC address with IP address even though they said 'Also MAC'.

The original MAC address wouldn't be anywhere in a packet that went over the internet to my knowledge.

Kyle Brandt
  • DHCP logs would be my guess, but LE surveillance is pretty well standardized for cable (and DSL) networks, e.g. http://www.cablelabs.com/specifications/PKT-SP-ES-INF-I04-080425.pdf – Gerald Combs Jan 10 '11 at 22:43
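As an added example (not from the thread or any of its posters): if an ISP keeps dhcpd-style syslog lines for its cable-modem DHCP scope, resolving "which modem MAC held this public IP at this time" is a lease-timeline lookup, not a packet-level trick. The log lines, addresses and MACs below are constructed, and the `dhcpd` message format is assumed to be the common ISC "DHCPACK on ... to ..." / "DHCPRELEASE of ... from ..." style.

```python
import re
from datetime import datetime

# Constructed sample log (made-up IPs and MACs), in ISC dhcpd syslog style.
SAMPLE_LOG = """\
Jul 24 18:02:11 cmts-dhcp dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 via 10.20.30.1
Jul 24 19:15:42 cmts-dhcp dhcpd: DHCPRELEASE of 10.20.30.40 from 00:11:22:33:44:55 via 10.20.30.1 (found)
Jul 24 19:16:03 cmts-dhcp dhcpd: DHCPACK on 10.20.30.40 to 66:77:88:99:aa:bb via 10.20.30.1
Jul 24 20:30:00 cmts-dhcp dhcpd: DHCPACK on 10.20.30.41 to cc:dd:ee:ff:00:11 via 10.20.30.1
"""

# Only ACK (binding created/renewed) and RELEASE (binding ended) lines matter here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<kind>DHCPACK on|DHCPRELEASE of) (?P<ip>[\d.]+) (?:to|from) (?P<mac>[0-9a-f:]{17})"
)


def parse_events(log_text, year=2009):
    """Return a time-sorted list of (timestamp, kind, ip, mac) tuples.

    Syslog timestamps carry no year, so the caller supplies it (assumption)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines and unrelated noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["kind"].split()[0], m["ip"], m["mac"]))
    events.sort()
    return events


def mac_for_ip_at(log_text, ip, when, year=2009):
    """Return the modem MAC that held `ip` at `when`, or None if unassigned.

    Replaying events in order: a DHCPACK for the IP sets the holder (a later
    ACK to a different MAC supersedes it), a DHCPRELEASE clears it."""
    holder = None
    for ts, kind, ev_ip, mac in parse_events(log_text, year):
        if ev_ip != ip:
            continue
        if ts > when:
            break  # everything after this is in the future relative to `when`
        holder = mac if kind == "DHCPACK" else None
    return holder
```

Real deployments also need the lease expiry time (a silent timeout ends a binding without a RELEASE line) and the CMTS/relay address, which the `via` field carries.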

I would agree with all other answers if it wasn't cable.

SNMP can give information about the interfaces and their respective MAC addresses. And cable modems are often SNMP-enabled, even on the WAN side (not necessarily on the public WAN IP).

So it might be possible to find the MAC address of the modem, even a few network hops away.


In general, the MAC address of a given device is only available to devices that communicate with it at layer 2. Other protocols (like the NetBIOS query you mention) may expose the MAC to higher layers, but in general the MAC stops being sent around after the first layer 3 device (router) that the packet hits.

I can't say what kind of access Canadian law enforcement has into Rogers' gear. It has a certain sound of technical bogosity to it, but perhaps law enforcement does have some "enhanced" access to the layer-3 or layer-2 infrastructure.

Evan Anderson
  • Rogers, like all Canadian telcos, has equipment installed accessible under legislation not dissimilar from the US CALEA requirements. To the best of my knowledge from a brief brush with it, it is accessible to CSIS (the equivalent of the US CIA). I would be surprised if Toronto Police could get access to the equipment directly, but through the proper channels they might be able to. More likely is that one of the apps used the MAC address as an identifier in a protocol transferred at layer 3 and that such information was transferred to (not intercepted by) the police. – James F Jul 24 '09 at 22:22
  • "(the equivalent of the US CIA)" but much, much, much, less competent. – Ward - Reinstate Monica Jul 24 '09 at 23:38
  • Oh, I don't know. Just because they aren't in the public eye as much doesn't mean they don't know what they're doing. I can attest as much from direct experience with them (not as a member of the organization, just as a bystander caught up in a foreign surveillance investigation). – James F Jul 25 '09 at 11:35

MAC addresses are only relevant at layer-2 (zero hops away to use your convention). Some protocols or applications may embed it in the packet as part of the data stream however. Otherwise the source and destination MAC is always re-written at each hop along the path.

The one exception to this would be some kind of tunnel where the original packet is encapsulated in a wrapper packet (i.e. SSH tunnels).

  • searches regarding google's 'hello', which the officer connected to the suspect on, images are transferred over an 'encrypted connection'. that's all i could find on it. i'm no sort of expert, and this is where my knowledge ends - would this allow them to discover the MAC of the router? (honestly if the MACs of both were used in the encryption it would be a bit silly to use the cable modem's MAC instead of the local ethernet card's, since anyone on the same subnet could then decrypt the communications.) –  Jul 24 '09 at 20:15
  • The fact that MAC addresses are layer-2 and not normally transmitted and the communication may have been encrypted means that most likely, as others have suggested, they had the cooperation of the user's ISP. Tracking a user by IP address and then having the ISP identify the specific user is the most likely sequence of events. – Peter Jul 25 '09 at 15:08