Hi,

The scenario is you are running a program on your PC which is
communicating with an external server (on the internet) via some TCP
port. Your PC is connected to the internet via a router/modem that is
also providing NAT. For licencing reasons the external site is
collecting some information about your use of their software (from the
network traffic sent by its program).

I understand that the external site would be able to monitor :

1) your external IP address - ie the WAN side IP address of your
router. The NAT on the router would make sure that this is the source
address of the packets they receive.

2) your internal IP address - ie the IP address of your NIC on your
LAN - which they could detect because their program (running on your
PC) could see it locally and send it with their data.

3) the MAC address of your NIC - which the program (running on your
PC) could find and send similar to the internal IP (2).

4) the default gateway IP address of your NIC - ie likely to be your
routers internal LAN address. They could find this the same way as 2
and 3.

HOWEVER - could they see the MAC address of your router? ie given all
the packets they receive have the routers WAN side IP address as the
source address - wouldn't they also have the routers MAC address
available?

If its possible in theory for such an external site to monitor your
routers MAC address - would it be practical for them to do so, and if
so is this technique actually used that you know of?

thanks - Redd

Greetings, and thanks for the interesting question.

First it will be useful to define what MAC addresses are and how they
are normally used.

Definition:
http://en.wikipedia.org/wiki/MAC_address
"Media Access Control address (MAC address) is a unique identifier
attached to most forms of networking equipment."
Normally a twelve digit hexadecimal number, like: 00-08-74-4C-7F-1D

How it is used:
It's most common use is in the "data link" layer of the OSI model:
http://en.wikipedia.org/wiki/OSI_model

When a computer on a network has an IP address it needs to contact it
sends out an ARP request to all machines on its network segment (using
the broadcast address) and receives an answer from the owner of that
address with its mac address.  It then stores this in an arp table for
later reference.  The mac address is then used to send data directly
to that computer.
http://en.wikipedia.org/wiki/Address_Resolution_Protocol

You can view the arp table on a windows XP machine by typing "arp -a"
from a command prompt.  You can even manipulate the table, though this
is not recommended.
http://www.mytechsupport.ca/content/view/83/306/

What you will see in your arp table are IP addresses that are on your
local network.  You will not see any entries for computer beyond your
closest router.  The reason for this is simple; your computer doesn't
care about anythign past that.

All a computer needs to know is how to get to the next router on the
way to its final destination (next hop).  Once your PC has the mac
address of your closest router and hands the data off to it, then it
is that next router's job to have the mac address of the next router
in line and so on.  Each router is only going to keep arp tables with
mac addresses of devices that are on the same subnets as they are on. 
Remember the way they usually acquire mac addresses is using a
broadcast.  This will only reach as far as the next router.  Routers
will not pass on this information.  If they did the whole Internet
would come to a screeching halt because there would be so many
broadcasts that the real data would be choked out.  They only need to
know how to get to the next hop.
http://en.wikipedia.org/wiki/Broadcast_address

In short, as long as your router is seperated from this server that
you are connecting to by at least one other router (which I'm sure
that you are) they would not have your mac address in their arp
tables.  You can see just how many routers are between you by doing a
"trace router".
http://support.microsoft.com/kb/162326/EN-US/

First you will see your routers Ip address that is local to your
computer,  then you will see the address of your local IPS's router,
then there will most likely be several other router before finally
making to the server you are connecting to.

Each time the data passes through a router the portion of that data
that contains the last mac address is pulled out and the current
router's is put in.  This allows the next router to respond without an
arp request to the previous router.

This is a similar discussion:
http://content.ix2.net/arc/t-4333.html
"There is no way to determine the mac address of your computer, once the
packets have passed through a router. The mac address is used only on a
local network and as a packet leaves your local network, the mac address is
replaced by the mac address of the router. This happens at every router
along the route between you and any other site."

Since your computer has an arp table that contains your routers LAN
side mac address it is possible that they could send that in the same
way they could 2) 3) and 4).  But your router is going to have a
different mac address for it WAN side, which is the part that you
would care about.  Your computer will not have the WAN side mac
address in its arp table because it is on the "other side" of your
router.

All that to say:  They only way they could get your router's WAN-side
mac address would be have access to a device on your local ISP's
network on the same subnet as your router.  This is highly improbable.

Your IP address is about all they get.

I just tested this with two PC's and router.  I put them on different
ports on the router copied a file from one to the other.  Each PC only
sees the mac address of the router, both in their arp tables and in
the actual packets themselves.  There is no reference to the other
PC's mac address.

I hope that this has answered your question.  If you require any
further information please let me know by posting a request for
clarification and I will be glad to assist you further!

Thanks!

Thanks - excellent answer.