As stated previously the router has no bearing on what MAC address the data packet sent back contained. It wouldn't be reading a MAC address attached to the data packet externally, because yes, the router would be stripping that information and adding its own. The MAC of the computer that the data packet originated on would be contained in the actual data of the packet (i.e. untouched by the router). It's possible to spoof a MAC address, correct, but unless you were trying to give each instance of eqgame.exe it's own MAC address information on the same machine, why would you bring that up? It has no bearing on someone being caught reporting back two accounts logged in from the same MAC. You likely wouldn't purposely spoof a second PC to have the same MAC as a PC on your own network, as that generally defeats the purpose.
It's possible this is used in conjunction with the system process list they get back, yes, similar to how they can see if macroquest.exe is running and such. Same MAC address listed for each account logged in AND the process list shows two copies of eqgame.exe in memory? Yep, 95% of the time that would be someone boxing.
|