<div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Chris,<div><br></div><div>I only see these headers for conn.log:</div><div>#fields<span style="white-space:pre"> </span>ts<span style="white-space:pre"> </span>uid<span style="white-space:pre"> </span>id.orig_h<span style="white-space:pre"> </span>id.orig_p<span style="white-space:pre"> </span>id.resp_h<span style="white-space:pre"> </span>id.resp_p<span style="white-space:pre"> </span>proto<span style="white-space:pre"> </span>service<span style="white-space:pre"> </span>duration<span style="white-space:pre"> </span>orig_bytes<span style="white-space:pre"> </span>resp_bytes<span style="white-space:pre"> </span>conn_state<span style="white-space:pre"> </span>local_orig<span style="white-space:pre"> </span>local_resp<span style="white-space:pre"> </span>missed_bytes<span style="white-space:pre"> </span>history<span style="white-space:pre"> </span>orig_pkts<span style="white-space:pre"> </span>orig_ip_bytes<span style="white-space:pre"> </span>resp_pkts<span style="white-space:pre"> </span>resp_ip_bytes<span style="white-space:pre"> </span>tunnel_parents<br></div><div><br></div><div>Using the same commands I always use: sudo ./bro -C -r ~/Desktop/pcap/test.pcap</div><div><br></div><div>Wireshark shows MAC just fine. I don't need to rebuild bro again, right? Just need to edit the /usr/local/bro/share/bro/site/local.bro file. The only file that shows a column for mac is the dhcp.log</div><div><br></div><div>Thanks,</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh <<a href="mailto:chris@cwalsh.org">chris@cwalsh.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">In my 2.5.3 installation, the comment above the line in question says that the MAC addrs will be logged to the conn.log file. This is what happens for me. From there, they can be linked to other logs via the uid field.<br>
<br>
Are you sure that your conn.log does not have the orig_l2_addr and resp_l2_addr fields?<br>
<br>
Chris<br>
<br>
> On Feb 19, 2019, at 5:38 PM, TQ <<a href="mailto:nothinrandom@gmail.com" target="_blank">nothinrandom@gmail.com</a>> wrote:<br>
> <br>
> Thanks for reply Michael. So I went into /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load policy/protocols/conn/mac-logging. I reran bro and checked all log files, but none contain the MAC address. This is running on Zeek 2.6.1. I'm not sure what to expect (i.e. two columns for source/destination MAC?). Maybe I'm missing another step?<br>
> <br>
> Thanks,<br>
<br>
</blockquote></div>