[Bro] Obtain src/dst mac addrs from connection record

Peter Erickson redlamb19 at gmail.com
Wed Feb 1 12:39:46 PST 2012

** Seth Hall <seth at icir.org> [2012-01-31 21:54:45 -0500] **
> On Jan 31, 2012, at 5:47 PM, Peter Erickson wrote:
> > Is there a way to obtain the source and/or destination mac address from
> > a connection record? I've been looking through the scripts and BIFs, but
> > am not seeing anything. I'm wondering if I missed something.
> You didn't miss anything.  There is actually a very good reason that
> the MAC addresses aren't available.  Ethernet has no notion of a
> connection so a single connection could involve any number of IP
> addresses.  The connection you are looking into may not even be over
> ethernet so no MAC addresses would be available.  In most "normal"
> cases of border sniffing you will only see the MAC addresses of two
> routers anyway.

I figured that was the reason, but never hurts to ask.

> That said... you could probably make it work by writing a script that
> uses the ARP analyzer to create MAC->IP address mappings and then
> looking up the MAC address that is using a particular IP address.  You
> could even extend the conn.log file with orig_mac and resp_mac fields
> so that the MAC addresses would be located there.  I don't think
> that's something we would ship with Bro directly due to how deployment
> specific it would be (would work great on LAN span ports, but for
> border sniffing it would be useless).  It would be nice to have a
> script like that for our contributed scripts repository though!

For the reasons that you just said, I'm hesitant to add mac addresses to
the conn.log because it won't make much sense for 90% of all the traffic.
However, as mentioned offline, I'm re-writing the dhcp script from
pre-2.0 and identifying possible relays will be much easier with the ip
to mac addr mappings. So, with that said, I'll just use the arp script
that I previously provided.

Thanks for the feedback.

Peter Erickson
redlamb19 at gmail.com
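The approach Seth sketches above (learn IP-to-MAC pairs from the ARP analyzer, then extend conn.log with orig_mac and resp_mac) as an added example Bro/Zeek script; this is not Peter's ARP script nor code from the Bro project. It assumes a Bro/Zeek version where conn.log is written in connection_state_remove at priority -5, so a default-priority handler still sees c$conn, and it only annotates connections whose IPv4 endpoints were actually seen in ARP, so border-sniffed or IPv6 traffic stays unannotated rather than getting a router's MAC.

```zeek
# Added example: IP->MAC from ARP, surfaced in conn.log. Assumes Conn::LOG is
# written at priority -5 in connection_state_remove (current Zeek behaviour).
@load base/protocols/conn

module ArpMac;

export {
	redef record Conn::Info += {
		## MAC last seen in ARP for the originator's IP, if learned
		orig_mac: string &log &optional;
		## MAC last seen in ARP for the responder's IP, if learned
		resp_mac: string &log &optional;
	};

	## IPv4 -> MAC mappings learned from ARP; stale entries expire.
	global mac_of: table[addr] of string &write_expire=1hr;
}

function learn(ip: addr, mac: string)
	{
	# Skip ARP probes (0.0.0.0) and broadcast/null hardware addresses.
	if ( ip == 0.0.0.0 || mac == "ff:ff:ff:ff:ff:ff" || mac == "00:00:00:00:00:00" )
		return;
	mac_of[ip] = mac;
	}

event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
	{
	# A request reveals the sender's own IP/MAC pair.
	learn(SPA, SHA);
	}

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
	{
	# A reply reveals both the replier (sender) and the asker (target).
	learn(SPA, SHA);
	learn(TPA, THA);
	}

event connection_state_remove(c: connection)
	{
	# Annotate only when a mapping exists; ARP is IPv4 and LAN-local, so
	# connections with no learned endpoint keep the fields unset.
	if ( ! c?$conn )
		return;
	if ( c$id$orig_h in mac_of )
		c$conn$orig_mac = mac_of[c$id$orig_h];
	if ( c$id$resp_h in mac_of )
		c$conn$resp_mac = mac_of[c$id$resp_h];
	}
```

On a LAN span port this yields host MACs; at a border tap, as noted in the thread, the only ARP seen is the routers', so the fields mostly stay empty.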
