[Bro] Obtain src/dst mac addrs from connection record
seth at icir.org
Tue Jan 31 18:54:45 PST 2012
On Jan 31, 2012, at 5:47 PM, Peter Erickson wrote:
> Is there a way to obtain the source and/or destination mac address from
> a connection record? I've been looking through the scripts and BIFs, but
> am not seeing anything. I'm wondering it I missed something.
You didn't miss anything. There is actually a very good reason that the MAC addresses aren't available. Ethernet has no notion of a connection so a single connection could involve any number of IP addresses. The connection you are looking into may not even be over ethernet so no MAC addresses would be available. In most "normal" cases of border sniffing you will only see the MAC addresses of two routers anyway.
That said... you could probably make it work by writing a script that uses the ARP analyzer to create MAC->IP address mappings and then looking up the MAC address that is using a particular IP address. You could even extend the conn.log file with orig_mac and resp_mac fields so that the MAC addresses would be located there. I don't think that's something we would ship with Bro directly due to how deployment specific it would be (would work great on LAN span ports, but for border sniffing it would be useless). It would be nice to have a script like that for our contributed scripts repository though!
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro