[Bro] Adding MAC Address Information to Connection Object and Logs

William Baker William.Baker at tietronix.com
Thu May 26 07:54:59 PDT 2016


Hello,

I have a fairly simple use case. I have a database of devices, which contains a device name, manufacturer, IP addresses, and MAC address. I want to be able to take a device from that database, retrieve the MAC address, and use that to query data that has been generated by BRO.

I have successfully gotten MAC address information into the conn.log by using the roam.bro script linked from another message in this chain and extending the conn.log functionality. But, this is getting the MAC address from the DHCP table. I was hoping to get the MAC address directly from the PCAP file from which the connection object is being generated (at least that is my assumption).

My first thoughts were that the connection object that is being passed into many of these methods would get its information from the PCAP file and I could expand that functionality, but this has been a dead end for me.

Does anyone have advice for getting MAC address from a PCAP file that was used to generate different logs in BRO?

Thanks!

William Baker  |  Software Developer
Tietronix Software Inc.  |  1331 Gemini Ave.  STE 300  |  Houston, TX 77058
+1 (281) 404-7253  |  wbaker at tietronix.com<mailto:victor.tang at tietronix.com>  |  www.tietronix.com<http://www.tietronix.com/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160526/140e2a1b/attachment.html 


More information about the Bro mailing list