[Bro] Adding MAC Address Information to Connection Object and Logs
jan.grashoefer at gmail.com
Mon May 30 02:48:52 PDT 2016
> Alright, just pushed a commit to master, see
I had a look, too, and came up with a slightly different solution (see
The main difference is that the MAC addresses follow the
originator/responder pattern, so you could correlate them to IPs.
Another point is that link-layer addresses could change in the course of
a "connection" (see q-in-q.trace for a minimal example). My idea would
be to handle this like the flow label and generate an event once the
addresses change (might be valuable information). I hesitated to
implement this, as this would add per-packet code, which I guess should
only be introduced if really necessary. However, if you are fine with
those extra lines I could add it and merge both solutions.
P.S.: Seems you forgot to commit your protocols/conn/mac-logging.bro
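
The two points in the message above (MAC addresses recorded per originator/responder, and an event when a link-layer address changes mid-connection), sketched as an added example; it is not part of the original post and is not Bro code. All names are hypothetical, the packets are constructed, and connections are keyed on the IP pair only as a simplification.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Conn:
    orig_ip: str
    resp_ip: str
    orig_mac: Optional[str] = None
    resp_mac: Optional[str] = None

def track(packets):
    """Process (src_ip, dst_ip, src_mac, dst_mac) tuples in capture order.

    Returns (connections, events); an event is
    (packet_number, field, old_mac, new_mac).
    """
    conns, events = {}, []
    for n, (src_ip, dst_ip, src_mac, dst_mac) in enumerate(packets, 1):
        key = frozenset((src_ip, dst_ip))  # same key for both directions
        conn = conns.get(key)
        if conn is None:
            # The sender of the first packet is treated as the originator.
            conn = conns[key] = Conn(orig_ip=src_ip, resp_ip=dst_ip)
        # Map the frame's source/destination MACs onto originator/responder,
        # so each MAC lines up with the IP on the same side.
        if src_ip == conn.orig_ip:
            seen = {"orig_mac": src_mac, "resp_mac": dst_mac}
        else:
            seen = {"orig_mac": dst_mac, "resp_mac": src_mac}
        # This comparison is the per-packet cost the message refers to.
        for field, mac in seen.items():
            old = getattr(conn, field)
            if old is not None and old != mac:
                events.append((n, field, old, mac))
            setattr(conn, field, mac)
    return conns, events

# Constructed sample: the originator's MAC changes at packet 3.
SAMPLE = [
    ("10.0.0.1", "10.0.0.2", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"),
    ("10.0.0.2", "10.0.0.1", "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01"),
    ("10.0.0.1", "10.0.0.2", "cc:cc:cc:cc:cc:03", "bb:bb:bb:bb:bb:02"),
    ("10.0.0.2", "10.0.0.1", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"),
]

if __name__ == "__main__":
    for event in track(SAMPLE)[1]:
        print("link-layer address changed:", event)
```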