[Bro] Modify mac address

Christian Kreibich christian at icir.org
Tue Oct 12 12:43:41 PDT 2010


On Tue, 2010-10-12 at 13:55 -0400, SONG ZHAO wrote:
> Hi,
> I want to modify the MAC address of network packets before or after
> the packets are handled by Bro.
> Could you tell me how to modify the mac address using bro? Do I need
> to revise the source code?

You would likely have to revise source code, but without more context
it's unclear whether Bro is a good choice for what you want to do. If
all you want is Ethernet address rewriting, there are other tools that
likely already do what you want. tcprewrite provides basic Ethernet
address rewriting. For more flexibility, you could write a little Scapy
script as shown below. As a last resort you could write a Netdude plugin
that does what you need.

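from scapy.all import rdpcap, wrpcap

# Old MAC address -> replacement MAC address
mac_map = {'00:50:da:53:8a:01': '11:22:33:44:55:66',
           '00:12:7f:eb:3b:cf': '77:88:99:aa:bb:cc'}

# Read the whole trace so the modified packets can be written back out
pkts = rdpcap('in.trace')

for pkt in pkts:
    for key, val in mac_map.items():
        # Rewrite the Ethernet source and destination if they match
        if pkt.src == key:
            pkt.src = val
        if pkt.dst == key:
            pkt.dst = val

wrpcap('out.trace', pkts)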

-- 
Cheers,
Christian
