[Bro] Using bro to track MAC addresses instead of IPs

Earl Eiland earl.eiland at root9b.com
Fri Jul 31 13:56:33 PDT 2015


Our intent is to monitor observed layer 2 traffic.

From: M P [mailto:mpselab at gmail.com]
Sent: Friday, July 31, 2015 3:47 PM
To: Earl Eiland <earl.eiland at root9b.com>
Cc: bro at bro.org
Subject: Re: [Bro] Using bro to track MAC addresses instead of IPs



On Friday, July 31, 2015, Earl Eiland <earl.eiland at root9b.com> wrote:
The connection record includes the IP/port pair.  Is there a way to include MAC addresses?

Best Regards,

Earl Eiland,
Sr. Cyber Security Engineer,
Emerging Technologies, root9B,
San Antonio, Texas

Wouldn't MAC addresses be of less value, since Bro would see the MAC address of the last device the packet has been through before reaching Bro? Or maybe you're attempting to achieve something else.

MP