[Bro] Using bro to track MAC addresses instead of IPs
James Lay
jlay at slave-tothe-box.net
Fri Jul 31 14:00:09 PDT 2015
On 2015-07-31 02:56 PM, Earl Eiland wrote:
> Our intent is to monitor observed layer 2 traffic.
>
> FROM: M P [mailto:mpselab at gmail.com]
> SENT: Friday, July 31, 2015 3:47 PM
> TO: Earl Eiland <earl.eiland at root9b.com>
> CC: bro at bro.org
> SUBJECT: Re: [Bro] Using bro to track MAC addresses instead of IPs
>
> On Friday, July 31, 2015, Earl Eiland <earl.eiland at root9b.com> wrote:
>
>
>> The connection record includes the IP/port pair. Is there a way to
>> include MAC addresses?
>>
>> Best Regards,
>>
>> Earl Eiland,
>>
>> Sr. Cyber Security Engineer,
>>
>> Emerging Technologies, root9B,
>>
>> San Antonio, Texas
>
> Wouldn't MAC addresses be of less value, since Bro would see the MAC
> address of the last device the packet has been through before reaching
> Bro? Or maybe you're attempting to achieve something else.
>
> MP
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
I would think arpwatch might be a better fit for that:
http://www.tecmint.com/monitor-ethernet-activity-in-linux/
James
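Added example, not part of this thread and not code from Earl, MP or James: a Bro script that copies the link-layer addresses Bro records on each connection endpoint into conn.log, which is the direct answer to the original question. It assumes a Bro/Zeek release whose `endpoint` record carries an `l2_addr` field (the thread does not say which release is in use); later releases ship a bundled `policy/protocols/conn/mac-logging` script of the same shape.

```bro
# Added example (not from this thread): add originator/responder MAC
# addresses to conn.log. Assumes a Bro/Zeek release where the endpoint
# record (c$orig / c$resp) exposes an `l2_addr` field (an assumption).
@load base/protocols/conn

module Conn;

redef record Conn::Info += {
	## Link-layer (MAC) address of the originator, if Bro saw it.
	orig_l2_addr: string &log &optional;
	## Link-layer (MAC) address of the responder, if Bro saw it.
	resp_l2_addr: string &log &optional;
};

# Run ahead of Conn's own logging handler (which runs at priority -5)
# so the new fields are populated when the Conn::Info record is written.
event connection_state_remove(c: connection) &priority=5
	{
	if ( c$orig?$l2_addr )
		c$conn$orig_l2_addr = c$orig$l2_addr;

	if ( c$resp?$l2_addr )
		c$conn$resp_l2_addr = c$resp$l2_addr;
	}
```

Load it alongside the default scripts (for example `bro -i eth0 local mac-logging.bro`, or against a trace with `-r`). MP's point above is the operational limit: the addresses are those of the last device that forwarded the frame, so they identify hosts only when the sensor taps the same layer-2 segment as those hosts; behind a router every originator will carry the router's MAC.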