[Bro] IP <-> MAC Address

Maxime Lambert maxime.lambert at insa-cvl.fr
Thu Jun 30 01:19:34 PDT 2016


Hi everyone, 

Is there a way to obtain the source and/or destination MAC address from a connection record?

I've been looking through the scripts roam.bro, known-devices.bro and known-devices-and-hostnames.bro, but I am not sure how it works. I'm wondering if I missed something. I have these 2 files:

cat /opt/bro/logs/current/ known_devices.log 
#separator \x09 
#set_separator  , 
#empty_field    (empty) 
#unset_field    - 
#path   known_devices 
#open   2016-06-30-09-08-33 
#fields ts      mac     dhcp_host_name 
#types  time    string  string 
1467260412.707446       00:11:22:33:44:55       android-684541321657432 
1467260416.339490       00:11:22:33:44:66       android-213857946354179 
1467260447.207524       00:11:22:33:44:77      iPhone-XXXX 
1467261341.099450       00:11:22:33:44:88      iPhone -YYYY 
1467271833.863474       00:11:22:33:44:99      iPhone -ZZZZ 
1467272311.523445       00:11:22:33:44:00       bitcoin-computer 
1467272443.463545       00:11:22:33:44:11      iPhone-UUUU 
1467272517.623516       00:11:22:33:44:22      iPhone-TTTT 
1467272692.387523       00:11:22:33:44:33      iPhone-VVVV 
1467273783.775451       00:11:22:33:44:44      SDM-00239 
1467273899.667460       00:11:22:33:33:55      iPhone-AAAA 

AND 

cat /opt/bro/logs/current/ dhcp.log 
#separator \x09 
#set_separator  , 
#empty_field    (empty) 
#unset_field    - 
#path   dhcp 
#open   2016-06-30-09-51-23 
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       mac     assigned_ip     lease_time      trans_id 
#types  time    string  addr    port    addr    port    string  addr    interval        count 
1467264083.815462       C4jfqvVzuapDS69dz      255.255.255.255 68      192.X.X.X     67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000    146703799 
1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68      192.X.X.X     67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000    146703799 
1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68      192.X.X.X     67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000    146703799 
1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68      192.X.X.X     67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000    146703799 


So what I want is a fusion between dhcp.log and known-devices.log, to know each device's IP and MAC address.


I think bro must monitor ARP Request/Response to an output log file like this:

ts                                     string (Mac Addr)              string (hostname)                        string (IP Addr) 
1467260401.707446       XX:XX:XX:XX:XX:XX        Android-XXXXXXXXXXX            X.X.X.X 
Or maybe someone has another solution?

Thank you for your help. 


Maxime Lambert 
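One way to produce the join the post asks for, as an added example that is not part of the original post or of Bro's own scripts: a Python script that parses both logs in Bro's ASCII format (the `#separator` / `#fields` / `#unset_field` header shown above) and keys them on the `mac` column, keeping the newest lease per MAC. The two log excerpts embedded in it are constructed samples in the layout of the post's dhcp.log and known_devices.log, not the poster's data; the column names are the ones the post shows.

```python
"""Join Bro's dhcp.log with known_devices.log on the MAC column.

Added example, not code from the original post or from Bro itself. Both
log excerpts below are constructed samples in the post's log layout.
"""

# Constructed dhcp.log sample (columns as in the post). The second data line
# is a deliberate duplicate, as in the post; the third is a newer lease for
# the same MAC, written in upper case to exercise MAC normalisation.
DHCP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tdhcp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmac"
    "\tassigned_ip\tlease_time\ttrans_id\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\taddr\tinterval\tcount\n"
    "1467264083.815462\tCx0\t255.255.255.255\t68\t192.0.2.1\t67"
    "\t00:1A:2B:3C:4D:5E\t192.0.2.10\t86400.000000\t146703799\n"
    "1467264083.815462\tCx0\t255.255.255.255\t68\t192.0.2.1\t67"
    "\t00:1A:2B:3C:4D:5E\t192.0.2.10\t86400.000000\t146703799\n"
    "1467270000.000000\tCx1\t255.255.255.255\t68\t192.0.2.1\t67"
    "\t00:1A:2B:3C:4D:5E\t192.0.2.11\t86400.000000\t146703800\n"
    "1467271000.000000\tCx2\t255.255.255.255\t68\t192.0.2.1\t67"
    "\t00:11:22:33:44:88\t192.0.2.30\t86400.000000\t146703801\n"
)

# Constructed known_devices.log sample: one device with no DHCP lease yet
# (44:66) and one with an unset host name (44:77).
KNOWN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
    "#path\tknown_devices\n#fields\tts\tmac\tdhcp_host_name\n"
    "#types\ttime\tstring\tstring\n"
    "1467260412.707446\t00:1a:2b:3c:4d:5e\tandroid-sample\n"
    "1467260416.339490\t00:11:22:33:44:66\tiPhone-sample\n"
    "1467260447.207524\t00:11:22:33:44:77\t-\n"
)


def parse_bro_log(text):
    """Parse Bro ASCII log text into dicts keyed by the #fields names.

    Honours #separator, #unset_field (-> None) and #empty_field (-> "");
    other header lines (#path, #types, #open, #close) are skipped.
    """
    sep, unset, empty, fields, records = "\t", "-", "(empty)", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # This header line is space-delimited and carries an escaped byte.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({n: (None if v == unset else "" if v == empty else v)
                        for n, v in zip(fields, values)})
    return records


def join_by_mac(dhcp_records, known_records):
    """Return {mac: {"ip", "hostname", "last_seen"}} for every leased MAC.

    MACs are lowercased before matching so case differences between the two
    logs do not split one device in two; for repeated leases (renewals or
    duplicated log lines) the newest assigned_ip wins.
    """
    hostnames = {r["mac"].lower(): r["dhcp_host_name"]
                 for r in known_records if r["mac"]}
    devices = {}
    for r in dhcp_records:
        if not r["mac"] or not r["assigned_ip"]:
            continue  # skip rows with an unset mac or assigned_ip
        mac, ts = r["mac"].lower(), float(r["ts"])
        if mac not in devices or ts >= devices[mac]["last_seen"]:
            devices[mac] = {"ip": r["assigned_ip"],
                            "hostname": hostnames.get(mac), "last_seen": ts}
    return devices


def to_rows(devices):
    """Rows in the column order the post proposes: ts, mac, hostname, ip."""
    return [(d["last_seen"], mac, d["hostname"] or "-", d["ip"])
            for mac, d in sorted(devices.items())]


if __name__ == "__main__":
    merged = join_by_mac(parse_bro_log(DHCP_LOG), parse_bro_log(KNOWN_LOG))
    print("ts\tmac\thostname\tip")
    for row in to_rows(merged):
        print("%f\t%s\t%s\t%s" % row)
```

Run it against real files by reading `/opt/bro/logs/current/dhcp.log` and `known_devices.log` into the two strings instead of the embedded samples. Note that a MAC appears in the output only once it has a lease in dhcp.log; devices seen only in known_devices.log (here 44:66) are left out, and a device whose DHCP host name was unset shows `-` in the hostname column.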

