[Bro] Adding MAC Address Information to Connection Object and Logs

Jan Grashöfer jan.grashoefer at gmail.com
Thu May 26 08:37:45 PDT 2016


Hi William,

> I have successfully gotten MAC address information into the conn.log by using the roam.bro script linked from another message in this chain and extending the conn.log functionality. But, this is getting the MAC address from the DHCP table. I was hoping to get the MAC address directly from the PCAP file from which the connection object is being generated (at least that is my assumption).
> 
> My first thoughts were that the connection object that is being passed into many of these methods would get its information from the PCAP file and I could expand that functionality, but this has been a dead end for me.

Bro's concept of connections is based on layer 3 and upwards (it's very
TCP-like, which sometimes makes it difficult to understand how UDP traffic is
abstracted). In theory layer 2 addresses are independent and might even
vary in the course of a connection. Therefore the question would be:
Which MACs of which packets do you want to log?

In general the raw_packet event (see [1]) provides access to layer 2
addresses. The current master includes a new function called
get_current_packet_header that might be more comfortable to use.

Best regards,
Jan

[1]
https://www.bro.org/sphinx-git/scripts/base/bif/event.bif.bro.html#id-raw_packet
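An added example (not part of this thread) of the raw_packet approach Jan points to: it records the source MAC of the first packet seen in each direction of a flow and adds them to conn.log as two extra columns, which answers the "which packets" question by picking the first packet from each endpoint. The module name L2Conn, the column names orig_l2_addr/resp_l2_addr and the 15-minute expiry are assumptions of this example.

```bro
@load base/protocols/conn

module L2Conn;

redef record Conn::Info += {
	## Source MAC of the first packet the originator sent (added column).
	orig_l2_addr: string &log &optional;
	## Source MAC of the first packet the responder sent (added column).
	resp_l2_addr: string &log &optional;
};

type MacPair: record {
	orig: string &optional;
	resp: string &optional;
};

# First-seen MACs per 5-tuple (orig_h, orig_p, resp_h, resp_p). Entries that
# never reach connection_state_remove expire so the table cannot grow unbounded.
global l2_seen: table[addr, port, addr, port] of MacPair &write_expire=15min;

# raw_packet fires for every packet Bro sees, so keep this handler cheap.
event raw_packet(p: raw_pkt_hdr)
	{
	if ( ! p$l2?$src )	# not Ethernet: no MAC to record
		return;

	local src: addr;
	local dst: addr;
	if ( p?$ip )       { src = p$ip$src;  dst = p$ip$dst; }
	else if ( p?$ip6 ) { src = p$ip6$src; dst = p$ip6$dst; }
	else return;

	local sport: port;
	local dport: port;
	if ( p?$tcp )      { sport = p$tcp$sport; dport = p$tcp$dport; }
	else if ( p?$udp ) { sport = p$udp$sport; dport = p$udp$dport; }
	else return;

	if ( [dst, dport, src, sport] in l2_seen )
		{
		# Reply direction: the first packet from the responder fixes its MAC.
		if ( ! l2_seen[dst, dport, src, sport]?$resp )
			l2_seen[dst, dport, src, sport]$resp = p$l2$src;
		}
	else if ( [src, sport, dst, dport] !in l2_seen )
		# First packet of a new flow: its sender is the originator.
		l2_seen[src, sport, dst, dport] = [$orig=p$l2$src];
	}

# Runs after Conn::set_conn (priority 5) and before Log::write (priority -5).
event connection_state_remove(c: connection) &priority=3
	{
	local id = c$id;
	if ( ! c?$conn || [id$orig_h, id$orig_p, id$resp_h, id$resp_p] !in l2_seen )
		return;

	local m = l2_seen[id$orig_h, id$orig_p, id$resp_h, id$resp_p];
	if ( m?$orig ) c$conn$orig_l2_addr = m$orig;
	if ( m?$resp ) c$conn$resp_l2_addr = m$resp;
	delete l2_seen[id$orig_h, id$orig_p, id$resp_h, id$resp_p];
	}
```

Because raw_packet is raised per packet, expect a noticeable CPU cost on busy links; on a Bro master that has get_current_packet_header, the same lookup can instead be done inside new_connection and the first reply event, avoiding the per-packet handler.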

