[Bro] Adding MAC Address Information to Connection Object and Logs

Jan Grashöfer jan.grashoefer at gmail.com
Mon May 30 02:48:52 PDT 2016


> Alright, just pushed a commit to master, see
> https://github.com/bro/bro/commit/57aef6d49ff2fabfed638ef44100daa7dab06e9b

I had a look, too, and came up with a slightly different solution (see
https://github.com/bro/bro/compare/master...J-Gras:topic/jgras/link-layer-addr).
The main difference is that the MAC addresses follow the
originator/responder pattern, so you could correlate them to IPs.

Another point is that link-layer addresses could change in the course of
a "connection" (see q-in-q.trace for a minimal example). My idea would
be to handle this like the flow label and generate an event once the
addresses change (might be valuable information). I hesitated to
implement this, as this would add per-packet code, which I guess should
only be introduced if really necessary. However, if you are fine with
those extra lines I could add it and merge both solutions.

Best regards,
Jan

P.S.: Seems you forgot to commit your protocols/conn/mac-logging.bro
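As an added illustration (not code from either branch or from the Bro project), the following Bro script shows the originator/responder pattern discussed above: it copies link-layer addresses from the connection object into conn.log and uses them to correlate IPs to MACs, raising a Notice when an IP that was previously seen behind one MAC shows up behind another. It assumes the `endpoint` record carries an optional `l2_addr` string field (the shape of Jan's branch); the `Conn::Info` field names, the notice type and the expiry interval are choices made for this example.

```bro
##! Added example: log link-layer addresses per connection side and
##! flag IP-to-MAC inconsistencies. Assumes c$orig$l2_addr / c$resp$l2_addr
##! exist on the endpoint record (assumption taken from the branch above).

@load base/protocols/conn
@load base/frameworks/notice

module MacLogging;

export {
	redef enum Notice::Type += {
		## Raised when an IP address is seen behind a different MAC
		## than the one recorded for it earlier (name chosen here).
		IP_MAC_Mismatch
	};

	## How long an IP-to-MAC binding is remembered (example value).
	const binding_expire = 1hr &redef;
}

# Example field names; orig/resp split keeps the MAC tied to its IP.
redef record Conn::Info += {
	orig_l2_addr: string &log &optional;
	resp_l2_addr: string &log &optional;
};

# Last MAC observed for each IP address.
global ip_to_mac: table[addr] of string &create_expire=binding_expire;

# Record the binding and notice if it differs from what was seen before.
function check_binding(c: connection, ip: addr, mac: string)
	{
	if ( ip in ip_to_mac && ip_to_mac[ip] != mac )
		NOTICE([$note=IP_MAC_Mismatch,
		        $msg=fmt("%s seen behind %s, previously %s",
		                 ip, mac, ip_to_mac[ip]),
		        $conn=c,
		        $identifier=cat(ip, mac)]);

	ip_to_mac[ip] = mac;
	}

# Run before the conn.log record is written (higher priority than the
# base script's own connection_state_remove handler at priority 0).
event connection_state_remove(c: connection) &priority=5
	{
	if ( c$orig?$l2_addr )
		{
		c$conn$orig_l2_addr = c$orig$l2_addr;
		check_binding(c, c$id$orig_h, c$orig$l2_addr);
		}

	if ( c$resp?$l2_addr )
		{
		c$conn$resp_l2_addr = c$resp$l2_addr;
		check_binding(c, c$id$resp_h, c$resp$l2_addr);
		}
	}
```

Because the check runs once per connection in `connection_state_remove`, it adds no per-packet cost; a MAC that changes mid-connection (the q-in-q case above) would only be seen as whichever value the endpoint record holds when the connection ends, so a change event like the one proposed for the flow label would still be needed to catch that case.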

