[Bro] Adding MAC Address Information to Connection Object and Logs

Robin Sommer robin at icir.org
Mon May 30 12:23:43 PDT 2016
On Mon, May 30, 2016 at 11:48 +0200, Jan Grashöfer wrote:

> The main difference is that the MAC addresses follow the
> originator/responder pattern, so you could correlate them to IPs.

Yeah, I can see moving them into the endpoints, that also addresses
flipping them if the connection switches roles. If you turn that into
a pull request, I'll merge it in. (I think I'd change the dynamic
allocations for orig/resp_l2_addr to static arrays to avoid the memory
operations.)

> Another point is that link-layer addresses could change in the course of
> a "connection" (see q-in-q.trace for a minimal example). My idea would
> be to handle this like the flow label and generate an event once the
> addresses change (might be valuable information).

I'm hesitant on this too, not sure that's common enough to warrant
the extra logic. It's also part of the fundamental issue that Bro's
connection-oriented nature sometimes has trouble reflecting layer-2
semantics (VLANs could in principle change too). So I would skip this
at least until a clear need arises.

> P.S.: Seems you forgot to commit your protocols/conn/mac-logging.bro

Fixed!

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
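An added example, not the script from this thread nor the committed mac-logging.bro: a Bro policy script that carries per-endpoint link-layer addresses into conn.log, assuming the endpoint record exposes the address in a field named `l2_addr` (a hypothetical name chosen to match the orig/resp_l2_addr naming above).

```bro
##! Adds originator and responder link-layer addresses to conn.log.
##! Assumes a hypothetical endpoint field `l2_addr` holding the MAC
##! address as a string, set by the core when the frame is seen.

module Conn;

export {
	redef record Conn::Info += {
		## Link-layer address of the originator, if seen.
		orig_l2_addr: string &log &optional;
		## Link-layer address of the responder, if seen.
		resp_l2_addr: string &log &optional;
	};
}

# Copy the addresses when the connection is torn down. Because the
# fields live on the endpoints rather than on the connection, a role
# flip swaps orig and resp together, so no extra handling is needed.
event connection_state_remove(c: connection)
	{
	if ( c$orig?$l2_addr )
		c$conn$orig_l2_addr = c$orig$l2_addr;

	if ( c$resp?$l2_addr )
		c$conn$resp_l2_addr = c$resp$l2_addr;
	}
```

With the two columns in conn.log, a MAC that does not match the address an IP is known to use on the monitored segment becomes a simple inventory check rather than a packet-capture exercise.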
