[Bro] Adding MAC Address Information to Connection Object and Logs

Jan Grashöfer jan.grashoefer at gmail.com
Tue May 31 06:45:01 PDT 2016


> Yeah, I can see moving them into the endpoints, that also addresses
> flipping them if the connection switches roles. If you turn that into
> a pull request, I'll merge it in. (I think I'd change the dynamic
> allocations for orig/resp_l2_addr to static arrays to avoid the memory
> operations.)

I will have a look this week and open a pull request.

>> Another point is that link-layer addresses could change in the course of
>> a "connection" (see q-in-q.trace for a minimal example). My idea would
>> be to handle this like the flow label and generate an event once the
>> addresses change (might be valuable information).
> 
> I'm hesitant on this too, not sure that's common enough to warrant
> the extra logic. It's also part of the fundamental issue that Bro's
> connection-oriented nature sometimes has trouble reflecting layer-2
> semantics (VLANs could in principle change too). So I would skip this
> at least until a clear need arises.

I don't know how complex the plugin logic is, but maybe plugins can be
used to support optional layer 2 stuff like this.

Best regards,
Jan

