[Zeek] About FlipRoles function

[周斌]

Hi everybody,
   Sorry my English. I have noticed that in conn.cc(zeek-3.0.1\src) file there is a address translation in the method Connection::FlipRoles. The source code is:
        IPAddr tmp_addr = resp_addr
	  resp_addr = orig_addr
	  orig_addr = tmp_addr


	  uint32 tmp_port = resp_port
	  resp_port = orig_port
	  orig_port = tmp_port
    I have tow questions:
    1. When the function(Connection::FlipRoles) was called？
    2. Not need to think of MAC address？
   
   And I've run into some technical problems recently. In conn.log, You can see:
  "id.orig_h":"Source IP","id.resp_h":"Destination IP",......"orig_l2_addr":"Destination MAC","resp_l2_addr":"Source MAC". 


Thanks,
Zhoubin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20191217/5f5da16b/attachment.html