[Zeek] MAC Address In Logs

TQ nothinrandom at gmail.com
Tue Feb 19 17:40:38 PST 2019


Hi Chris,

I only see these headers for conn.log:
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents

Using the same commands I always use: sudo ./bro -C -r ~/Desktop/pcap/test.pcap

Wireshark shows MAC just fine.  I don't need to rebuild bro again, right?
Just need to edit the /usr/local/bro/share/bro/site/local.bro file.  The
only file that shows a column for mac is the dhcp.log

Thanks,

On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh <chris at cwalsh.org> wrote:

> In my 2.5.3 installation, the comment above the line in question says that
> the MAC addrs will be logged to the conn.log file.  This is what happens
> for me.  From there, they can be linked to other logs via the uid field.
>
> Are you sure that your conn.log does not have the orig_l2_addr and
> resp_l2_addr fields?
>
> Chris
>
> > On Feb 19, 2019, at 5:38 PM, TQ <nothinrandom at gmail.com> wrote:
> >
> > Thanks for reply Michael.  So I went into
> /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
> policy/protocols/conn/mac-logging.  I reran bro and checked all log files,
> but none contain the MAC address.  This is running on Zeek 2.6.1.  I'm not
> sure what to expect (i.e. two columns for source/destination MAC?).  Maybe
> I'm missing another step?
> >
> > Thanks,
>
>