[Zeek] MAC Address In Logs

Michał Purzyński michalpurzynski1 at gmail.com
Tue Feb 19 18:21:56 PST 2019


If testing with a cluster - have you re-deployed your Zeek?

"broctl deploy" needs to be run after each change to scripts and
configuration. You can see what scripts are loaded with the "broctl
scripts" command, so just run

broctl scripts | grep mac

If testing with a pcap - some scripts are not loaded by default when you
just run zeek from the command line. You can try with

bro -C -r <pcap> policy/protocols/conn/mac-logging

to explicitly load this script.



On Tue, Feb 19, 2019 at 5:46 PM TQ <nothinrandom at gmail.com> wrote:

> Hi Chris,
>
> I only see these headers for conn.log:
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
> duration orig_bytes resp_bytes conn_state local_orig local_resp
> missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
> tunnel_parents
>
> Using the same commands I always use: sudo ./bro -C -r
> ~/Desktop/pcap/test.pcap
>
> Wireshark shows MAC just fine.  I don't need to rebuild bro again, right?
> Just need to edit the /usr/local/bro/share/bro/site/local.bro file.  The
> only file that shows a column for mac is the dhcp.log
>
> Thanks,
>
> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh <chris at cwalsh.org> wrote:
>
>> In my 2.5.3 installation, the comment above the line in question says
>> that the MAC addrs will be logged to the conn.log file.  This is what
>> happens for me.  From there, they can be linked to other logs via the uid
>> field.
>>
>> Are you sure that your conn.log does not have the orig_l2_addr and
>> resp_l2_addr fields?
>>
>> Chris
>>
>> > On Feb 19, 2019, at 5:38 PM, TQ <nothinrandom at gmail.com> wrote:
>> >
>> > Thanks for the reply, Michael.  So I went into
>> > /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
>> > policy/protocols/conn/mac-logging.  I reran bro and checked all log files,
>> > but none contain the MAC address.  This is running on Zeek 2.6.1.  I'm not
>> > sure what to expect (i.e. two columns for source/destination MAC?).  Maybe
>> > I'm missing another step?
>> >
>> > Thanks,
>>
>> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
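The check Michał and Chris describe, written out as an added example (this is not code from the thread or from the Zeek project): parse a conn.log in Zeek's tab-separated format, report whether the orig_l2_addr / resp_l2_addr columns that policy/protocols/conn/mac-logging adds are present, and, when they are, build the uid -> MAC mapping that lets the addresses be joined to other logs via uid. The two log samples are constructed for the example; the header layout follows the field list TQ pasted above, plus the two MAC columns Chris names.

```python
"""Diagnose whether mac-logging fields made it into a Zeek conn.log.

Added example, not Zeek's own code. Zeek's TSV logs carry their schema in
'#fields' / '#types' header lines, use the '#separator' header to declare the
delimiter, and write '#unset_field' (normally '-') for absent values.
"""
from typing import Dict, List, Optional, Tuple

# Columns added to conn.log by policy/protocols/conn/mac-logging.
MAC_FIELDS = ("orig_l2_addr", "resp_l2_addr")

# Constructed sample: conn.log written with mac-logging loaded (two records).
CONN_LOG_WITH_MAC = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents\torig_l2_addr\tresp_l2_addr\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount"
    "\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount"
    "\tset[string]\tstring\tstring\n"
    "1550620800.000000\tCAbc1234567890\t192.0.2.10\t49152\t198.51.100.5\t80\ttcp"
    "\thttp\t0.5\t100\t2000\tSF\tT\tF\t0\tShADadFf\t5\t400\t6\t2300\t-"
    "\t00:11:22:33:44:55\taa:bb:cc:dd:ee:ff\n"
    "1550620801.000000\tCDef0987654321\t192.0.2.11\t5353\t224.0.0.251\t5353\tudp"
    "\tdns\t-\t-\t-\tS0\tT\tF\t0\tD\t1\t80\t0\t0\t-\t66:77:88:99:aa:bb\t-\n"
    "#close\t2019-02-19-18-05-00\n"
)

# Constructed sample: the header TQ reported, i.e. mac-logging NOT loaded.
CONN_LOG_WITHOUT_MAC = (
    "#separator \\x09\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents\n"
    "1550620800.000000\tCAbc1234567890\t192.0.2.10\t49152\t198.51.100.5\t80\ttcp"
    "\thttp\t0.5\t100\t2000\tSF\tT\tF\t0\tShADadFf\t5\t400\t6\t2300\t-\n"
)

Record = Dict[str, Optional[str]]


def parse_zeek_log(text: str) -> Tuple[List[str], List[Record]]:
    """Return (field names, records) from a Zeek TSV log; unset values become None."""
    sep, unset, fields = "\t", "-", []  # defaults if the headers are missing
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Header is written with a literal escape such as \x09.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            elif line.startswith("#unset_field" + sep):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            continue  # other headers (#types, #path, #open, #close) are not needed
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"record has {len(values)} columns, header has {len(fields)}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return fields, records


def missing_mac_fields(fields: List[str]) -> List[str]:
    """Names from MAC_FIELDS absent from the log header (empty list = mac-logging active)."""
    return [f for f in MAC_FIELDS if f not in fields]


def mac_by_uid(records: List[Record]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """uid -> (orig MAC, resp MAC); the uid is the key for joining to other Zeek logs."""
    return {r["uid"]: (r.get("orig_l2_addr"), r.get("resp_l2_addr")) for r in records}


def diagnose(text: str) -> str:
    """One-line verdict a user in TQ's position would want to see."""
    fields, records = parse_zeek_log(text)
    missing = missing_mac_fields(fields)
    if missing:
        return ("missing " + ", ".join(missing)
                + ": mac-logging not loaded (re-run 'broctl deploy' or pass "
                "policy/protocols/conn/mac-logging on the command line)")
    return f"mac-logging active: {len(mac_by_uid(records))} uid(s) carry L2 addresses"


if __name__ == "__main__":
    print(diagnose(CONN_LOG_WITHOUT_MAC))
    print(diagnose(CONN_LOG_WITH_MAC))
```

Point the parser at a real conn.log (the same code handles any Zeek TSV log, since it reads the schema from the header) and the verdict tells you directly whether the script took effect; a None in the resp side of the mapping is expected for traffic whose responder never answered on the wire.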