31 Jan
2012
31 Jan
'12
2:47 p.m.
Is there a way to obtain the source and/or destination mac address from
a connection record? I've been looking through the scripts and BIFs, but
am not seeing anything. I'm wondering it I missed something. The way
it's looking right now, I'll have to use an ARP script (which I posted
to the list in November) or use the get_current_packet() to extract the
appropriate offsets.
--
Peter Erickson
redlamb19(a)gmail.com
31 Jan
31 Jan
6:54 p.m.
On Jan 31, 2012, at 5:47 PM, Peter Erickson wrote:
Is there a way to obtain the source and/or destination
mac address from
a connection record? I've been looking through the scripts and BIFs, but
am not seeing anything. I'm wondering it I missed something.
You didn't miss anything. There is actually a very good reason that the MAC
addresses aren't available. Ethernet has no notion of a connection so a single
connection could involve any number of IP addresses. The connection you are looking into
may not even be over ethernet so no MAC addresses would be available. In most
"normal" cases of border sniffing you will only see the MAC addresses of two
routers anyway.
That said... you could probably make it work by writing a script that uses the ARP
analyzer to create MAC->IP address mappings and then looking up the MAC address that is
using a particular IP address. You could even extend the conn.log file with orig_mac and
resp_mac fields so that the MAC addresses would be located there. I don't think
that's something we would ship with Bro directly due to how deployment specific it
would be (would work great on LAN span ports, but for border sniffing it would be
useless). It would be nice to have a script like that for our contributed scripts
repository though!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
7:33 p.m.
On Tue, Jan 31, 2012 at 6:54 PM, Seth Hall <seth(a)icir.org> wrote:
It would be nice to have a script like that for our
contributed scripts repository though!
We have a script in the Bro scripts repository that collects IP to MAC
mappings via DHCP ACKs and ARP replies:
http://git.bro-ids.org/bro-scripts.git/blob/HEAD:/roam.bro
Matthias
1 Feb
1 Feb
12:39 p.m.
** Seth Hall <seth(a)icir.org> [2012-01-31 21:54:45 -0500] **
On Jan 31, 2012, at 5:47 PM, Peter Erickson wrote:
I figured that was the reason, but never hurts to ask.
Is there a way to obtain the source and/or
destination mac address from
a connection record? I've been looking through the scripts and BIFs, but
am not seeing anything. I'm wondering it I missed something.
You didn't miss anything. There is actually a very good reason that
the MAC addresses aren't available. Ethernet has no notion of a
connection so a single connection could involve any number of IP
addresses. The connection you are looking into may not even be over
ethernet so no MAC addresses would be available. In most "normal"
cases of border sniffing you will only see the MAC addresses of two
routers anyway. That said... you could probably make it work by
writing a script that
uses the ARP analyzer to create MAC->IP address mappings and then
looking up the MAC address that is using a particular IP address. You
could even extend the conn.log file with orig_mac and resp_mac fields
so that the MAC addresses would be located there. I don't think
that's something we would ship with Bro directly due to how deployment
specific it would be (would work great on LAN span ports, but for
border sniffing it would be useless). It would be nice to have a
script like that for our contributed scripts repository though!
For the reasons that you just said, I'm hesitant to add mac addresses to
the conn.log because it won't make much sense for 90% of all the traffic.
However, as mentioned offline, I'm re-writing the dhcp script from
pre-2.0 and identifying possible relays will be much easier with the ip
to mac addr mappings. So, with that said, I'll just use the arp script
that I previously provided.
Thanks for the feedback.
--
Peter Erickson
redlamb19(a)gmail.com
3596
days inactive
3597
days old
3 comments
3 participants
participants (3)
-
Matthias Vallentin -
Peter Erickson -
Seth Hall