** Seth Hall <seth(a)icir.org> [2012-01-31 21:54:45 -0500] **
On Jan 31, 2012, at 5:47 PM, Peter Erickson wrote:
Is there a way to obtain the source and/or destination mac address from
a connection record? I've been looking through the scripts and BIFs, but
am not seeing anything. I'm wondering if I missed something.
You didn't miss anything. There is actually a very good reason that
the MAC addresses aren't available. Ethernet has no notion of a
connection so a single connection could involve any number of IP
addresses. The connection you are looking into may not even be over
ethernet so no MAC addresses would be available. In most "normal"
cases of border sniffing you will only see the MAC addresses of two
routers anyway.
I figured that was the reason, but never hurts to ask.
That said... you could probably make it work by writing a script that
uses the ARP analyzer to create MAC->IP address mappings and then
looking up the MAC address that is using a particular IP address. You
could even extend the conn.log file with orig_mac and resp_mac fields
so that the MAC addresses would be located there. I don't think
that's something we would ship with Bro directly due to how deployment
specific it would be (would work great on LAN span ports, but for
border sniffing it would be useless). It would be nice to have a
script like that for our contributed scripts repository though!
For the reasons that you just said, I'm hesitant to add mac addresses to
the conn.log because it won't make much sense for 90% of all the traffic.
However, as mentioned offline, I'm re-writing the dhcp script from
pre-2.0 and identifying possible relays will be much easier with the ip
to mac addr mappings. So, with that said, I'll just use the arp script
that I previously provided.
Thanks for the feedback.
--
Peter Erickson
redlamb19(a)gmail.com
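As an added example that is not code from this thread or from Bro itself, here is the script Seth sketches above: learn IP-to-MAC pairs from the ARP analyzer's events and fill them into conn.log as orig_mac and resp_mac. It assumes the arp_request/arp_reply event signatures of Bro 2.x/Zeek, and that the base conn script populates c$conn before (priority 5) and writes it after (priority -5) a default-priority connection_state_remove handler; the module name MacConn and the names ip2mac, learn and mapping_expiry are chosen here.

```zeek
# Added example: MAC<->IP mapping from ARP, attached to conn.log.
# Assumption: the base conn script fills c$conn at priority 5 and
# writes it at priority -5, so a priority-0 handler sits in between.
module MacConn;

export {
	redef record Conn::Info += {
		## Stays empty for non-Ethernet or border traffic, as the thread notes.
		orig_mac: string &log &optional;
		resp_mac: string &log &optional;
	};

	## Drop a pair not refreshed by ARP for this long, so a reused
	## DHCP lease does not keep reporting the previous host's MAC.
	const mapping_expiry = 1hr &redef;

	## IP address -> hardware address, as last seen in an ARP packet.
	global ip2mac: table[addr] of string &write_expire=mapping_expiry;
}

function learn(ip: addr, mac: string)
	{
	# ARP probes from unconfigured DHCP clients carry 0.0.0.0; skip them.
	if ( ip == 0.0.0.0 || mac == "00:00:00:00:00:00" )
		return;

	# The same IP answering from a new MAC is what a relay, a lease
	# reassignment or ARP spoofing looks like; record it for review.
	if ( ip in ip2mac && ip2mac[ip] != mac )
		Reporter::info(fmt("%s moved from %s to %s", ip, ip2mac[ip], mac));

	ip2mac[ip] = mac;
	}

# Both request and reply carry a sender protocol/hardware address pair.
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                  TPA: addr, THA: string)
	{
	learn(SPA, SHA);
	}

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
	{
	learn(SPA, SHA);
	}

event connection_state_remove(c: connection)
	{
	if ( c$id$orig_h in ip2mac )
		c$conn$orig_mac = ip2mac[c$id$orig_h];
	if ( c$id$resp_h in ip2mac )
		c$conn$resp_mac = ip2mac[c$id$resp_h];
	}
```

On a border tap the two new columns will only ever show the routers' addresses, which is exactly the deployment-specific behaviour the thread warns about; the script is meant for LAN span ports.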