About FlipRoles function

Hi everybody,
Sorry for my English. I have noticed that in the conn.cc (zeek-3.0.1\src) file there is an address translation in the method Connection::FlipRoles. The source code is:
```cpp
IPAddr tmp_addr = resp_addr;
resp_addr = orig_addr;
orig_addr = tmp_addr;

uint32 tmp_port = resp_port;
resp_port = orig_port;
orig_port = tmp_port;
```
I have two questions:

  1. When is the function (Connection::FlipRoles) called?
  2. Is there no need to think of the MAC address?

And I've run into some technical problems recently. In conn.log, you can see:
"id.orig_h":"Source IP","id.resp_h":"Destination IP",…"orig_l2_addr":"Destination MAC","resp_l2_addr":"Source MAC".

Thanks,
Zhoubin

    1. When is the function (Connection::FlipRoles) called?

There are a couple of places but the main one is when Zeek sees a
partial connection that has a well-known port on the *originator*
side. It then assumes that it must have missed the actual first packet
because the well-known port would normally be on the responder side.
So it flips the direction internally before doing anything further.

    2. Is there no need to think of the MAC address?

It should be flipping that, too, see the code for
Connection::FlipRoles().

    And I've run into some technical problems recently. In conn.log, you can see:
    "id.orig_h":"Source IP","id.resp_h":"Destination IP",......"orig_l2_addr":"Destination MAC","resp_l2_addr":"Source MAC".

I'm not quite sure if you're saying you aren't seeing the MAC address
being flipped? Or *they* are flipped, but not the IP addresses? Do you
have a trace that shows what you're observing?

Robin
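
One way to find the conn.log entries worth pulling a trace for, as an added example (not code from this thread or from Zeek): it flags records whose MAC addresses sit on the opposite endpoint from where each IP is usually seen, and notes whether the `history` field carries `^`, which Zeek documents as "direction was flipped". It assumes JSON-format logs with the `orig_l2_addr`/`resp_l2_addr` fields quoted above and that each IP normally appears with one MAC; the function names and sample lines are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample conn.log entries (JSON lines); every value is made up.
SAMPLE_LOG = """
{"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","orig_l2_addr":"02:00:00:00:00:05","resp_l2_addr":"02:00:00:00:00:09","history":"ShADadFf"}
{"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","orig_l2_addr":"02:00:00:00:00:05","resp_l2_addr":"02:00:00:00:00:09","history":"ShADadFf"}
{"uid":"C3","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.5","orig_l2_addr":"02:00:00:00:00:09","resp_l2_addr":"02:00:00:00:00:05","history":"Dd"}
{"uid":"C4","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","orig_l2_addr":"02:00:00:00:00:09","resp_l2_addr":"02:00:00:00:00:05","history":"^dADa"}
{"uid":"C5","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","history":"S"}
"""

def parse_conn_log(text):
    """Parse JSON-lines conn.log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def majority_mac(records):
    """Map each IP to the MAC most often logged on the same side as it."""
    seen = defaultdict(Counter)
    for rec in records:
        for side in ("orig", "resp"):
            mac = rec.get(side + "_l2_addr")  # absent if MAC logging is off
            if mac:
                seen[rec["id." + side + "_h"]][mac] += 1
    return {ip: macs.most_common(1)[0][0] for ip, macs in seen.items()}

def swapped_mac_records(records):
    """Return (uid, direction_flipped) for records with crossed MACs."""
    usual = majority_mac(records)
    hits = []
    for rec in records:
        o_mac, r_mac = rec.get("orig_l2_addr"), rec.get("resp_l2_addr")
        if not o_mac or not r_mac or o_mac == r_mac:
            continue  # nothing to compare
        # Crossed: each side carries the MAC usually seen with the other IP.
        if (usual.get(rec["id.orig_h"]) == r_mac
                and usual.get(rec["id.resp_h"]) == o_mac):
            hits.append((rec["uid"], "^" in rec.get("history", "")))
    return hits

if __name__ == "__main__":
    for uid, flipped in swapped_mac_records(parse_conn_log(SAMPLE_LOG)):
        print(uid, "MACs crossed; history shows a flip:", flipped)
```

Hosts behind a router all share the gateway's MAC, so the comparison is only meaningful for endpoints on the monitored segment.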