Capturing DHCP events

I have an experimental git branch with DHCP support here: <https://github.com/grigorescu/bro/tree/remotes/origin/topic/vladg/dhcp>.

In order to use it, you'll need to do the following:

git clone --recursive git://git.bro.org/bro
cd bro
git remote add dhcp_github https://github.com/grigorescu/bro
git pull -s recursive -X theirs dhcp_github remotes/origin/topic/vladg/dhcp

Build Bro with the usual ./configure, make, make install

To enable the DHCP script, add this to local.bro:

@load base/protocols/dhcp

You should then see a dhcp.log. Here's an example from mine:

#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id
#types time string addr port addr port string addr interval count
1363813938.019865 4qCaj285Yr1 128.237.242.XX 68 128.237.224.X 67 58:bd:a3:ff:ee:dd 128.237.242.WWW 240.000000 3420159137
1363813938.020145 XLPtua3OiKg 128.237.237.YY 68 128.237.224.Y 67 90:27:e4:99:aa:cc 128.237.237.ZZ 240.000000 3009200041

Please let me know if you run into any problems with the script. I've been running it in production for about a month, and it works well for me.

  --Vlad
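
One use for the dhcp.log layout shown above is answering "which MAC held this IP at this time?" when triaging an alert. The following is an added example, not part of the original post or of the branch it describes. The function names are hypothetical, the sample records use constructed addresses and MACs, and it assumes tab-separated fields with "-" marking an unset field.

```python
from collections import defaultdict

# Constructed sample in the dhcp.log layout from the post (tab-separated).
SAMPLE_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmac\tassigned_ip\tlease_time\ttrans_id",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\taddr\tinterval\tcount",
    "1363813938.019865\tCaaa\t192.0.2.10\t68\t192.0.2.1\t67\t02:00:00:00:00:01\t192.0.2.10\t240.000000\t1001",
    "1363814100.000000\tCbbb\t192.0.2.10\t68\t192.0.2.1\t67\t02:00:00:00:00:01\t192.0.2.10\t240.000000\t1002",
    "1363814500.000000\tCccc\t0.0.0.0\t68\t192.0.2.1\t67\t02:00:00:00:00:02\t192.0.2.10\t240.000000\t1003",
    "1363814600.000000\tCddd\t0.0.0.0\t68\t192.0.2.1\t67\t02:00:00:00:00:03\t-\t-\t1004",
])

def read_bro_log(lines):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))

def build_leases(records):
    """Map assigned_ip -> list of (start, end, mac), sorted by start time."""
    leases = defaultdict(list)
    for r in records:
        # Assumption: "-" marks an unset field; such records carry no lease.
        if "-" in (r["assigned_ip"], r["lease_time"]):
            continue
        start = float(r["ts"])
        end = start + float(r["lease_time"])
        leases[r["assigned_ip"]].append((start, end, r["mac"]))
    for spans in leases.values():
        spans.sort()
    return leases

def mac_for_ip(leases, ip, when):
    """Return the MAC whose lease on ip covers time `when`, else None."""
    # Newest lease first, so a reassignment wins over an older overlap.
    for start, end, mac in reversed(leases.get(ip, [])):
        if start <= when < end:
            return mac
    return None

if __name__ == "__main__":
    leases = build_leases(read_bro_log(SAMPLE_LOG.splitlines()))
    print(mac_for_ip(leases, "192.0.2.10", 1363814000.0))
```

A `None` result means no logged lease covered that moment, so the address was either unleased or assigned outside the capture.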

Juuuuuust waiting for that merge request…. :)

  .Seth

Indeed! :)

Robin

Vlad,

Thanks! This is very close to what I was looking for. Any plans to include the DHCP Options Host Name in the logs?

Very nice. I’d also find it very useful to have the hostname included.