IP <-> MAC Address

Maxime_Lambert · June 30, 2016, 8:19am

Hi everyone,

Is there a way to obtain the source and/or destination mac address from a connection record ?

I've been looking through the scripts roam.bro, known-devices.bro and known-devices-and-hostnames.bro, but I'am not sure how it works. I'm wondering it I missed something. I've this 2 files :

cat /opt/bro/logs/current/**known_devices.log**
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   known_devices
#open   2016-06-30-09-08-33
#fields ts      mac     dhcp_host_name
#types  time    string  string
1467260412.707446       00:11:22:33:44:55       android-684541321657432
1467260416.339490       00:11:22:33:44:66       android-213857946354179
1467260447.207524       00:11:22:33:44:77      iPhone-XXXX
1467261341.099450       00:11:22:33:44:88      iPhone-YYYY
1467271833.863474       00:11:22:33:44:99      iPhone-ZZZZ
1467272311.523445       00:11:22:33:44:00       bitcoin-computer
1467272443.463545       00:11:22:33:44:11      iPhone-UUUU
1467272517.623516       00:11:22:33:44:22      iPhone-TTTT
1467272692.387523       00:11:22:33:44:33      iPhone-VVVV
1467273783.775451       00:11:22:33:44:44      SDM-00239
1467273899.667460       00:11:22:33:33:55      iPhone-AAAA

AND

cat /opt/bro/logs/current/**dhcp.log**
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   dhcp
#open   2016-06-30-09-51-23
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       mac     assigned_ip     lease_time      trans_id
#types  time    string  addr    port    addr    port    string  addr    interval        count
1467264083.815462       C4jfqvVzuapDS69dz      255.255.255.255 68      192.X.X.X     67      XX:XX:XX:XX:XX:XX       192.X.X.X    86400.000000    146703799
1467264083.815462       C4jfqvVzuapDS69dz      255.255.255.255 68      192.X.X.X     67      XX:XX:XX:XX:XX:XX       192.X.X.X    86400.000000    146703799
1467264083.815462       C4jfqvVzuapDS69dz      255.255.255.255 68      192.X.X.X     67      XX:XX:XX:XX:XX:XX       192.X.X.X    86400.000000    146703799
1467264083.815462       C4jfqvVzuapDS69dz      255.255.255.255 68      192.X.X.X     67      XX:XX:XX:XX:XX:XX       192.X.X.X    86400.000000    146703799

So what I want is a fusion between dhcp.log and know-devices.log to know to each devices their IP and MAC address.

I think bro must monitor ARP Request/Response to an output log file like this :

ts                                     string (Mac Addr)              string (hostname)                        string (IP Addr)
1467260401.707446       XX:XX:XX:XX:XX:XX        Android-XXXXXXXXXXX            X.X.X.X

Or maybe anyone has another solution ?

Thank you for your help.

Maxime Lambert

Seth_Hall1 · June 30, 2016, 2:28pm

This a feature in the next release of Bro. If you use git master, you can load the "policy/protocols/conn/mac-logging.bro" script and it will add MAC address fields to your conn log.

.Seth

Topic		Replies	Views
about Zeek	1	79	May 6, 2022
source ip and destination ip have been swaped in bro logs Zeek	3	76	May 6, 2022
dhcp_host_name field Zeek	1	68	May 6, 2022
Hooking into source/destination heuristic Zeek	2	48	May 6, 2022
remote.bro problem? Zeek	2	85	May 6, 2022

IP <-> MAC Address

Related Topics