Obtain src/dst mac addrs from connection record

Is there a way to obtain the source and/or destination mac address from
a connection record? I've been looking through the scripts and BIFs, but
am not seeing anything. I'm wondering if I missed something. The way
it's looking right now, I'll have to use an ARP script (which I posted
to the list in November) or use the get_current_packet() to extract the
appropriate offsets.

You didn't miss anything. There is actually a very good reason that the MAC addresses aren't available. Ethernet has no notion of a connection so a single connection could involve any number of IP addresses. The connection you are looking into may not even be over ethernet so no MAC addresses would be available. In most "normal" cases of border sniffing you will only see the MAC addresses of two routers anyway.

That said... you could probably make it work by writing a script that uses the ARP analyzer to create MAC->IP address mappings and then looking up the MAC address that is using a particular IP address. You could even extend the conn.log file with orig_mac and resp_mac fields so that the MAC addresses would be located there. I don't think that's something we would ship with Bro directly due to how deployment specific it would be (would work great on LAN span ports, but for border sniffing it would be useless). It would be nice to have a script like that for our contributed scripts repository though!

  .Seth

We have a script in the Bro scripts repository that collects IP to MAC
mappings via DHCP ACKs and ARP replies:

    http://git.bro-ids.org/bro-scripts.git/blob/HEAD:/roam.bro

    Matthias

** Seth Hall <seth@icir.org> [2012-01-31 21:54:45 -0500] **

> Is there a way to obtain the source and/or destination mac address from
> a connection record? I've been looking through the scripts and BIFs, but
> am not seeing anything. I'm wondering if I missed something.

> You didn't miss anything. There is actually a very good reason that
> the MAC addresses aren't available. Ethernet has no notion of a
> connection so a single connection could involve any number of IP
> addresses. The connection you are looking into may not even be over
> ethernet so no MAC addresses would be available. In most "normal"
> cases of border sniffing you will only see the MAC addresses of two
> routers anyway.

I figured that was the reason, but never hurts to ask.

> That said... you could probably make it work by writing a script that
> uses the ARP analyzer to create MAC->IP address mappings and then
> looking up the MAC address that is using a particular IP address. You
> could even extend the conn.log file with orig_mac and resp_mac fields
> so that the MAC addresses would be located there. I don't think
> that's something we would ship with Bro directly due to how deployment
> specific it would be (would work great on LAN span ports, but for
> border sniffing it would be useless). It would be nice to have a
> script like that for our contributed scripts repository though!

For the reasons that you just said, I'm hesitant to add mac addresses to
the conn.log because it won't make much sense for 90% of all the traffic.
However, as mentioned offline, I'm re-writing the dhcp script from
pre-2.0 and identifying possible relays will be much easier with the ip
to mac addr mappings. So, with that said, I'll just use the arp script
that I previously provided.

Thanks for the feedback.
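The approach Seth sketches (learn IP-to-MAC bindings from the ARP analyzer, then add orig_mac and resp_mac to conn.log) written out as a Bro script. This is an added example for the thread, not code from Bro, from roam.bro or from the ARP script mentioned above. It assumes the Bro 2.x `arp_request`/`arp_reply` event signatures and that the Conn scripts build `c$conn` in `connection_state_remove` at priority 5 and write it at priority -5. It goes one step beyond the thread by raising a notice when an IP is claimed by a different MAC than before, since a binding learned purely from ARP is only as trustworthy as the ARP traffic itself; the table name, module name and notice type are the example's own choices.

```bro
##! Annotate conn.log with the Ethernet addresses learned from ARP.
##! Only meaningful where Bro sees the local segment (e.g. a switch span
##! port); at a border tap every connection would carry the router MACs.

@load base/frameworks/notice
@load base/protocols/conn

module ConnMac;

export {
	## Extra conn.log columns (example field names, as suggested in the thread).
	redef record Conn::Info += {
		orig_mac: string &log &optional;
		resp_mac: string &log &optional;
	};

	redef enum Notice::Type += {
		## An IP address was claimed by a different MAC than recorded earlier.
		Binding_Changed,
	};

	## Drop a binding that ARP has not refreshed for this long.
	const mapping_expire = 1hr &redef;

	## IP -> MAC bindings learned from ARP (assumed name, not a Bro built-in).
	global ip_to_mac: table[addr] of string &write_expire=mapping_expire;
}

# Record the sender binding carried by an ARP packet and flag changes.
function learn(ip: addr, mac: string)
	{
	# ARP probes use an unspecified sender address; nothing to learn there.
	if ( ip == 0.0.0.0 )
		return;

	if ( ip in ip_to_mac && ip_to_mac[ip] != mac )
		NOTICE([$note=Binding_Changed,
		        $msg=fmt("%s was %s, now claimed by %s", ip, ip_to_mac[ip], mac),
		        $identifier=cat(ip)]);

	ip_to_mac[ip] = mac;
	}

# Both requests and replies carry the sender's (SPA, SHA) pair.
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                  TPA: addr, THA: string)
	{
	learn(SPA, SHA);
	}

event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
	{
	learn(SPA, SHA);
	}

# Runs at default priority 0: after Conn has filled c$conn (priority 5)
# and before it writes the record (priority -5), per the assumption above.
event connection_state_remove(c: connection)
	{
	if ( ! c?$conn )
		return;

	if ( c$id$orig_h in ip_to_mac )
		c$conn$orig_mac = ip_to_mac[c$id$orig_h];

	if ( c$id$resp_h in ip_to_mac )
		c$conn$resp_mac = ip_to_mac[c$id$resp_h];
	}
```

Load it from local.bro on a sensor that watches a span port and the two columns appear in conn.log, empty for any endpoint whose ARP traffic Bro never saw. The fields record what ARP claimed at the time, not ground truth, which is why the binding-change notice is worth keeping alongside them.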