Using Bro to track MAC addresses instead of IPs

The connection record includes the IP/port pair. Is there a way to include MAC addresses?

Best Regards,

Earl Eiland,

Sr. Cyber Security Engineer,

Emerging Technologies, root9B,

San Antonio, Texas

Wouldn’t MAC addresses be of less value, since Bro would see the MAC address of the last device the packet has been through before reaching Bro? Or maybe you’re attempting to achieve something else.


Our intent is to monitor observed layer 2 traffic.

I would think arpwatch might be a better fit for that: