Using bro to track MAC addresses instead of IPs

Earl_Eiland · July 31, 2015, 8:32pm

The connection record includes the IP/port pair. Is there a way to include MAC addresses?

Best Regards,

Earl Eiland,

Sr. Cyber Security Engineer,

Emerging Technologies, root9B,

San Antonio, Texas

M_P · July 31, 2015, 8:47pm

Wouldn’t MAC addresses be of less value, since Bro would see the MAC address of the last device the packet been through before reaching Bro? Or May be your attempting to achieve something else.

MP

Earl_Eiland · July 31, 2015, 8:56pm

Our intent is to monitor observed layer 2 traffic.

James_inthe_box · July 31, 2015, 9:00pm

I would think arpwatch might be a better fit for that:

http://www.tecmint.com/monitor-ethernet-activity-in-linux/

James

Topic		Replies	Views
Layer 2 Info Zeek	3	79	May 6, 2022
Implementing MAC Address Label in Logs Zeek	2	98	May 6, 2022
BRO IDS Zeek	6	136	May 6, 2022
Other log files besides conn.log Zeek	5	100	May 6, 2022
MAC Address In Logs Zeek	9	936	May 6, 2022

Using bro to track MAC addresses instead of IPs

Related topics