Moved link-layer addresses into endpoints.

The link-layer addresses are now part of the connection endpoints following the originator-responder-pattern. The addresses are printed with leading zeros. Additionally link-layer addresses are also extracted for 802.11 plus RadioTap.
2025-10-13 12:08:20 +00:00 · 2016-06-02 01:46:26 +02:00 · 2016-06-02 01:46:26 +02:00 · 50cf694aae
commit 50cf694aae
parent a2423f7d43
19 changed files with 470 additions and 442 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -329,6 +329,8 @@ type endpoint: record {
 	## The current IPv6 flow label that the connection endpoint is using.
 	## Always 0 if the connection is over IPv4.
 	flow_label: count;
+	## The link-layer address seen in the first packet (if available).
+	l2_addr: string &optional;
 };

 ## A connection. This is Bro's basic connection type describing IP- and
@ -370,14 +372,6 @@ type connection: record {

 	## The inner VLAN, if applicable for this connection.
 	inner_vlan: int &optional;
-
-	## The Ethernet MAC source addrees, if applicable for this connection.
-        ## The address is derived from the connection's first packet.
-	eth_src: string &optional;
-
-	## The destination Ethernet MAC addrees, if applicable for this connection.
-        ## The address is derived from the connection's first packet.
-	eth_dst: string &optional;
 };

 ## Default amount of time a file can be inactive before the file analysis