Add MAC addresses to connection record.

c$eth_src and c$eth_dst now contain the Ethernet address if available. A new script protocols/conn/mac-logging.bro adds these to conn.log when loaded.
2025-10-14 04:28:20 +00:00 · 2016-05-29 13:27:21 -07:00 · 2016-05-29 13:27:21 -07:00 · 57aef6d49f
commit 57aef6d49f
parent 35686fb93a
20 changed files with 486 additions and 321 deletions
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@ -44,6 +44,8 @@ void Packet::Init(int arg_link_type, struct timeval *arg_ts, uint32 arg_caplen,
 	eth_type = 0;
 	vlan = 0;
 	inner_vlan = 0;
+	bzero(eth_src, sizeof(eth_src));
+	bzero(eth_dst, sizeof(eth_dst));

 	l2_valid = false;

@ -136,8 +138,12 @@ void Packet::ProcessLayer2()
 		{
 		// Get protocol being carried from the ethernet frame.
 		int protocol = (pdata[12] << 8) + pdata[13];
-		pdata += GetLinkHeaderSize(link_type);
+
 		eth_type = protocol;
+		memcpy(eth_dst, pdata, 6);
+		memcpy(eth_src, pdata + 6, 6);
+
+		pdata += GetLinkHeaderSize(link_type);

 		switch ( protocol )
 			{
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@ -1,6 +1,8 @@
 #ifndef packet_h
 #define packet_h

+#include <netinet/ether.h>
+
 #include "Desc.h"
 #include "IP.h"
 #include "NetVar.h"
@ -50,7 +52,8 @@ public:
 	 */
 	Packet(int link_type, struct timeval *ts, uint32 caplen,
 	       uint32 len, const u_char *data, int copy = false,
-	       std::string tag = std::string("")) : data(0)
+	       std::string tag = std::string(""))
+	           : data(0), eth_src(), eth_dst()
 	       {
 	       Init(link_type, ts, caplen, len, data, copy, tag);
 	       }
@ -58,7 +61,7 @@ public:
 	/**
 	 * Default constructor. For internal use only.
 	 */
-	Packet() : data(0)
+	Packet() : data(0), eth_src(), eth_dst()
 		{
 		struct timeval ts = {0, 0};
 		Init(0, &ts, 0, 0, 0);
@ -167,19 +170,31 @@ public:
 	 * Layer 3 protocol identified (if any). Valid iff Layer2Valid()
 	 * returns true.
 	 */
-	Layer3Proto l3_proto;		///
+	Layer3Proto l3_proto;

 	/**
 	 * If layer 2 is Ethernet, innermost ethertype field. Valid iff
 	 * Layer2Valid() returns true.
 	 */
-	uint32 eth_type;		///
+	uint32 eth_type;
+
+	/**
+	 * If layer 2 is Ethernet, the source MAC address. Valid iff
+	 * Layer2Valid() returns true.
+	 */
+	ether_addr eth_src[6];
+
+	/**
+	 * If layer 2 is Ethernet, the destiantion MAC address. Valid iff
+	 * Layer2Valid() returns true.
+	 */
+	ether_addr eth_dst[6];

 	/**
 	 * (Outermost) VLAN tag if any, else 0. Valid iff Layer2Valid()
 	 * returns true.
 	 */
-	uint32 vlan;			///
+	uint32 vlan;

 	/**
 	 * (Innermost) VLAN tag if any, else 0. Valid iff Layer2Valid()