mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00

The link-layer addresses are now part of the connection endpoints following the originator-responder-pattern. The addresses are printed with leading zeros. Additionally link-layer addresses are also extracted for 802.11 plus RadioTap.
##! This script adds link-layer address (MAC) information to the connection logs
@load base/protocols/conn
module Conn;
redef record Conn::Info += {
	## Link-layer (MAC) address of the originator, if available.
	## The value is whatever was observed on the monitored segment, so
	## for routed traffic it may belong to an adjacent gateway rather
	## than the originating host. Link-layer addresses are also
	## sender-controlled; use the field as a correlation hint, not as
	## proof of identity.
	orig_l2_addr: string &log &optional;

	## Link-layer (MAC) address of the responder, if available.
	## The same caveats as for the originator address apply.
	resp_l2_addr: string &log &optional;
};
# Add the link-layer addresses to the Conn::Info structure after the connection
# has been removed. This ensures it's only done once, and is done before the
# connection information is written to the log.
event connection_state_remove(c: connection)
	{
	# NOTE(review): this handler writes into c$conn, so it assumes the
	# base conn script has already populated that record by the time a
	# handler without an explicit priority runs, and that the log write
	# happens afterwards. Confirm the handler ordering.

	# Copy each endpoint's address only when the endpoint carries one;
	# otherwise the optional log field stays unset.
	if ( c$orig?$l2_addr )
		{
		c$conn$orig_l2_addr = c$orig$l2_addr;
		}

	if ( c$resp?$l2_addr )
		{
		c$conn$resp_l2_addr = c$resp$l2_addr;
		}
	}