Snort mailing list archives
Re: Barnyard2/Base MAC Address from PCAP
From: wkitty42 () windstream net
Date: Wed, 3 Jan 2018 10:36:06 -0500
On 01/03/2018 09:18 AM, Gordon Wallum wrote:
Looking to pull layer 2 information from Barnyard2/BASE PCAP file.
The MAC addresses are just showing as fake placeholders: de:ad:ca:fe:ba:be and 11:22:33:44:55:66
Any way to capture this information from BASE without having to go into the unified2 log?
i don't know about your problem but remember that MACs are only good for the 1st hop... they are changed as the packet travels through each intermediate device... what you receive that originates outside may not have MAC info if you're more than one hop inside your perimeter... you're definitely one hop because of your router... i see similar, too, when working with PPP connections, for example...
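A way to check which frames in a capture carry the two placeholder addresses quoted above, as an added example that is not part of the original thread or of Barnyard2/BASE code. It reads a classic pcap file and reports the Ethernet destination and source of every frame; the function names and the sample capture are constructed for illustration, and the dst/src order of the placeholders in the sample is an assumption.

```python
import struct

# Placeholder MACs quoted in the thread.
PLACEHOLDER_MACS = {"de:ad:ca:fe:ba:be", "11:22:33:44:55:66"}
# Classic pcap magic numbers (microsecond and nanosecond), by byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ethernet_macs(data):
    """Return [(dst, src, is_placeholder)] for each frame in classic pcap bytes."""
    endian = MAGICS.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError(f"link type {linktype}: no Ethernet header to read")
    rows, pos = [], 24
    while pos + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack_from(endian + "I", data, pos + 8)[0]
        frame = data[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record: no complete Ethernet header
        dst, src = fmt_mac(frame[0:6]), fmt_mac(frame[6:12])
        rows.append((dst, src, bool({dst, src} & PLACEHOLDER_MACS)))
    return rows

def sample_pcap(linktype=1):
    """Constructed two-packet capture: one placeholder header, one other."""
    def record(dst, src):
        # Ethernet header (EtherType 0x0800) plus 20 bytes of dummy payload.
        frame = bytes.fromhex(dst + src + "0800") + b"\x45" + bytes(19)
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    return (header + record("deadcafebabe", "112233445566")
            + record("020000000002", "020000000001"))

if __name__ == "__main__":
    for dst, src, fake in ethernet_macs(sample_pcap()):
        print(f"dst={dst} src={src} {'PLACEHOLDER' if fake else 'other'}")
```

To run it on a real file, pass `open(path, "rb").read()` to `ethernet_macs`; pcapng files are not handled.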