[Snort-users] Barnyard2/Base MAC Address from PCAP

wkitty42 at windstream.net wkitty42 at windstream.net
Wed Jan 3 10:36:06 EST 2018


On 01/03/2018 09:18 AM, Gordon Wallum wrote:
> Looking to pull layer 2 information from Barnyard2/BASE PCAP file
> 
> The MAC addresses are just showing as fake placeholders: de:ad:ca:fe:ba:be and 
> 11:22:33:44:55:66
> 
> Any way to capture this information from BASE without having to go into the 
> unified2 log?


i don't know about your problem but remember that MACs are only good for the 1st 
hop... they are changed as the packet travels through each intermediate 
device... what you receive that originates outside may not have MAC info if 
you're more than one hop inside your perimeter... you're definitely one hop 
because of your router... i see similar, too, when working with PPP connections, 
for example...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
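
Added example, not part of the original thread: a small check that reads the Ethernet header of each frame in a classic pcap file and reports which frames carry the two placeholder MAC addresses quoted in the question. The sample capture is constructed inline, the function names are hypothetical, and which placeholder sits in the source or destination field is an assumption.

```python
import struct

# Placeholder addresses quoted in the question above.
PLACEHOLDER_MACS = {"de:ad:ca:fe:ba:be", "11:22:33:44:55:66"}
LINKTYPE_ETHERNET = 1

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ethernet_macs(pcap_bytes):
    """Yield (frame_no, dst_mac, src_mac) for each record in a classic pcap."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    # The link type is the last field of the 24-byte global header.
    linktype = struct.unpack_from(endian + "I", pcap_bytes, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} has no Ethernet header")
    offset, frame_no = 24, 0
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, incl_len, orig_len.
        incl_len = struct.unpack_from(endian + "I", pcap_bytes, offset + 8)[0]
        data = pcap_bytes[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        frame_no += 1
        if len(data) >= 14:  # destination MAC, source MAC, EtherType
            yield frame_no, fmt_mac(data[0:6]), fmt_mac(data[6:12])

def placeholder_frames(pcap_bytes):
    """Return frame numbers whose source or destination MAC is a placeholder."""
    return [n for n, dst, src in ethernet_macs(pcap_bytes)
            if dst in PLACEHOLDER_MACS or src in PLACEHOLDER_MACS]

def _record(frame):
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample capture: frame 1 has placeholder MACs, frame 2 does not.
_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
_F1 = bytes.fromhex("deadcafebabe" "112233445566" "0800") + b"\x00" * 20
_F2 = bytes.fromhex("020000000001" "020000000002" "0800") + b"\x00" * 20
SAMPLE_PCAP = _HDR + _record(_F1) + _record(_F2)

if __name__ == "__main__":
    print(placeholder_frames(SAMPLE_PCAP))
```
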

