[Snort-users] Snort-users Digest, Vol 8, Issue 4

TJ ty.jackson at gmail.com
Wed Jan 3 13:41:23 EST 2018


Unsubscribe please

-----Original Message-----
From: Snort-users [mailto:snort-users-bounces at lists.snort.org] On Behalf Of
snort-users-request at lists.snort.org
Sent: Wednesday, January 03, 2018 9:00 AM
To: snort-users at lists.snort.org
Subject: Snort-users Digest, Vol 8, Issue 4

Today's Topics:

   1. Re: Barnyard2/Base MAC Address from PCAP (wkitty42 at windstream.net)


----------------------------------------------------------------------

Message: 1
Date: Wed, 3 Jan 2018 10:36:06 -0500
From: wkitty42 at windstream.net
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] Barnyard2/Base MAC Address from PCAP
Message-ID: <bdecfc6c-37d6-36dd-9306-4373e0136ca4 at windstream.net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 01/03/2018 09:18 AM, Gordon Wallum wrote:
> Looking to pull layer 2 information from Barnyard2/BASE PCAP file
> 
> The MAC addresses are just showing as fake placeholders: de:ad:ca:fe:ba:be and 11:22:33:44:55:66
> 
> Any way to capture this information from BASE without having to go into the unified2 log?


i don't know about your problem but remember that MACs are only good for the
1st hop... they are changed as the packet travels through each intermediate
device... what you receive that originates outside may not have MAC info if
you're more than one hop inside your perimeter... you're definitely one hop
because of your router... i see similar, too, when working with PPP
connections, for example...


--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*

