[Snort-users] Barnyard2/Base MAC Address from PCAP

Gordon Wallum gordon_wallum at otowfl.com
Wed Jan 3 15:22:53 EST 2018

Thanks for the info wkitty

I can find the MAC addresses in the Snort unified2 log, but when barnyard2 inputs the logs into SQL it doesn’t store the layer2 MAC data and instead uses a bogus hardcoded one

Is there any way to achieve this? I found an article explaining the same problem


Description of problem if unclear:
	Using snort in IDS mode with logs stored as snort.u2 (binary log)
	Using barnyard2 to transfer logs to SQL
	Using BASE to view SQL logs through HTML gui
	When I download the pcap data an alert from BASE the MAC addresses is not stored correctly

Thank you,

Gordon Wallum

Network Security Administrator
Information Technology Department

On Top of the World Communities & Related Entities
P 352.873.0848 x.7412   F 352.861.9569
9860 SW 84 Court, Suite D, Ocala, FL 34481

 Please consider the environment before printing this e-mail or other documents.

The contents of this e-mail message and any attachments are confidential and are intended solely for addressee. The information may also be legally privileged. This transmission is sent in trust, for the sole purpose of delivery to the intended recipient. If you have received this transmission in error, any use, reproduction or dissemination of this transmission is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail or phone and delete this message and its attachments, if any. 

-----Original Message-----
From: Snort-users [mailto:snort-users-bounces at lists.snort.org] On Behalf Of wkitty42 at windstream.net
Sent: Wednesday, January 03, 2018 10:36 AM
To: snort-users at lists.snort.org
Subject: Re: [Snort-users] Barnyard2/Base MAC Address from PCAP

On 01/03/2018 09:18 AM, Gordon Wallum wrote:
> Looking to pull layer 2 information from Barnyard2/BASE PCAP file
> The mac addresses are just showing as fake place holders: 
> de:ad:ca:fe:ba:be and
> 11:22:33:44:55:66
> Anyway to capture this information form base without having to go into 
> the
> unified2 log?

i don't know about your problem but remember that MACs are only good for the 1st hop... they are changed as the packet travels through each intermediate device... what you receive that originates outside may not have MAC info if you're more than one hop inside your perimeter... you're definitely one hop because of your router... i see similar, too, when working with PPP connections, for example...

  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.* _______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org
Go to this URL to change user options or unsubscribe:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

More information about the Snort-users mailing list