Snort mailing list archives
Re: Snort-users Digest, Vol 8, Issue 4
From: TJ via Snort-users <snort-users () lists snort org>
Date: Wed, 3 Jan 2018 10:41:23 -0800
Unsubscribe please

-----Original Message-----
From: Snort-users [mailto:snort-users-bounces () lists snort org] On Behalf Of snort-users-request () lists snort org
Sent: Wednesday, January 03, 2018 9:00 AM
To: snort-users () lists snort org
Subject: Snort-users Digest, Vol 8, Issue 4

Send Snort-users mailing list submissions to
snort-users () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.snort.org/mailman/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists snort org

You can reach the person managing the list at
snort-users-owner () lists snort org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

When responding, please don't respond with the entire Digest. Please trim your response.

Today's Topics:

1. Re: Barnyard2/Base MAC Address from PCAP (wkitty42 () windstream net)

----------------------------------------------------------------------

Message: 1
Date: Wed, 3 Jan 2018 10:36:06 -0500
From: wkitty42 () windstream net
To: snort-users () lists snort org
Subject: Re: [Snort-users] Barnyard2/Base MAC Address from PCAP
Message-ID: <bdecfc6c-37d6-36dd-9306-4373e0136ca4 () windstream net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 01/03/2018 09:18 AM, Gordon Wallum wrote:
> Looking to pull layer 2 information from Barnyard2/BASE PCAP file.
> The MAC addresses are just showing as fake placeholders: de:ad:ca:fe:ba:be and 11:22:33:44:55:66
> Any way to capture this information from BASE without having to go into the unified2 log?

i don't know about your problem but remember that MACs are only good for the
1st hop... they are changed as the packet travels through each intermediate
device... what you receive that originates outside may not have MAC info if
you're more than one hop inside your perimeter... you're definitely one hop
because of your router... i see similar, too, when working with PPP
connections, for example...
--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*
------------------------------
Subject: Digest Footer
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
https://lists.snort.org/mailman/listinfo/snort-users
Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette
------------------------------
End of Snort-users Digest, Vol 8, Issue 4
*****************************************
