View MAC address #14384
Replies: 2 comments 6 replies
-
|
I double check zeek.conn log and the mac-address field is not there.. What is your use-case for wanting to see mac-address? You know depending on your placement of network taps you will not see the "actual" source/destination mac-address.. For example, typically you place a network tap at the egress choke section of your network between your router and firewall... With that you will only see the destination-mac of the next-hop firewall and source-mac of your router.. |
Beta Was this translation helpful? Give feedback.
-
|
Also see the ARP section of the documentation: |
Beta Was this translation helpful? Give feedback.
-
|
The ARP Visibility seems like an interesting concept but all the tests I do do not give the desired answer.
Or:
|
Beta Was this translation helpful? Give feedback.
-
|
Did you follow the steps in the documentation? Did you go to your Zeek excluded configuration as shown in the Zeek configuration section, remove ecat_arp_info from the list, and save the configuration? Did you wait 15 minutes for the configuration to take effect or force it immediately? |
Beta Was this translation helpful? Give feedback.
-
|
I did it in a wrong way, now it's working. Now it would be convenient for me to have the hostnames too, should I create another thread? |
Beta Was this translation helpful? Give feedback.
-
Yes, please start a new discussion with appropriate title. |
Beta Was this translation helpful? Give feedback.
-
|
The only reliable source for MAC Addresses would be the dhcp log. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I'm starting to use Security-Onion (2.4.130) and I wanted to ask you if, and if so how, it is possible to view, in addition to the IPs, also the MAC addresses, especially in the Alerts windows.
Beta Was this translation helpful? Give feedback.
All reactions