[netsa-tools-discuss] MAC Address

Mark Thomas mthomas at cert.org
Wed Oct 21 13:54:34 EDT 2015


The correct and difficult answer is to

* add two new fields to the SiLK Flow record and write the macros
  and functions required to get and set those fields
  (src/libsilk/rwrec.h)

* modify the IPFIX to SiLK flow record conversion code to populate
  those two fields (src/libflowsource/skipfix.c)

* ensure those fields are properly stored into and read from SiLK
  Flow files (src/libsilk/rwipv6routingio.c)

* ensure the tools you care about (rwfilter, rwcut, rwuniq, ...)
  know how to work with those fields (primarily the application
  directories, but also files in src/libsilk).


A quicker and dirtier answer is to hijack the next-hop IP field on
the SiLK Flow record and store the MAC addresses in there.  For this
solution, you only need to modify the IPFIX to SiLK Flow record
conversion code.

Change the code in skipfix.c near line 1980 so that each SiLK Flow
record is always created as if it contains IPv6 addresses.

Change the line that sets the "NhIPv6" field of a SiLK flow record
to use a 16-byte array comprised of the source and destination MAC
addresses.

Whenever you need to access the MAC addresses from the SiLK tools,
use the next hop IP field.

-Mark

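As an added illustration of the quick-and-dirty approach above (this is not code from SiLK or from the message itself): two 6-byte MAC addresses are packed into the 16 bytes of the hijacked next-hop field and recovered again. The byte layout (source MAC, destination MAC, four zero bytes), the function names, and the hextet printer are my own assumptions; the real NhIPv6 setter in skipfix.c is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN  6
#define NHIP_LEN 16   /* width of the NhIPv6 field being reused for MACs */

/* Hypothetical layout: [src MAC (6)] [dst MAC (6)] [zero padding (4)]. */
static void mac_pair_pack(const uint8_t *src, const uint8_t *dst, uint8_t *out)
{
    memset(out, 0, NHIP_LEN);
    memcpy(out, src, MAC_LEN);
    memcpy(out + MAC_LEN, dst, MAC_LEN);
}

/* Inverse of mac_pair_pack. Returns 0 on success, -1 if the padding is
 * non-zero, i.e. the field holds a genuine IPv6 next hop rather than MACs. */
static int mac_pair_unpack(const uint8_t *in, uint8_t *src, uint8_t *dst)
{
    static const uint8_t zero[NHIP_LEN - 2 * MAC_LEN] = {0};
    if (memcmp(in + 2 * MAC_LEN, zero, sizeof zero) != 0)
        return -1;
    memcpy(src, in, MAC_LEN);
    memcpy(dst, in + MAC_LEN, MAC_LEN);
    return 0;
}

/* Render the 16 bytes as eight uncompressed hextets, which is roughly how a
 * tool printing the "next hop" will show the packed MACs. buf needs >= 40 bytes. */
static void nhip_to_hextets(const uint8_t *in, char *buf, size_t buflen)
{
    size_t off = 0;
    for (int i = 0; i < NHIP_LEN && off < buflen; i += 2)
        off += (size_t)snprintf(buf + off, buflen - off, "%02x%02x%s",
                                in[i], in[i + 1], (i + 2 < NHIP_LEN) ? ":" : "");
}

/* Round trip on constructed sample MACs; returns 1 when pack/unpack/print agree. */
static int mac_roundtrip_ok(void)
{
    const uint8_t src[MAC_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t dst[MAC_LEN] = {0x66, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    uint8_t nhip[NHIP_LEN], s2[MAC_LEN], d2[MAC_LEN];
    char text[40];

    mac_pair_pack(src, dst, nhip);
    if (mac_pair_unpack(nhip, s2, d2) != 0) return 0;
    nhip_to_hextets(nhip, text, sizeof text);
    return memcmp(src, s2, MAC_LEN) == 0 && memcmp(dst, d2, MAC_LEN) == 0 &&
           strcmp(text, "0011:2233:4455:66aa:bbcc:ddee:0000:0000") == 0;
}
```

The non-zero padding check in mac_pair_unpack is what lets a reader of the files tell a repurposed record from one that still carries a real IPv6 next hop.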

-----Original Message-----
From: Clifford Kemp <ckemp at irsc.edu>
Date: Tue, 20 Oct 2015 15:27:02 -0400
To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] MAC Address

I am researching (Ph.D.) various network attacks using data mining
to identify patterns for these attacks.  I am currently looking at
arp poisoning leading to man-in-the-middle attacks and would like to
include source and destination MAC addresses in my flow records as
two of the fields.

What is the best approach to do this?

Thank you,

Cliff Kemp, GCED
Instructor
Advanced Technology Division
Computer Science Department
Indian River State College
