[jira] [Commented] (METRON-854) Create DHCPDump Parser

Tue, 25 Apr 2017 05:57:17 -0700 

    [ 
https://issues.apache.org/jira/browse/METRON-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15982843#comment-15982843
 ] 

ASF GitHub Bot commented on METRON-854:
---------------------------------------

Github user basvdl commented on the issue:

    https://github.com/apache/incubator-metron/pull/531
  
    I agree that using the original format is the preferred. Are we able to 
ship and parse the original multi line format and put the separate lines back 
together before or during the Metron parsing stage?
    
    To give you an idea of the output format of the original DHCPDump available 
on Ubuntu (https://launchpad.net/ubuntu/+source/dhcpdump/1.8-2).
    
    
[dhcpdump.log.txt](https://github.com/apache/incubator-metron/files/955083/dhcpdump.log.txt)



> Create DHCPDump Parser
> ----------------------
>
>                 Key: METRON-854
>                 URL: https://issues.apache.org/jira/browse/METRON-854
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Bas van de Lustgraaf
>            Priority: Minor
>              Labels: parser
>
> Create a DHCPDump parser. This information can be used during enrichment to 
> link ip-addresses to hostnames.
> {noformat}
> TIME: 2017-01-16 16:54:21.655|INTERFACE: eth2|OP:1 BOOTPREQUEST|CIADDR: 
> 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|CHADDR: 
> fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION:  53   1 DHCP message 
> type: 8 |DHCPINFORM|OPTION:  61   7 Client-identifier: 
> 01:fc:f8:ae:e8:ef:db|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor 
> class identifier: MSFT 5.0|OPTION:  55  13 Parameter Request List:   1 
> (Subnet mask)|| 15 (Domainname)||  3 (Routers)||  6 (DNS server)|| 44 
> (NetBIOS name server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 
> (Perform router discovery)|| 33 (Static route)||121 (Classless Static 
> Route)||249 (MSFT - Classless route)|| 43 (Vendor specific info)||252 (MSFT - 
> WinSock Proxy Auto Detect)|||IP: 10.10.10.177 > 172.20.1.11 | 
> b8:ca:3a:67:95:8a > 0:50:56:84:68:43
> TIME: 2017-01-16 17:13:14.548|INTERFACE: eth2|OP:1 BOOTPREQUEST|CIADDR: 
> 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|CHADDR: 
> fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION:  53   1 DHCP message 
> type: 8 |DHCPINFORM|OPTION:  61   7 Client-identifier: 
> 01:fc:f8:ae:e8:ef:db|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor 
> class identifier: MSFT 5.0|OPTION:  55  13 Parameter Request List:   1 
> (Subnet mask)|| 15 (Domainname)||  3 (Routers)||  6 (DNS server)|| 44 
> (NetBIOS name server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 
> (Perform router discovery)|| 33 (Static route)||121 (Classless Static 
> Route)||249 (MSFT - Classless route)|| 43 (Vendor specific info)||252 (MSFT - 
> WinSock Proxy Auto Detect)|||IP: 10.10.10.177 > 172.20.1.10 | 
> b8:ca:3a:67:95:8a > 0:50:56:b9:28:ac
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to