[ https://issues.apache.org/jira/browse/METRON-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16012288#comment-16012288 ]
ASF GitHub Bot commented on METRON-854:
---------------------------------------

Github user nickwallen commented on the issue:

https://github.com/apache/metron/pull/531

> If I'm correctly informed by the docs, bro will give you the IP and MAC relation, which differs from DHCPDump which captures IP and Hostname relations. Giving context to an IP by adding the Hostname looks more promising...

I am a little confused by what you are looking for though. But maybe I am just misunderstanding and need more coffee.

The purpose of DHCP is to hand out an IP that typically gets associated with a MAC address. That's the pairing I would be interested in from DHCP. [Bro can help with this.](https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html)

If you are looking for IP to hostname, then I would think you would be interested in DNS. [Bro can also help with this.](https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html)


> Create DHCPDump Parser
> ----------------------
>
> Key: METRON-854
> URL: https://issues.apache.org/jira/browse/METRON-854
> Project: Metron
> Issue Type: New Feature
> Reporter: Bas van de Lustgraaf
> Priority: Minor
> Labels: parser
>
> Create a DHCPDump parser. This information can be used during enrichment to
> link ip-addresses to hostnames.
> {noformat}
> TIME: 2017-01-16 16:54:21.655|INTERFACE: eth2|OP:1 BOOTPREQUEST|CIADDR:
> 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|CHADDR:
> fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION: 53 1 DHCP message
> type: 8 |DHCPINFORM|OPTION: 61 7 Client-identifier:
> 01:fc:f8:ae:e8:ef:db|OPTION: 12 5 Host name: Q1244|OPTION: 60 8 Vendor
> class identifier: MSFT 5.0|OPTION: 55 13 Parameter Request List: 1
> (Subnet mask)|| 15 (Domainname)|| 3 (Routers)|| 6 (DNS server)|| 44
> (NetBIOS name server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31
> (Perform router discovery)|| 33 (Static route)||121 (Classless Static
> Route)||249 (MSFT - Classless route)|| 43 (Vendor specific info)||252 (MSFT -
> WinSock Proxy Auto Detect)|||IP: 10.10.10.177 > 172.20.1.11 |
> b8:ca:3a:67:95:8a > 0:50:56:84:68:43
> TIME: 2017-01-16 17:13:14.548|INTERFACE: eth2|OP:1 BOOTPREQUEST|CIADDR:
> 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|CHADDR:
> fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION: 53 1 DHCP message
> type: 8 |DHCPINFORM|OPTION: 61 7 Client-identifier:
> 01:fc:f8:ae:e8:ef:db|OPTION: 12 5 Host name: Q1244|OPTION: 60 8 Vendor
> class identifier: MSFT 5.0|OPTION: 55 13 Parameter Request List: 1
> (Subnet mask)|| 15 (Domainname)|| 3 (Routers)|| 6 (DNS server)|| 44
> (NetBIOS name server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31
> (Perform router discovery)|| 33 (Static route)||121 (Classless Static
> Route)||249 (MSFT - Classless route)|| 43 (Vendor specific info)||252 (MSFT -
> WinSock Proxy Auto Detect)|||IP: 10.10.10.177 > 172.20.1.10 |
> b8:ca:3a:67:95:8a > 0:50:56:b9:28:ac
> {noformat}

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
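
The pipe-delimited record quoted in the issue, parsed into the IP/MAC/hostname triple that enrichment would consume. This is an added example in Python, not code from the issue, the pull request or Metron (whose parsers are Java). It assumes each record has been rejoined onto one line; `parse_dhcpdump` and the output keys are hypothetical names.

```python
import re

# Constructed sample modeled on the issue's record, rejoined onto one line with a
# shortened Parameter Request List; the exact spacing is an assumption.
SAMPLE = (
    "TIME: 2017-01-16 16:54:21.655|INTERFACE: eth2|OP:1 BOOTPREQUEST|"
    "CIADDR: 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|"
    "CHADDR: fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|"
    "OPTION: 53 1 DHCP message type: 8 |DHCPINFORM|"
    "OPTION: 61 7 Client-identifier: 01:fc:f8:ae:e8:ef:db|"
    "OPTION: 12 5 Host name: Q1244|OPTION: 60 8 Vendor class identifier: MSFT 5.0|"
    "OPTION: 55 13 Parameter Request List: 1 (Subnet mask)|| 15 (Domainname)|||"
    "IP: 10.10.10.177 > 172.20.1.11 | b8:ca:3a:67:95:8a > 0:50:56:84:68:43"
)

FIELD = re.compile(r"^(TIME|INTERFACE|OP|CIADDR|YIADDR|SIADDR|GIADDR|CHADDR):\s*(.*)$")
OPTION = re.compile(r"^OPTION:\s*(\d+)\s+(\d+)\s+([^:]+):\s*(.*)$")
# Option 12 is client-supplied, so only accept a conservative hostname alphabet.
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
IPV4 = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$")

def parse_dhcpdump(line):
    """Parse one pipe-delimited record into a flat dict (hypothetical field names)."""
    rec, opts = {}, {}
    for seg in line.split("|"):
        seg = seg.strip()
        m = FIELD.match(seg)
        if m:
            rec[m.group(1).lower()] = m.group(2).strip()
            continue
        m = OPTION.match(seg)
        if m:
            opts[int(m.group(1))] = m.group(4).strip()
    # CHADDR is a 16-byte field; an Ethernet MAC is its first 6 bytes.
    mac = ":".join(rec.get("chaddr", "").split(":")[:6]).lower()
    # YIADDR is set when a server assigns an address; otherwise fall back to CIADDR.
    ip = rec.get("yiaddr", "0.0.0.0")
    if ip == "0.0.0.0":
        ip = rec.get("ciaddr", "0.0.0.0")
    host = opts.get(12, "")
    return {
        "timestamp": rec.get("time"),
        "ip": ip if IPV4.match(ip) and ip != "0.0.0.0" else None,
        "mac": mac or None,
        "hostname": host if HOSTNAME.match(host) else None,
        "message_type": opts.get(53),
    }
```

Because the hostname in option 12 is chosen by the client, the parser drops values outside the hostname alphabet instead of passing them into enrichment.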