Namespace: | GLOBAL |
---|---|
Source File: | /scripts/base/bif/plugins/Bro_ARP.events.bif.bro |
Type: | event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) |
---|
Generated for ARP replies.
See Wikipedia for more information about the ARP protocol.
Mac_src: | The reply’s source MAC address. |
---|---|
Mac_dst: | The reply’s destination MAC address. |
SPA: | The sender protocol address. |
SHA: | The sender hardware address. |
TPA: | The target protocol address. |
THA: | The target hardware address. |
See also: arp_request, bad_arp
Type: | event (mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) |
---|
Generated for ARP requests.
See Wikipedia for more information about the ARP protocol.
Mac_src: | The request’s source MAC address. |
---|---|
Mac_dst: | The request’s destination MAC address. |
SPA: | The sender protocol address. |
SHA: | The sender hardware address. |
TPA: | The target protocol address. |
THA: | The target hardware address. |
Type: | event (SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string) |
---|
Generated for ARP packets that Bro cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
SPA: | The sender protocol address. |
---|---|
SHA: | The sender hardware address. |
TPA: | The target protocol address. |
THA: | The target hardware address. |
Explanation: | A short description of why the ARP packet is considered “bad”. |
See also: arp_reply, arp_request
Todo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.