policy/misc/known-devices.bro

Known

This script provides infrastructure for logging devices for which Bro has been able to determine the MAC address, and it logs them once per day (by default). The log that is output provides an easy way to determine a count of the devices in use on a network per day.

Note

This script will not generate any logs on its own, it needs to be supplied with information from elsewhere, such as policy/protocols/dhcp/known-devices-and-hostnames.bro.

Namespace:Known Source File:/scripts/policy/misc/known-devices.bro

Summary

State Variables

Known::known_devices: set &create_expire = 1.0 day &synchronized &redef

The set of all known MAC addresses.

Types

Known::DevicesInfo: record

The record type which contains the column fields of the known-devices log.

Redefinitions

Log::ID: enum

The known-hosts logging stream identifier.

Events

Known::log_known_devices: event

An event that can be handled to access the Known::DevicesInfo record as it is sent on to the logging framework.

Detailed Interface

State Variables

Known::known_devices

Type:set [string] Attributes:&create_expire = 1.0 day &synchronized &redef Default:{}

The set of all known MAC addresses. It can accessed from other scripts to add, and check for, addresses seen in use.

We maintain each entry for 24 hours by default so that the existence of individual addresses is logged each day.

Types

Known::DevicesInfo

Type:

record

ts: time &log

The timestamp at which the host was detected.

mac: string &log

The MAC address that was detected.

dhcp_host_name: string &log &optional

(present if policy/protocols/dhcp/known-devices-and-hostnames.bro is loaded)

The value of the DHCP host name option, if seen.

The record type which contains the column fields of the known-devices log.

Events

Known::log_known_devices

Type:event (rec: Known::DevicesInfo)

An event that can be handled to access the Known::DevicesInfo record as it is sent on to the logging framework.