base/bif/plugins/Bro_ARP.events.bif.bro¶
-
GLOBAL¶
| Namespace: | GLOBAL |
|---|---|
| Source File: | /scripts/base/bif/plugins/Bro_ARP.events.bif.bro |
Summary¶
Detailed Interface¶
Events¶
-
arp_reply¶ Type: event(mac_src:string, mac_dst:string, SPA:addr, SHA:string, TPA:addr, THA:string)Generated for ARP replies.
See Wikipedia for more information about the ARP protocol.
Mac_src: The reply’s source MAC address. Mac_dst: The reply’s destination MAC address. SPA: The sender protocol address. SHA: The sender hardware address. TPA: The target protocol address. THA: The target hardware address. See also:
arp_request,bad_arp
-
arp_request¶ Type: event(mac_src:string, mac_dst:string, SPA:addr, SHA:string, TPA:addr, THA:string)Generated for ARP requests.
See Wikipedia for more information about the ARP protocol.
Mac_src: The request’s source MAC address. Mac_dst: The request’s destination MAC address. SPA: The sender protocol address. SHA: The sender hardware address. TPA: The target protocol address. THA: The target hardware address.
-
bad_arp¶ Type: event(SPA:addr, SHA:string, TPA:addr, THA:string, explanation:string)Generated for ARP packets that Bro cannot interpret. Examples are packets with non-standard hardware address formats or hardware addresses that do not match the originator of the packet.
SPA: The sender protocol address. SHA: The sender hardware address. TPA: The target protocol address. THA: The target hardware address. Explanation: A short description of why the ARP packet is considered “bad”. See also:
arp_reply,arp_requestTodo
Bro’s current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature.
Copyright 2016, The Bro Project.
Last updated on December 19, 2018.
Created using Sphinx 1.8.2.