Chapter 6 What is the MAC address of the system being monitored?

6.1 Objects in memory/packages loaded from preceding chapters

Objects available:

  • read_zeek_log() — helper function to read Zeek log files (Chapter 3)
  • packets — data frame of PCAP packet data (Chapter 4)
  • conn — Zeek conn.log data (Chapter 5)


Packages loaded:

  • {tidyverse}

6.2 Question Setup

In this quest, we’ve been tasked with identifying the MAC address of the system being monitored. (NOTE: from Chapter 4 we already know which IP address belongs to the system being monitored, so that is what we filter on here.) MAC addresses are the addresses assigned to the network interface hardware; the first three octets (the OUI) identify the manufacturer, which makes them useful in identifying system types. While these addresses can be forged, they are still useful (especially so if an analysis can determine that one or more MAC addresses were indeed spoofed), and it is good to have an understanding of how to work with them in an analysis.

6.3 Solving the quest with tshark

We can limit the output fields tshark displays with the -T fields option, naming each field we want with a separate -e FIELD-NAME option.

The source MAC address is in the eth.src field. The command below also adds frame.number == 1 to the display filter so that only a single frame is printed. That works here only because the first frame in the capture happens to come from the monitored system; in general you would drop that clause and instead deduplicate the output (for example by piping it through sort -u), since an IP address seen with more than one source MAC is itself something you want to notice rather than hide:

system("tshark -r maze/maze.pcapng -nn -e ip.src -e eth.src -Tfields '(ip.src == and (frame.number == 1)'", intern=TRUE)
## [1] "\tc8:09:a8:57:47:93"

6.4 Solving the quest with R and Zeek’s conn.log

Remember back when we made sure that Zeek included MAC addresses when it generated log files (by loading the policy/protocols/conn/mac-logging script)? This question is one reason we did that. The conn data frame has orig_l2_addr and resp_l2_addr columns holding the link-layer (MAC) addresses of the connection originator and responder respectively.

We can perform another, similar filter to find the MAC address for the target. Two equivalent ways are shown: the first returns a one-column tibble, the second reduces the result to a plain character vector:

conn %>% 
  filter(id.orig_h == "") %>%    # our target's IP address
  distinct(orig_l2_addr)         # one row per distinct source MAC seen for it
## # A tibble: 1 x 1
##   orig_l2_addr     
##   <chr>            
## 1 c8:09:a8:57:47:93
conn |>
  subset(
    id.orig_h == "",             # our target
    select = orig_l2_addr,       # select the MAC address field
    drop = TRUE                  # reduce the output to a vector
  ) |>
  unique()                       # collapse repeated rows to the distinct MAC(s)
## [1] "c8:09:a8:57:47:93"
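As an added example (not code from the original chapter), here is how the same lookup generalises once you stop assuming there is exactly one answer. It pairs every IP address in a conn-style data frame with every MAC it was seen using, in both directions of the connection, pulls the MAC(s) for one target, and flags any IP that turns up with more than one MAC, which is the check you want before trusting a MAC that might have been spoofed. The conn_sample rows are constructed for illustration and are not from the maze capture; the helper name mac_for_host is mine.

```r
library(tidyverse)

# Constructed sample in the shape of a Zeek conn.log loaded with the
# mac-logging policy. These rows are made up for illustration and are not
# from the maze capture; only the columns needed here are included.
conn_sample <- tribble(
  ~id.orig_h,     ~orig_l2_addr,       ~id.resp_h, ~resp_l2_addr,
  "192.168.1.10", "c8:09:a8:57:47:93", "10.0.0.5", "00:50:56:aa:bb:cc",
  "192.168.1.10", "c8:09:a8:57:47:93", "10.0.0.8", "00:50:56:aa:bb:cc",
  "192.168.1.20", "00:0c:29:11:22:33", "10.0.0.5", "00:50:56:aa:bb:cc",
  "192.168.1.20", "de:ad:be:ef:00:01", "10.0.0.5", "00:50:56:aa:bb:cc"
)

# Every IP paired with every MAC it was seen using, whether it was the
# originator or the responder of the connection.
host_macs <- bind_rows(
  conn_sample |> select(ip = id.orig_h, mac = orig_l2_addr),
  conn_sample |> select(ip = id.resp_h, mac = resp_l2_addr)
) |>
  distinct() |>
  mutate(oui = str_to_upper(str_sub(mac, 1, 8)))  # first three octets = vendor OUI

# MAC(s) for a single target; hypothetical helper, generalises the
# one-off filter() used in the chapter.
mac_for_host <- function(hosts, target_ip) {
  hosts |>
    filter(ip == target_ip) |>
    pull(mac)
}

# An IP that shows up with more than one MAC inside one capture deserves a
# second look: possible spoofing, a VM or NIC change, or a proxy-ARP/router
# artefact. Surface those instead of silently taking the first MAC.
suspicious <- host_macs |>
  group_by(ip) |>
  summarise(
    n_macs = n_distinct(mac),
    macs   = paste(sort(mac), collapse = ", "),
    .groups = "drop"
  ) |>
  filter(n_macs > 1)

mac_for_host(host_macs, "192.168.1.10")
suspicious
```

With the constructed rows, the target 192.168.1.10 resolves to a single MAC, while 192.168.1.20 is reported in suspicious because it appears with two different source MACs. Run against the real conn data frame, substitute conn for conn_sample and the target IP from Chapter 4 for the sample address.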