Chapter 6 What is the MAC address of the system being monitored?
6.1 Objects in memory/packages loaded from preceding chapters
Objects available:
- read_zeek_log() — helper function to read Zeek log files (Chapter 3)
- packets — data frame of PCAP packet data (Chapter 4)
- conn — Zeek conn.log data (Chapter 5)
Packages:
{tidyverse}
6.2 Question Setup
In this quest, we’ve been tasked with identifying the MAC address of the system being monitored. (NOTE: From Chapter 4 we know the system being monitored is 192.168.1.26.) MAC addresses are the layer 2 addresses assigned to network interface hardware, and the vendor prefix (the first three octets, the OUI) can help identify the type of system. They can be forged, but they are still useful, especially when an analysis can show that one or more MAC addresses were indeed spoofed, so it is good to know how to work with them. One caveat to keep in mind: a capture only sees the MAC addresses of hosts on its own Ethernet segment. Traffic to or from a host on the far side of a router carries the router’s interface MAC, not the remote host’s.
6.3 Solving the quest with tshark
We can limit the output fields tshark displays via the -Tfields option and specifying the fields we want by adding -e FIELD-NAME options.
The source MAC address is the eth.src field. To keep the output to a single line we add a second display-filter term, frame.number == 1, which selects the first frame of the capture. That works here only because frame 1 happens to originate from 192.168.1.26; if it did not, the filter would match nothing. A filter on ip.src alone, with duplicate lines removed afterwards, gives the same answer without that assumption.

```r
system(
  "tshark -r maze/maze.pcapng -nn -e ip.src -e eth.src -Tfields '(ip.src == 192.168.1.26) and (frame.number == 1)'",
  intern = TRUE
)
## [1] "192.168.1.26\tc8:09:a8:57:47:93"
```
6.4 Solving the quest with R and Zeek’s conn.log
Remember back when we made sure that Zeek included MAC addresses when it generated log files? This question is one reason we did that. The conn data frame has orig_l2_addr and resp_l2_addr columns for the source and destination MAC addresses.
We can perform another, similar filter to find out the MAC address for the target:
```r
conn %>%
  filter(id.orig_h == "192.168.1.26") %>%
  distinct(orig_l2_addr)
## # A tibble: 1 x 1
##   orig_l2_addr
##   <chr>
## 1 c8:09:a8:57:47:93
```
The same lookup in base R, using subset() with drop = TRUE so the result is a plain character vector rather than a one-column data frame:

```r
conn |>
  subset(
    id.orig_h == "192.168.1.26", # our target
    select = orig_l2_addr,       # select the MAC address field
    drop = TRUE                  # reduce the output to a vector
  ) |>
  unique()
## [1] "c8:09:a8:57:47:93"
```
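Section 6.2 mentions that MAC addresses are most useful when an analysis can show they were spoofed. The lookup above answers the quest for one host; the following code, an added example rather than part of the original chapter, turns the same two columns into a small consistency check across every host in the log. It assumes the conn data frame shape from Chapter 5 (id.orig_h, id.resp_h, orig_l2_addr, resp_l2_addr); conn_sample is constructed for the example with invented MAC addresses, and on the real data you would pass the conn object to the two functions instead.

```r
library(tidyverse)

# Constructed sample rows in the shape of the book's `conn` data frame
# (only the columns needed here). The MAC addresses are invented, except
# that the monitored host keeps the address found above so the sample
# stays consistent with the chapter. 192.168.1.40 deliberately appears
# with two different source MACs.
conn_sample <- tibble::tribble(
  ~ts, ~id.orig_h,     ~id.resp_h,     ~orig_l2_addr,       ~resp_l2_addr,
  1.0, "192.168.1.26", "192.168.1.1",  "c8:09:a8:57:47:93", "00:11:22:33:44:01",
  2.0, "192.168.1.26", "10.0.0.5",     "c8:09:a8:57:47:93", "00:11:22:33:44:01",
  3.0, "192.168.1.40", "192.168.1.26", "00:aa:bb:cc:dd:01", "c8:09:a8:57:47:93",
  4.0, "192.168.1.40", "192.168.1.1",  "00:aa:bb:cc:dd:02", "00:11:22:33:44:01",
  5.0, "192.168.1.1",  "192.168.1.26", "00:11:22:33:44:01", "c8:09:a8:57:47:93"
)

# One (ip, mac) observation per connection direction, with a count of how
# many connections carried that pairing. Rows whose MAC is missing (Zeek's
# "-" placeholder, read as NA) are dropped.
ip_mac_pairs <- function(conn_df) {
  bind_rows(
    conn_df %>% select(ip = id.orig_h, mac = orig_l2_addr),
    conn_df %>% select(ip = id.resp_h, mac = resp_l2_addr)
  ) %>%
    filter(!is.na(mac)) %>%
    count(ip, mac, name = "conns")
}

# Hosts seen with more than one MAC address. These are spoofing candidates,
# but DHCP lease churn or a host that changed NICs produce the same pattern,
# so check timing (ts) before calling it spoofing.
multi_mac_hosts <- function(conn_df) {
  ip_mac_pairs(conn_df) %>%
    group_by(ip) %>%
    filter(n_distinct(mac) > 1) %>%
    arrange(ip, desc(conns)) %>%
    ungroup()
}

# The converse view: one MAC fronting several IPs. In a routed capture this
# is normally the gateway's interface, since every off-segment peer is reached
# through it, so treat it as context rather than as an alert.
multi_ip_macs <- function(conn_df) {
  ip_mac_pairs(conn_df) %>%
    group_by(mac) %>%
    filter(n_distinct(ip) > 1) %>%
    summarise(ips = paste(sort(unique(ip)), collapse = ", "), .groups = "drop")
}

multi_mac_hosts(conn_sample)
multi_ip_macs(conn_sample)
```

On the sample, multi_mac_hosts() returns only 192.168.1.40 (two MACs, one connection each), while multi_ip_macs() returns the gateway MAC 00:11:22:33:44:01 paired with both 192.168.1.1 and the off-segment host 10.0.0.5, which is the routed-traffic caveat from 6.2 showing up in the data rather than a spoof.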