module Roam;

export
	{
	# Lifetime of an observed MAC <-> IP alias. Both tables below use it as
	# their read-expiry interval, so an entry is dropped this long after it
	# was last accessed; sites can change it with redef.
	const alias_expiration = 1 day &redef;

	# IP address -> the MAC address recorded for it.
	# &synchronized shares updates with peer Bro instances.
	global ip_to_mac: table[addr] of string &read_expire = alias_expiration &synchronized;

	# MAC address -> every IP address recorded for it.
	# NOTE(review): both tables are filled from DHCP ACKs and ARP replies,
	# neither of which is authenticated, so entries record what was seen on
	# the wire rather than verified ownership of an address.
	global mac_to_ip: table[string] of set[addr] &read_expire = alias_expiration &synchronized;
	}
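# Learn MAC <-> IP aliases from DHCP ACKs by pairing the address the server
# hands out (yiaddr) with the client hardware address (h_addr).
event DHCP::dhcp_ack(c: connection, msg: dhcp_msg, mask: addr,
                     router: dhcp_router_list, lease: interval, serv_addr: addr)
	{
	local ip = msg$yiaddr;
	local mac = msg$h_addr;

	# An ACK answering a DHCPINFORM assigns no address and leaves yiaddr
	# unset (RFC 2131, section 4.3.5). Recording it would tie 0.0.0.0 to
	# whichever client was seen first and add it to every such client's set.
	if ( ip == 0.0.0.0 )
		return;

	# First mapping wins: an existing entry for this IP is left untouched.
	# NOTE(review): if the IP is re-leased to a different MAC before the
	# entry expires, ip_to_mac keeps the old MAC while mac_to_ip gains the
	# new pair, so the two tables can disagree. The lease argument is not
	# consulted here -- confirm whether expiry should follow it.
	if ( ip !in ip_to_mac )
		ip_to_mac[ip] = mac;

	# Create the per-MAC address set on first sight, then record the IP.
	if ( mac !in mac_to_ip )
		mac_to_ip[mac] = set() &mergeable;

	add mac_to_ip[mac][ip];
	}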
# Learn MAC <-> IP aliases from ARP replies by pairing the sender protocol
# address (SPA) with the source MAC of the frame that carried the reply.
event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
                TPA: addr, THA: string)
	{
	# NOTE(review): the link-layer source (mac_src) is what gets recorded;
	# the sender hardware address inside the ARP payload (SHA) is never
	# compared with it. ARP replies are unauthenticated, so a reply whose
	# SHA differs from mac_src, or a MAC that gathers many IPs within the
	# expiry window, is worth surfacing to an analyst rather than silently
	# folding into the tables -- confirm whether a notice is raised elsewhere.

	# First mapping wins: an IP that already has an entry keeps its MAC.
	if ( SPA !in ip_to_mac )
		ip_to_mac[SPA] = mac_src;

	# Create the per-MAC address set on first sight, then record the IP.
	if ( mac_src !in mac_to_ip )
		mac_to_ip[mac_src] = set() &mergeable;

	add mac_to_ip[mac_src][SPA];
	}