[ https://issues.apache.org/jira/browse/METRON-854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15969037#comment-15969037 ]

Bas van de Lustgraaf edited comment on METRON-854 at 4/14/17 7:14 PM:
----------------------------------------------------------------------

I've already done some work on this. So far I've parsed the input to the 
following output:

{noformat}
{
   "mac_src_addr":"b8:ca:3a:67:95:8a",
   "op":"BOOTPREQUEST",
   "mac_dst_addr":"0:50:56:84:68:43",
   "giaddr":"172.20.75.8",
   "yiaddr":"0.0.0.0",
   "source.type":"dhcpdump",
   "client_identifier":"01:fc:f8:ae:e8:ef:db",
   "ciaddr":"172.20.75.77",
   "ip_dst_addr":"172.20.1.11",
   "original_string":"TIME: 2017-01-16 17:39:36.581|INTERFACE: eth2|OP:1 
BOOTPREQUEST|CIADDR: 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 
172.20.75.8|CHADDR: fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION:  53 
  1 DHCP message type: 8 |DHCPINFORM|OPTION:  61   7 Client-identifier: 
01:fc:f8:ae:e8:ef:db|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor 
class identifier: MSFT 5.0|OPTION:  55  13 Parameter Request List:   1 (Subnet 
mask)|| 15 (Domainname)||  3 (Routers)||  6 (DNS server)|| 44 (NetBIOS name 
server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 (Perform router 
discovery)|| 33 (Static route)||121 (Classless Static Route)||249 (MSFT - 
Classless route)|| 43 (Vendor specific info)||252 (MSFT - WinSock Proxy Auto 
Detect)|||IP: 10.10.10.177 > 172.20.1.11 | b8:ca:3a:67:95:8a > 
0:50:56:84:68:43",
   "siaddr":"0.0.0.0",
   "time":"2017-01-16 17:39:36.581",
   "ip_src_addr":"10.10.10.177",
   "host_name":"Q1244",
   "timestamp":1484584776581
}
{noformat}

I'll see if I can commit the parser to my Metron fork and create a PR a.s.a.p.


was (Author: bas_vdl):
I've already done some work on this. So far I've parsed the input to the 
following output:

{noformat}
{
   "mac_src_addr":"b8:ca:3a:67:95:8a",
   "op":"BOOTPREQUEST",
   "mac_dst_addr":"0:50:56:84:68:43",
   "giaddr":"172.20.75.8",
   "yiaddr":"0.0.0.0",
   "source.type":"dhcpdump",
   "client_identifier":"01:fc:f8:ae:e8:ef:db",
   "ciaddr":"172.20.75.77",
   "ip_dst_addr":"172.20.1.11",
   "original_string":"TIME: 2017-01-16 17:39:36.581|INTERFACE: eth2|OP:1 
BOOTPREQUEST|CIADDR: 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 
172.20.75.8|CHADDR: fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION:  53 
  1 DHCP message type: 8 |DHCPINFORM|OPTION:  61   7 Client-identifier: 
01:fc:f8:ae:e8:ef:db|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor 
class identifier: MSFT 5.0|OPTION:  55  13 Parameter Request List:   1 (Subnet 
mask)|| 15 (Domainname)||  3 (Routers)||  6 (DNS server)|| 44 (NetBIOS name 
server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 (Perform router 
discovery)|| 33 (Static route)||121 (Classless Static Route)||249 (MSFT - 
Classless route)|| 43 (Vendor specific info)||252 (MSFT - WinSock Proxy Auto 
Detect)|||IP: 10.10.10.177 > 172.20.1.11 | b8:ca:3a:67:95:8a > 
0:50:56:84:68:43",
   "siaddr":"0.0.0.0",
   "time":"2017-01-16 17:39:36.581",
   "ip_src_addr":"100.100.100.177",
   "host_name":"A1244",
   "timestamp":1484584776581
}
{noformat}

I'll see if I can commit the parser to my Metron fork and create a PR a.s.a.p.

> Create DHCPDump Parser
> ----------------------
>
>                 Key: METRON-854
>                 URL: https://issues.apache.org/jira/browse/METRON-854
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Bas van de Lustgraaf
>            Priority: Minor
>              Labels: parser
>
> Create a DHCPDump parser. This information can be used during enrichment to 
> link ip-addresses to hostnames.
> {noformat}
> TIME: 2017-01-16 16:54:21.655|INTERFACE: eth2|OP:1 BOOTPREQUEST|CIADDR: 
> 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|CHADDR: 
> fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION:  53   1 DHCP message 
> type: 8 |DHCPINFORM|OPTION:  61   7 Client-identifier: 
> 01:fc:f8:ae:e8:ef:db|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor 
> class identifier: MSFT 5.0|OPTION:  55  13 Parameter Request List:   1 
> (Subnet mask)|| 15 (Domainname)||  3 (Routers)||  6 (DNS server)|| 44 
> (NetBIOS name server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 
> (Perform router discovery)|| 33 (Static route)||121 (Classless Static 
> Route)||249 (MSFT - Classless route)|| 43 (Vendor specific info)||252 (MSFT - 
> WinSock Proxy Auto Detect)|||IP: 10.10.10.177 > 172.20.1.11 | 
> b8:ca:3a:67:95:8a > 0:50:56:84:68:43
> TIME: 2017-01-16 17:13:14.548|INTERFACE: eth2|OP:1 BOOTPREQUEST|CIADDR: 
> 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|CHADDR: 
> fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|OPTION:  53   1 DHCP message 
> type: 8 |DHCPINFORM|OPTION:  61   7 Client-identifier: 
> 01:fc:f8:ae:e8:ef:db|OPTION:  12   5 Host name: Q1244|OPTION:  60   8 Vendor 
> class identifier: MSFT 5.0|OPTION:  55  13 Parameter Request List:   1 
> (Subnet mask)|| 15 (Domainname)||  3 (Routers)||  6 (DNS server)|| 44 
> (NetBIOS name server)|| 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 
> (Perform router discovery)|| 33 (Static route)||121 (Classless Static 
> Route)||249 (MSFT - Classless route)|| 43 (Vendor specific info)||252 (MSFT - 
> WinSock Proxy Auto Detect)|||IP: 10.10.10.177 > 172.20.1.10 | 
> b8:ca:3a:67:95:8a > 0:50:56:b9:28:ac
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
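The comment above shows the parsed output but not how the dhcpdump record is taken apart. The Python below is an added example, not Bas's parser and not Metron code (a Metron parser would be a Java class in the metron-parsers module). It consumes the first record from the issue description, which arrives with dhcpdump's original newlines turned into '|', and produces the same fields the comment's JSON uses (op, ciaddr, giaddr, client_identifier, host_name, ip_src_addr, mac_src_addr, timestamp, ...). The extra fields interface, vendor_class, dhcp_message_type_name, parameter_request_list and prl_declared_length are names chosen here. The utc_offset_hours parameter is also an assumption: dhcpdump's TIME field carries no zone, and the comment's timestamp 1484584776581 for 17:39:36.581 is the value you get when that wall-clock time is read as UTC+1, so a deployment has to tell the parser which zone the sensor clock is in or every DHCP event lands an hour off when correlated with other sources.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample record taken from the METRON-854 description (first dhcpdump line).
# dhcpdump prints one field per line; here the newlines have become '|', so an
# empty original line shows up as '||' and the IP/MAC trailer follows '|||'.
SAMPLE = (
    "TIME: 2017-01-16 16:54:21.655|INTERFACE: eth2|OP:1 BOOTPREQUEST|"
    "CIADDR: 172.20.75.77|YIADDR: 0.0.0.0|SIADDR: 0.0.0.0|GIADDR: 172.20.75.8|"
    "CHADDR: fc:f8:ae:e8:ef:db:00:00:00:00:00:00:00:00:00:00|"
    "OPTION:  53   1 DHCP message type: 8 |DHCPINFORM|"
    "OPTION:  61   7 Client-identifier: 01:fc:f8:ae:e8:ef:db|"
    "OPTION:  12   5 Host name: Q1244|"
    "OPTION:  60   8 Vendor class identifier: MSFT 5.0|"
    "OPTION:  55  13 Parameter Request List:   1 (Subnet mask)|| 15 (Domainname)||"
    "  3 (Routers)||  6 (DNS server)|| 44 (NetBIOS name server)||"
    " 46 (NetBIOS node type)|| 47 (NetBIOS scope)|| 31 (Perform router discovery)||"
    " 33 (Static route)||121 (Classless Static Route)||249 (MSFT - Classless route)||"
    " 43 (Vendor specific info)||252 (MSFT - WinSock Proxy Auto Detect)|||"
    "IP: 10.10.10.177 > 172.20.1.11 | b8:ca:3a:67:95:8a > 0:50:56:84:68:43"
)

# Fixed BOOTP header fields, mapped to the output names used in the comment
# ("interface" is a name chosen here).
HEADER_FIELDS = {"TIME": "time", "INTERFACE": "interface", "CIADDR": "ciaddr",
                 "YIADDR": "yiaddr", "SIADDR": "siaddr", "GIADDR": "giaddr",
                 "CHADDR": "chaddr"}
# DHCP options promoted to top-level fields (vendor_class is a name chosen here).
PROMOTED_OPTIONS = {12: "host_name", 60: "vendor_class", 61: "client_identifier"}

OP_RE = re.compile(r"^OP:\s*(\d+)\s+(\w+)")
# OPTION: <code> <length> <name>: <value>
OPTION_RE = re.compile(r"^OPTION:\s*(\d+)\s+(\d+)\s+([^:]+):\s*(.*?)\s*$")
PRL_ITEM_RE = re.compile(r"^(\d+)\s+\((.*)\)$")          # "15 (Domainname)"
IP_RE = re.compile(r"^IP:\s*(\S+)\s*>\s*(\S+)")
MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"              # dhcpdump drops leading zeros
MAC_PAIR_RE = re.compile(rf"^({MAC})\s*>\s*({MAC})$", re.I)


def to_epoch_millis(time_str, utc_offset_hours=0):
    """Convert dhcpdump's zone-less TIME to epoch milliseconds.

    The caller must supply the sensor's UTC offset (assumed parameter); the
    timedelta floor-division keeps the result an exact integer."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    dt = datetime.strptime(time_str, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=tz)
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (dt - epoch) // timedelta(milliseconds=1)


def parse_dhcpdump(line, utc_offset_hours=0):
    out = {"original_string": line, "source.type": "dhcpdump", "options": {}}
    prl = []                    # option 55 codes, one per original dhcpdump line
    expect_type_name = False    # option 53's symbolic name sits on its own line
    for raw in line.split("|"):
        tok = raw.strip()
        if not tok:
            continue            # '||' and '|||' produce empty tokens
        if expect_type_name:
            out["dhcp_message_type_name"] = tok   # e.g. DHCPINFORM
            expect_type_name = False
            continue
        key, sep, value = tok.partition(":")
        if sep and key in HEADER_FIELDS:
            out[HEADER_FIELDS[key]] = value.strip()
        elif key == "OP":
            m = OP_RE.match(tok)
            if m:
                out["op"] = m.group(2)
        elif key == "OPTION":
            m = OPTION_RE.match(tok)
            if not m:
                continue
            code, length, val = int(m.group(1)), int(m.group(2)), m.group(4)
            out["options"][code] = val
            if code == 53:
                expect_type_name = True
            elif code == 55:
                out["prl_declared_length"] = length
                item = PRL_ITEM_RE.match(val)   # first requested code is inline
                if item:
                    prl.append(int(item.group(1)))
            elif code in PROMOTED_OPTIONS:
                out[PROMOTED_OPTIONS[code]] = val
        elif key == "IP":
            m = IP_RE.match(tok)
            if m:
                out["ip_src_addr"], out["ip_dst_addr"] = m.groups()
        else:
            m = MAC_PAIR_RE.match(tok)
            if m:
                out["mac_src_addr"], out["mac_dst_addr"] = m.groups()
                continue
            item = PRL_ITEM_RE.match(tok)      # remaining option 55 entries
            if item:
                prl.append(int(item.group(1)))
    if prl:
        out["parameter_request_list"] = prl
    if "time" in out:
        out["timestamp"] = to_epoch_millis(out["time"], utc_offset_hours)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(parse_dhcpdump(SAMPLE, utc_offset_hours=1), indent=2))
```

Comparing the declared length of option 55 with the number of codes actually collected is a cheap sanity check that the '|' joining did not swallow a line; for the sample both are 13.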