"client_id":"54:ee:75:51:e0:66",
"dns_servers":["192.168.1.50","192.168.1.49"]
}
+
+Event type: ARP
+---------------
+
+Fields
+~~~~~~
+
+* "hw_type": network link protocol type
+* "proto_type": internetwork protocol for which the request is intended
+* "opcode": operation that the sender is performing (e.g. request, response)
+* "src_mac": source MAC address
+* "src_ip": source IP address
+* "dest_mac": destination MAC address
+* "dest_ip": destination IP address
+
+Examples
+~~~~~~~~
+
+Example of ARP logging: request and response
+
+::
+
+ "arp": {
+ "hw_type": "ethernet",
+ "proto_type": "ipv4",
+ "opcode": "request",
+ "src_mac": "00:1a:6b:6c:0c:cc",
+ "src_ip": "10.10.10.2",
+ "dest_mac": "00:00:00:00:00:00",
+ "dest_ip": "10.10.10.1"
+ }
+
+::
+
+ "arp": {
+ "hw_type": "ethernet",
+ "proto_type": "ipv4",
+ "opcode": "reply",
+ "src_mac": "00:1a:6b:6c:0c:cc",
+ "src_ip": "10.10.10.2",
+ "dest_mac": "00:1d:09:f0:92:ab",
+ "dest_ip": "10.10.10.1"
+ }
+
By using ``custom`` it is possible to select which TLS fields to log.
+ARP
+~~~
+
+ARP records are logged as one entry for the request, and one entry for
+the response.
+
+YAML::
+
+ - arp:
+ enabled: no
+
+The logger is disabled by default since ARP can generate a large
+number of events.
+
Drops
~~~~~
- SDP parser and logger have been introduced.
Due to SDP being encapsulated within other protocols, such as SIP, they cannot be directly enabled or disabled.
Instead, both the SDP parser and logger depend on being invoked by another parser (or logger).
+- ARP decoder and logger have been introduced.
+ Since ARP can be quite verbose and produce many events, the logger is disabled by default.
Upgrading 6.0 to 7.0
--------------------
projects / thirdparty / suricata.git / commitdiff
