We recently added the MAC addresses to the event messages. The system gets the MAC addresses in two orthogonal ways:
- We sniff the MAC headers from the passive tap. If the MSS sees more than 5 IP addresses with the same MAC, it stops recording because it means you are mirroring the connection between the switch and the next routing hop (probably the firewall) where the MAC addresses are not available.
- We sniff DHCP lease messages when the IP is assigned dynamically. In order to do this, you probably need to instruct the switch to specifically mirror DHCP traffic in order for the sensor to process it. The sensor expects DHCP UDP traffic using the pcap expression udp and (port 68 or port 67).
Please contact us at firstname.lastname@example.org if you need help in setting up DHCP traffic monitoring.