I am trying to set up a network tap between my router and devices to do some home monitoring stuff. Everything is working: I can see ingress and egress traffic being logged via Suricata and Zeek/Bro. The only issue is that in the logs, even though all the IPs are different with different hostnames, it's putting the same hostname for all devices, that of the mirrored traffic host (dell-optiplex).
Example:
192.168.0.10 - Dell-Optiplex-7040 <- All the mirrored traffic is going to this host, where I have Suricata and the ELK stack
192.168.0.1 - Router
192.168.0.2 - mac-xyz-hostname
192.168.0.3 - tv-hostname
...
192.168.0.20 - hostnameX
In my logs I see everything coming from Dell-Optiplex.
Interface eth0 is in promiscuous mode and is listening to the traffic on my Dell.
I tried editing the /etc/hosts file with custom entries, but no luck!
In my router and on pi-hole I can see the different hostnames.
PS: I checked the raw logs as well, before they are fed to Elasticsearch and Kibana, and I just see one hostname, so it's definitely not an issue with Elasticsearch/Kibana.
pi-hole DHCP screenshot
elasticsearch logs for hostnames screenshot
elasticsearch for ips screenshot
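An added example, not part of the question above and not code from Suricata, Zeek or Pi-hole: Suricata's EVE JSON records carry only IP addresses for the two endpoints, and the `host.name` field that Filebeat attaches is the name of the sensor box itself, which is why every record shows the mirroring host. Suricata does not consult /etc/hosts, so per-device names have to be joined in from a source that knows them, such as the DHCP lease table Pi-hole maintains (dnsmasq format: expiry, MAC, IP, hostname, client-id) plus any static entries. The script below does that join on `src_ip`/`dest_ip`, keeps the sensor name in its own field, and leaves unknown IPs untouched. All log lines, lease lines and hostnames are constructed samples, and the field names `src_hostname`, `dest_hostname` and `sensor` are my choice, not a Suricata convention.

```python
import json
import ipaddress

# Constructed sample: two EVE records after Filebeat added host.name (the sensor).
EVE_LINES = [
    '{"timestamp":"2021-01-01T10:00:00.000000+0000","event_type":"flow",'
    '"src_ip":"192.168.0.2","src_port":51000,"dest_ip":"93.184.216.34",'
    '"dest_port":443,"proto":"TCP","host":{"name":"dell-optiplex"}}',
    '{"timestamp":"2021-01-01T10:00:01.000000+0000","event_type":"dns",'
    '"src_ip":"192.168.0.3","src_port":40000,"dest_ip":"192.168.0.1",'
    '"dest_port":53,"proto":"UDP","host":{"name":"dell-optiplex"}}',
]

# Constructed dnsmasq-style lease file as written by Pi-hole's DHCP server:
# <expiry-epoch> <mac> <ip> <hostname> <client-id>   ('*' means no hostname)
LEASES_TEXT = """\
1609500000 aa:bb:cc:00:00:02 192.168.0.2 mac-xyz-hostname 01:aa:bb:cc:00:00:02
1609500000 aa:bb:cc:00:00:03 192.168.0.3 tv-hostname *
1609500000 aa:bb:cc:00:00:10 192.168.0.10 Dell-Optiplex-7040 *
1609500000 aa:bb:cc:00:00:11 192.168.0.11 * *
"""

# Constructed /etc/hosts-style text for devices that never take a DHCP lease.
HOSTS_TEXT = """\
127.0.0.1 localhost
# the router has a static address
192.168.0.1 router gateway.lan
"""


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_leases(text):
    """Map IP -> hostname from dnsmasq lease lines, skipping nameless leases."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ip, name = parts[2], parts[3]
        if name != "*" and _valid_ip(ip):
            mapping[ip] = name
    return mapping


def parse_hosts(text):
    """Map IP -> first (canonical) name from hosts-file lines; comments ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and _valid_ip(parts[0]):
            mapping[parts[0]] = parts[1]
    return mapping


def build_ip_map(leases_text, hosts_text):
    """Static hosts entries override DHCP leases for the same IP."""
    mapping = parse_leases(leases_text)
    mapping.update(parse_hosts(hosts_text))
    return mapping


def enrich(record, ip_map):
    """Add src_hostname/dest_hostname where known; move sensor name to 'sensor'."""
    rec = dict(record)
    for side in ("src", "dest"):
        name = ip_map.get(rec.get(f"{side}_ip"))
        if name:
            rec[f"{side}_hostname"] = name
    rec["sensor"] = rec.get("host", {}).get("name", "")
    return rec


def enrich_eve_lines(lines, leases_text, hosts_text):
    ip_map = build_ip_map(leases_text, hosts_text)
    return [enrich(json.loads(line), ip_map) for line in lines]


if __name__ == "__main__":
    for rec in enrich_eve_lines(EVE_LINES, LEASES_TEXT, HOSTS_TEXT):
        print(json.dumps(rec))
```

In a real pipeline the same join is usually done at ingest time (a Logstash `translate` filter or an Elasticsearch enrich processor keyed on the IP) rather than by a script, but the data flow is identical: the sensor's name stays in one field and the endpoint names come from the DHCP/static table, refreshed whenever leases change.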