<div dir="ltr">Hi,<div><br></div><div>event dns_end(c: connection, msg: dns_msg)<br>{<br>print "dns_end: -------------------------------";<br>print c$orig, c$resp, c$id, c$dns;<br>print "dns_end: -------------------------------";<br>}<br></div><div><br></div><div>Output:</div><div>====================================================</div><div>Request: dns_end: -------------------------------</div><div>[size=32, state=1, <b>num_pkts=0, num_bytes_ip=0</b>, flow_label=0, l2_addr=00:e0:18:b1:0c:ad], [size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:c0:9f:32:41:8c]<br>
Request: dns_end: -------------------------------</div><div>==================================================== <br><br></div><div>==================================================== <br></div><div>Reply: dns_end: ------------------------------- <br></div><div>dns_end: -------------------------------<br>[size=32, state=1, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:e0:18:b1:0c:ad], [size=60, state=1, <b>num_pkts=0, num_bytes_ip=0</b>, flow_label=0, l2_addr=00:c0:9f:32:41:8c]<br>
Reply: dns_end: ------------------------------- <br></div><div>====================================================<br></div><div><br></div><div>When bro sees DNS request/reply, it raises dns_end() event for both the packets at the end. In the reply packet's DNS event I see flow stats info is 0 in c$orig and c$resp as highlighted.</div><div><br></div><div>Stats gets updated in connection record after dns_end() event raised????</div><div><br></div><div>I have a use case, where I want to gather DNS req/rep data with the flow stats, but I see dns object from connection record is deleted in the last dns_end() event inside dns main.bro file. I assume the reason of same 5 tuple being used for different DNS exchanges.</div><div><br></div><div>Regards,</div><div>Nabil</div></div>