[Bro] Questions about Bro's DNS Parser
vern at icir.org
Sat Feb 6 21:03:00 PST 2010
> Anyhow, I have attached a sample capture from the trace file, which
> contains DNS packets with returned errors (some response packets). I
> also took a look at dns.bro, if I'm not mistaken the parser does not
> have any error code interpreting feature, it seems all to be grouped
> into Weird::WEIRD_FILE.
Do you mean errors based on the analyzer's parsing failing, or errors
indicated via the DNS protocol? The latter are logged in the DNS log file.
For the former, when I run on the file all I get in the weird file is IP
checksums. If I use -C to ignore these then I get a bunch of DNS log file
output that seems reasonable, so I'm not immediately seeing the problem.
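To make the distinction in the reply concrete (errors signalled by the DNS protocol itself versus the analyzer failing to parse a packet), here is a small parser for the DNS message header that pulls out the 4-bit RCODE field and reports responses whose code is non-zero, the same information a DNS log line would carry for a failed lookup. This is an added example and is not code from the thread, from dns.bro or from Bro; the function names (`parse_dns_header`, `classify`, `dns_errors`, `build_message`) and the sample messages it constructs in-line are my own, not captured traffic from the poster's trace.

```python
import struct

# DNS response codes carried in the low 4 bits of the flags word
# (RFC 1035 values 0-5, RFC 2136 values 6-10).
RCODES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
    10: "NOTZONE",
}


def rcode_name(rcode):
    return RCODES.get(rcode, "RCODE%d" % rcode)


def encode_name(name):
    # Wire-format a domain name as length-prefixed labels ending in a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    # Decode a name from the question section (no compression pointers there
    # in practice; refuse them rather than mis-parse).
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_header(msg):
    # The fixed 12-byte header: ID, flags, and the four section counts.
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg):
    # A parse failure (truncated header) raises; a protocol-level error is a
    # well-formed response with a non-zero RCODE.
    h = parse_dns_header(msg)
    if h["qr"] == 0:
        return "query"
    return "response/" + rcode_name(h["rcode"])


def dns_errors(msgs):
    # Return (id, qname, rcode name) for every response that reports an error,
    # i.e. what a log of protocol-indicated DNS failures would contain.
    out = []
    for msg in msgs:
        h = parse_dns_header(msg)
        if h["qr"] == 1 and h["rcode"] != 0:
            qname = decode_name(msg, 12)[0] if h["qdcount"] else ""
            out.append((h["id"], qname, rcode_name(h["rcode"])))
    return out


def build_message(ident, qr, rcode, qname, qtype=1, rd=1, ra=1):
    # Constructed sample message with one question and no answer records.
    flags = (qr << 15) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed traffic: a query, an NXDOMAIN reply to it, and a clean reply.
    sample = [
        build_message(0x1234, 0, 0, "nosuch.example.com"),
        build_message(0x1234, 1, 3, "nosuch.example.com"),
        build_message(0x5678, 1, 0, "example.com"),
    ]
    for m in sample:
        print(classify(m))
    print(dns_errors(sample))
```

Note that a failure inside `parse_dns_header` (a message too short to hold the header) is the analogue of an analyzer parse error, while `dns_errors` only ever reports messages the parser accepted; keeping those two outcomes apart is the distinction the reply draws between the weird file and the DNS log.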