[Bro] Questions about Bro's DNS Parser

daniela.miao at utoronto.ca daniela.miao at utoronto.ca
Sun Jan 24 20:17:57 PST 2010


Hey Seth,

Thanks for your help. However, I wasn't even aware of the binpac  
parser till you just mentioned it, so I think I am already using the  
hand written one.

Just in case, this is the command I'm using:

bro -r test.pcap dns

I believe this is correct?

Thanks,

Daniela

Quoting Seth Hall <hall.692 at osu.edu>:

>
> On Jan 24, 2010, at 5:15 PM, daniela.miao at utoronto.ca wrote:
>
>> However, I've run into some
>> problems with certain packets that contain DNS responses with errors.
>> I'm not sure what the exact problem is, but it seems that the bro
>> parser is having trouble recognizing all the returned error codes
>> (indicating "malformed packets", "no such name exists", "server
>> failure" etc.) I have attached a fragment of the log file to
>> illustrate my point, as you can see, all the responses containing
>> errors simply turn into "A requested domain name")
>
>
> Are you using the binpac based parser?  I was just running into trouble
> last night with error codes being returned incorrectly from the binpac
> parser.  The hand written parser was working fine for me though.
>
>   .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721







More information about the Bro mailing list