[Bro] Questions about Bro's DNS Parser
daniela.miao at utoronto.ca
Sat Feb 6 21:29:13 PST 2010
Hi Vern,
Thanks for your time. I was actually running into the ip checksum
errors before, but then I discovered the -C option.
The problem is, even with the -C option, some packets that have error
codes such as "Server Failure" or "No Such Name Exists" are not being
logged in the DNS log file. The log file only contains information
regarding packets that had no errors. This confuses me, since it
appears that dns-info.bro file contains information required for error
code deciphering.
A closer look at the dns log file as given right now reveals that
whenever there is a packet that contains an error, the parser simply
stalls, and prints out the query as is, instead of deciphering the
error code.
Any suggestions would be much appreciated, thank you very much,
Daniela
Quoting Vern Paxson <vern at icir.org>:
>> Anyhow, I have attached a sample capture from the trace file, which
>> contains DNS packets with returned errors (some response packets). I
>> also took a look at dns.bro, if I'm not mistaken the parser does not
>> have any error code interpreting feature, it seems all to be grouped
>> into Weird::WEIRD_FILE.
>
> Do you mean errors based on the analyzer's parsing failing, or errors
> indicated via the DNS protocol? The latter are logged in the DNS log file.
> For the former, when I run on the file all I get in the weird file is IP
> checksums. If I use -C to ignore these then I get a bunch of DNS log file
> output that seems reasonable, so I'm not immediately seeing the problem.
>
> Vern
>
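The error codes discussed in this thread ("Server Failure", "No Such Name Exists") are the 4-bit RCODE field of the DNS message header (RFC 1035, section 4.1.1). As an added example, not code from the thread, from Bro, or from its dns.bro script, the following Python decodes that header from raw bytes and pairs the RCODE with the question name, which is the information a DNS log line for an error response needs to carry. The RCODE names are the standard RFC 1035 mnemonics; the sample packets are constructed inline with an assumed transaction id and query name.

```python
import struct

# RFC 1035 section 4.1.1 RCODE values (standard mnemonics; assumed, not from the thread).
RCODE_NAMES = {
    0: "NOERROR",
    1: "FORMERR",
    2: "SERVFAIL",   # "Server Failure"
    3: "NXDOMAIN",   # "No Such Name Exists"
    4: "NOTIMP",
    5: "REFUSED",
}


def parse_dns_header(pkt: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; raise on truncated input."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "opcode": (flags >> 11) & 0xF,
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(pkt: bytes, offset: int):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not appear in the question section of
            # well-formed messages; treat them as malformed here.
            raise ValueError("compression pointer in question name")
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_response(txid: int, qname: str, qtype: int, rcode: int) -> bytes:
    """Construct a minimal response (QR=1) carrying only the question and an RCODE."""
    flags = 0x8000 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def summarize_response(pkt: bytes) -> dict:
    """Return the fields a DNS log line should record for a response, error or not."""
    hdr = parse_dns_header(pkt)
    if not hdr["is_response"]:
        raise ValueError("not a response")
    if hdr["qdcount"] < 1:
        raise ValueError("response carries no question")
    qname, off = decode_qname(pkt, 12)
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "id": hdr["id"],
        "query": qname,
        "qtype": qtype,
        "qclass": qclass,
        "rcode": hdr["rcode"],
        "rcode_name": hdr["rcode_name"],
    }


if __name__ == "__main__":
    # Constructed samples: a SERVFAIL and an NXDOMAIN for the same assumed query.
    for rc in (2, 3):
        print(summarize_response(build_response(0x1234, "example.com", 1, rc)))
```

The point of the example is that an error response still has a parseable question section, so the query name and the decoded RCODE can be logged together; a parser that stops at a non-zero RCODE and emits only the raw query loses exactly the field that distinguishes a server failure from a non-existent name.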