[Bro] Questions about Bro's DNS Parser

daniela.miao at utoronto.ca daniela.miao at utoronto.ca
Sun Jan 24 14:15:47 PST 2010


Dear Mr. Paxson/Bro contributors,

My name is Daniela Miao, and I am currently a 3rd-year Computer
Engineering student at the University of Toronto. I have a couple of
questions regarding Bro's current DNS parser; I hope this will not
take up too much of your time.

Being currently involved in a Bell Canada research project, I am
responsible for analyzing some DNS data traffic, captured in a pcap
file. I discovered Bro's DNS parser, which is rather robust, and
performs the exact operations that I need. However, I've run into some
problems with certain packets that contain DNS responses with errors.
I'm not sure what the exact problem is, but it seems that the Bro
parser is having trouble recognizing all the returned error codes
(indicating "malformed packets", "no such name exists", "server
failure", etc.). I have attached a fragment of the log file to
illustrate my point (as you can see, all the responses containing
errors simply turn into "A requested domain name").

I suspect that I have to customize the parser a bit, so that it can
recognize all the error codes. However, since I'm not familiar with
the source code, I wanted to get some advice from you regarding this
problem, before I blindly dive in.

I apologize if you are not the correct person I should be contacting.
If you could provide some resources/other contacts from whom I can
gain some direction, or advice, I would be very thankful.

Thank you for your time. I hope you have a nice day.

Sincerely,

Daniela
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dns.log
Type: text/x-log
Size: 2293 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100124/e3fe38a0/attachment.bin 
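The error codes the message above is looking for live in the 4-bit RCODE field of the DNS header (RFC 1035 section 4.1.1): 1 is FORMERR (the server considered the query malformed), 2 is SERVFAIL and 3 is NXDOMAIN (no such name). The following is an added example, written for this page and not code from the original email or from Bro itself: a small Python parser that decodes the DNS header and question section from raw message bytes, reports the RCODE by name for responses, and classifies messages it cannot decode (for instance a truncated label) as malformed instead of crashing. The `build_response` helper and the sample messages are constructed here for illustration only; no real capture is used.

```python
"""Minimal DNS header/question parser (RFC 1035 section 4.1), added example."""
import struct

# RCODE values assigned by RFC 1035; higher values exist (e.g. in EDNS) but
# are reported numerically here.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def parse_name(data, offset):
    """Decode a domain name at `offset`, following compression pointers.

    Returns (name, offset_after_name). Raises ValueError on malformed input
    (labels past the end of the message, pointer loops, over-long labels)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | data[offset + 1]
            if end is None:                            # only the first jump
                end = offset + 2                       # decides where we resume
            hops += 1
            if hops > 16 or pointer >= len(data):
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        if length == 0:                                # root label terminates
            break
        if offset + length > len(data):
            raise ValueError("label runs past end of message")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (end if end is not None else offset)


def parse_dns(data):
    """Parse the 12-byte header and the question section of a DNS message."""
    if len(data) < 12:
        raise ValueError("message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    msg = {
        "id": ident,
        "is_response": bool(flags & 0x8000),           # QR bit
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0xF,                          # low 4 bits of flags
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "questions": [],
    }
    msg["rcode_name"] = RCODES.get(msg["rcode"], "RCODE%d" % msg["rcode"])
    offset = 12
    for _ in range(qd):
        name, offset = parse_name(data, offset)
        if offset + 4 > len(data):
            raise ValueError("truncated question section")
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        msg["questions"].append((name, qtype, qclass))
    return msg


def classify(data):
    """Return 'query', the RCODE name of a response, or 'malformed (...)'."""
    try:
        msg = parse_dns(data)
    except ValueError as exc:
        return "malformed (%s)" % exc
    if not msg["is_response"]:
        return "query"
    return msg["rcode_name"]


def build_response(ident, rcode, qname):
    """Constructed sample: a response header plus one question, no RRs."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode           # QR, RD, RA, RCODE
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii")
                        for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


if __name__ == "__main__":
    samples = {
        "nxdomain": build_response(0x1234, 3, "nosuch.example.com"),
        "servfail": build_response(0x1235, 2, "www.example.com"),
        "formerr": build_response(0x1236, 1, "www.example.com"),
        "truncated": build_response(0x1237, 0, "nosuch.example.com")[:20],
    }
    for label, raw in samples.items():
        print("%-10s -> %s" % (label, classify(raw)))
```

Running the block prints one line per constructed sample; the truncated message is reported as malformed with the reason, which is the distinction a DNS log should make between "the server said FORMERR" and "the capture itself could not be decoded".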

