[Zeek] Zeek/Bro DNS log missing type

Vlad Grigorescu vlad at es.net
Fri Aug 16 09:23:16 PDT 2019


Is the checksum correct on your query packet?

On Fri, Aug 16, 2019 at 4:18 PM Michael Gez <mgezz66 at gmail.com> wrote:

> Hi all,
>
> I am using Zeek to run a PCAP and then parsing/processing the
> generated logs to make sense of the traffic.
> The issue I’m having is with the DNS parser. It is not always producing
> what I’m expecting it to.
> In particular, it doesn’t always parse the type from the DNS traffic PCAP,
> which is one of the markers my code looks for.
>
> If I look using Wireshark with the same PCAP I see that the type “A” is
> present, as I would expect it to be.
> However, the resulting Zeek dns.log is missing that field in particular.
> I need Zeek to parse this type field out so I know to look into the domain
> visited to make sure it is legitimate.
>
> Are there any known issues with the DNS parser, or any known solutions to
> this particular problem?
> Here is an example generated by navigating to a webpage
>
> 1565970799.068532    CK9bYM3SGJHwpPNW12    192.168.100.3    19024    192.168.100.1    53    udp    10896    -    rl.ammyy.com    -    -    -    -    0    NOERROR    F    F    F    T    0    188.42.129.148    278.000000    F
>
>
> To the best of my understanding, the field which is marked empty "-", 2
> fields prior to the NOERROR field, should be "A".
> This works for other instances of traffic I can find in PCAPs from the
> internet, but not from the ones generated by me capturing local traffic
> while navigating to the website.
>
> Thank you!
>
> P.S. If I left out any important information please let me know so I can
> include it, I'm still new to the IDS.
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
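Added example (not part of the thread, nor Zeek's own code): it reassembles the dns.log record quoted above into Zeek's default tab-separated column order, flags that every query-derived field (rtt, qclass, qtype, qtype_name) is unset while the response-side fields are present, and then performs the check Vlad asks for, verifying a UDP checksum over the IPv4 pseudo-header on a constructed DNS query for the same transaction id, name and addresses. The column order is assumed to be the stock Zeek 2.6/3.0 dns.log layout (the message does not include the `#fields` line); the query packet and the stale checksum value are constructed for illustration.

```python
import socket
import struct

# Default column order of Zeek's dns.log TSV output (Zeek 2.6 / 3.0);
# assumed here, since the message quotes the record but not its #fields line.
DNS_LOG_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs",
    "rejected",
]

# Fields Zeek can only populate from the query packet. If all of them are
# unset while rcode/answers are set, Zeek processed the response but never
# the query, which is what a query dropped for a bad checksum looks like.
QUERY_SIDE_FIELDS = ["rtt", "qclass", "qclass_name", "qtype", "qtype_name"]

# The record from the message, re-joined with tabs (the mail client wrapped it).
SAMPLE_LINE = "\t".join([
    "1565970799.068532", "CK9bYM3SGJHwpPNW12", "192.168.100.3", "19024",
    "192.168.100.1", "53", "udp", "10896", "-", "rl.ammyy.com", "-", "-", "-",
    "-", "0", "NOERROR", "F", "F", "F", "T", "0", "188.42.129.148",
    "278.000000", "F",
])


def parse_dns_log_line(line: str) -> dict:
    """Split one dns.log record into a dict; Zeek's '-' (unset) becomes None."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(DNS_LOG_FIELDS):
        raise ValueError(f"expected {len(DNS_LOG_FIELDS)} fields, got {len(values)}")
    return {k: (None if v == "-" else v) for k, v in zip(DNS_LOG_FIELDS, values)}


def query_side_missing(rec: dict) -> list:
    """Names of the query-derived fields that are unset in this record."""
    return [f for f in QUERY_SIDE_FIELDS if rec[f] is None]


def response_only(rec: dict) -> bool:
    """True when a response was logged without any query-side information."""
    return rec["rcode"] is not None and query_side_missing(rec) == QUERY_SIDE_FIELDS


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, udp_segment: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the UDP segment,
    with the segment's own checksum field taken as zero."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(udp_segment)))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF (0 means "none")


def udp_checksum_ok(src_ip: str, dst_ip: str, udp_segment: bytes) -> bool:
    """The check asked about in the reply: does the UDP checksum verify?"""
    present = struct.unpack("!H", udp_segment[6:8])[0]
    if present == 0:
        return True  # RFC 768: zero means the sender omitted the checksum
    return present == udp_checksum(src_ip, dst_ip, udp_segment)


def dns_a_query(trans_id: int, name: str) -> bytes:
    """Minimal DNS query: header (RD set, one question) + QNAME + QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", trans_id, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_udp(src_ip, dst_ip, sport, dport, payload, checksum=None) -> bytes:
    """UDP header + payload; the checksum is computed unless one is forced."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if checksum is None:
        checksum = udp_checksum(src_ip, dst_ip, segment)
    return segment[:6] + struct.pack("!H", checksum) + segment[8:]


if __name__ == "__main__":
    rec = parse_dns_log_line(SAMPLE_LINE)
    print("query-side fields unset:", query_side_missing(rec))
    print("response without query:", response_only(rec))
    src, dst = rec["id.orig_h"], rec["id.resp_h"]
    payload = dns_a_query(int(rec["trans_id"]), rec["query"])
    good = build_udp(src, dst, int(rec["id.orig_p"]), 53, payload)
    # Constructed stand-in for a capture taken on the sending host with
    # checksum offload: the NIC never filled the field in, so it is stale.
    bad = build_udp(src, dst, int(rec["id.orig_p"]), 53, payload, checksum=0x0001)
    print("good checksum verifies:", udp_checksum_ok(src, dst, good))
    print("stale checksum verifies:", udp_checksum_ok(src, dst, bad))
```

Run against the quoted record, the parser reports that rtt, qclass, qclass_name, qtype and qtype_name are all unset while rcode, rcode_name and answers are filled, i.e. Zeek logged the response but never processed the matching query. That pattern is consistent with the query packet failing its checksum: by default Zeek does not hand payloads with bad transport checksums to the application analyzer, and captures taken on the host that sends the packets often carry unfilled checksums because the NIC computes them after the capture point. Zeek's `-C` (`--no-checksums`) option makes it ignore checksums for such captures.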

