[Zeek] Zeek/Bro DNS log missing type

Michael Gez mgezz66 at gmail.com
Fri Aug 16 09:31:28 PDT 2019


Vlad,

The checksum was indeed off, adding -C to the options when running the
packet has corrected this behavior.
I'm now seeing the "A" I expected in the output dns log file.
Thank you very much for your swift and pointed response.

Have a great day.

On Fri, Aug 16, 2019 at 12:23 PM Vlad Grigorescu <vlad at es.net> wrote:

> Is the checksum correct on your query packet?
>
> On Fri, Aug 16, 2019 at 4:18 PM Michael Gez <mgezz66 at gmail.com> wrote:
>
>> Hi all,
>>
>> I am using Zeek to run a PCAP and then parsing/processing the
>> generated logs to make sense of the traffic.
>> The issue I’m having is with the DNS parser. It is not always producing
>> what I’m expecting it to.
>> In particular, it doesn’t always parse the type from the DNS traffic
>> PCAP, which is one of the markers my code looks for.
>>
>> If I look using Wireshark with the same PCAP I see that the type “A” is
>> present, as I would expect it to be.
>> However, the resulting Zeek dns.log is missing that field in particular.
>> I need Zeek to parse this type field out so I know to look into the
>> domain visited to make sure it is legitimate.
>>
>> Are there any known issues with the DNS parser, or any known solutions to
>> this particular problem?
>> Here is an example generated by navigating to a webpage
>>
>> 1565970799.068532    CK9bYM3SGJHwpPNW12    192.168.100.3    19024    192.168.100.1    53    udp    10896    -    rl.ammyy.com    -    -    -    -    0    NOERROR    F    F    F    T    0    188.42.129.148    278.000000    F
>>
>>
>> To the best of my understanding, the field which is marked empty "-", 2
>> fields prior to the NOERROR field, should be "A".
>> This works for other instances of traffic I can find in PCAPs from the
>> internet, but not from the ones generated by me capturing local traffic
>> while navigating to the website.
>>
>> Thank you!
>>
>> P.S. if I left out any important information please let me know so I can
>> include it, I’m still new to the IDS
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
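Added example, not code from the thread or from the Zeek project: a short Python script that covers the two things this exchange turns on. First it reads dns.log records (the posted line plus one constructed record of a fully parsed A query) and picks out entries whose qtype_name, two columns before rcode_name, is "-", which is what you see when Zeek logged the response but never accepted the query. Second it builds the UDP/DNS query for that record, computes the RFC 768 checksum over the IPv4 pseudo-header, and models Zeek's checksum gate: by default (ignore_checksums=F) a UDP segment whose checksum does not verify is discarded and a bad_UDP_checksum weird is logged; zeek -C (or redef ignore_checksums = T;) keeps it. The column list assumes the 24-field dns.log layout of the Zeek version in the thread; the packet bytes and the second log record are constructed, and the "offload-mangled" checksum is a stand-in for what a capture on the sending host contains when the NIC was supposed to fill the checksum in.

```python
"""Added example (not from the thread or from Zeek): find dns.log records with
no parsed query type, and reproduce the UDP checksum test that decides whether
Zeek keeps a packet by default or only with -C."""
import socket
import struct

# Column order of the default dns.log at the time of the thread. This is an
# assumption matching the 24 tab-separated fields in the posted line.
DNS_LOG_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name",
    "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected",
]

# Constructed sample: the first record is the one posted in the thread, the
# second is made up to show what a fully parsed A query looks like.
SAMPLE_DNS_LOG = "\n".join("\t".join(f) for f in [
    ["1565970799.068532", "CK9bYM3SGJHwpPNW12", "192.168.100.3", "19024",
     "192.168.100.1", "53", "udp", "10896", "-", "rl.ammyy.com", "-", "-", "-",
     "-", "0", "NOERROR", "F", "F", "F", "T", "0", "188.42.129.148", "278.000000", "F"],
    ["1565970799.200000", "CxConstructed00001", "192.168.100.3", "19025",
     "192.168.100.1", "53", "udp", "10897", "0.010000", "example.com", "1",
     "C_INTERNET", "1", "A", "0", "NOERROR", "F", "F", "T", "T", "0",
     "93.184.216.34", "300.000000", "F"],
])


def parse_dns_log(text):
    """Parse tab-separated dns.log body lines into dicts keyed by column name."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip Zeek's #fields/#types header
            continue
        fields = line.split("\t")
        if len(fields) != len(DNS_LOG_FIELDS):
            raise ValueError("unexpected field count %d" % len(fields))
        records.append(dict(zip(DNS_LOG_FIELDS, fields)))
    return records


def missing_qtype(records):
    """Records where qtype_name (two columns before rcode_name) is '-': Zeek
    logged a response but never parsed the matching query."""
    return [r for r in records if r["qtype_name"] == "-"]


def _ones_complement_sum(data):
    """16-bit one's complement sum, as used by IP/UDP/TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, udp_length):
    """IPv4 pseudo-header: src, dst, zero, protocol 17 (UDP), UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_length)


def udp_checksum(src_ip, dst_ip, udp_segment):
    """RFC 768 checksum with the checksum field (bytes 6-7) taken as zero."""
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(udp_segment)) + zeroed)) & 0xFFFF
    return csum or 0xFFFF                  # an all-zero result is sent as 0xFFFF


def udp_checksum_ok(src_ip, dst_ip, udp_segment):
    """Verify a received segment: summing the stored checksum in must give all ones."""
    stored = struct.unpack("!H", udp_segment[6:8])[0]
    if stored == 0:
        return True                        # IPv4 lets a sender omit the UDP checksum
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(udp_segment)) + udp_segment) == 0xFFFF


def zeek_would_analyze(src_ip, dst_ip, udp_segment, ignore_checksums=False):
    """Model of Zeek's UDP checksum gate. Default (ignore_checksums=F): a bad
    checksum drops the packet and logs a bad_UDP_checksum weird. zeek -C sets
    ignore_checksums=T and hands the packet to the DNS analyzer anyway."""
    return ignore_checksums or udp_checksum_ok(src_ip, dst_ip, udp_segment)


def build_dns_query(name, txid, qtype=1):
    """Minimal DNS query: header with RD set, one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_udp(src_port, dst_port, payload, src_ip, dst_ip):
    """UDP segment with a correct checksum over the given IPv4 endpoints."""
    seg = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]


# Constructed packets for the query in the posted record (txid 10896).
SRC, DST = "192.168.100.3", "192.168.100.1"
QUERY = build_dns_query("rl.ammyy.com", txid=10896)
GOOD_SEGMENT = build_udp(19024, 53, QUERY, SRC, DST)
# Stand-in for a packet captured on the sending host with checksum offloading on:
# the NIC was going to fill the checksum in, so the capture holds a wrong value.
_good_csum = struct.unpack("!H", GOOD_SEGMENT[6:8])[0]
_wrong_csum = 0x0001 if _good_csum != 0x0001 else 0x0002
BAD_SEGMENT = GOOD_SEGMENT[:6] + struct.pack("!H", _wrong_csum) + GOOD_SEGMENT[8:]

if __name__ == "__main__":
    for r in missing_qtype(parse_dns_log(SAMPLE_DNS_LOG)):
        print("response logged without a parsed query type:", r["query"], "uid", r["uid"])
    for label, seg in (("good", GOOD_SEGMENT), ("bad", BAD_SEGMENT)):
        print(label, "checksum; analyzed by default:", zeek_would_analyze(SRC, DST, seg),
              "with -C:", zeek_would_analyze(SRC, DST, seg, ignore_checksums=True))
```

On a real capture the quick confirmation is to look in weird.log for bad_UDP_checksum entries for the client's port 53 traffic, then rerun as zeek -C -r capture.pcap (or put redef ignore_checksums = T; in local.zeek) and check that qtype_name is now populated. Disabling checksum offloading on the capturing interface, or capturing on a different host than the one generating the traffic, avoids the problem at the source.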

