[Zeek] Zeek/Bro DNS log missing type

Jon Siwek jsiwek at corelight.com
Fri Aug 16 09:31:57 PDT 2019


On Fri, Aug 16, 2019 at 9:18 AM Michael Gez <mgezz66 at gmail.com> wrote:

> If I look using Wireshark with the same PCAP I see that the type “A” is present, as I would expect it to be.
> However, the resulting Zeek dns.log is missing that field in particular.
> I need Zeek to parse this type field out so I know to look into the domain visited to make sure it is legitimate.
>
> Are there any known issues with the DNS parser, or any known solutions to this particular problem?

Nothing comes to mind.  It's easiest to investigate further if you can
share an example pcap that reproduces the unexpected behavior.

- Jon
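As an added example, not code from this thread or from the Zeek project: the following Python check triages a dns.log for the symptom described above. It parses Zeek's default ASCII-writer TSV layout (honouring the `#separator`, `#fields` and `#unset_field` headers) and separates rows where both `qtype` and `qtype_name` are unset from rows where the numeric `qtype` was logged but its name was not, since those two cases point at different things to look for in the pcap. The log rows, UIDs and addresses are constructed for the example, the column set is trimmed to what the check needs, and `QTYPE_NAMES` is a hand-picked subset of the IANA RR type numbers.

```python
"""Flag Zeek dns.log rows whose query-type fields are unset (added example, not Zeek code)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in Zeek's default ASCII-writer TSV layout. The column set
# is trimmed to what this check needs; a real dns.log carries more fields.
# UIDs and addresses are made up. Row 3 has qtype and qtype_name both unset,
# row 4 has a numeric qtype but no qtype_name.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype\tqtype_name\tanswers\n"
    "#types\ttime\tstring\taddr\taddr\tstring\tcount\tstring\tvector[string]\n"
    "1565972400.000000\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t10.0.0.53\texample.com\t1\tA\t93.184.216.34\n"
    "1565972401.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t10.0.0.53\tmail.example.com\t15\tMX\tmail.example.com\n"
    "1565972402.000000\tCjhGhu3iHxPMj9Lx4b\t10.0.0.5\t10.0.0.53\tupdates.example.net\t-\t-\t-\n"
    "1565972403.000000\tCUM0KZ3MLUfNB0cl11\t10.0.0.7\t10.0.0.53\tcdn.example.org\t28\t-\t2001:db8::1\n"
    "#close\t2019-08-16-09-30-00\n"
)

Record = Dict[str, Optional[str]]


def parse_zeek_tsv(text: str) -> List[Record]:
    """Parse Zeek ASCII-writer TSV output; unset fields become None."""
    sep = "\t"
    unset = "-"
    fields: Optional[List[str]] = None
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The header states the separator as an escape sequence, e.g. \x09.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            parts = line.split(sep)
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            continue  # #types, #path, #close and friends carry nothing we need
        if fields is None:
            raise ValueError("data row seen before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


# Subset of IANA RR type numbers, used to cross-check qtype against qtype_name.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "*"}

Finding = Tuple[str, Optional[str], str]


def find_missing_qtype(records: List[Record]) -> List[Finding]:
    """Return (uid, query, reason) for rows with an unset or inconsistent query type."""
    findings: List[Finding] = []
    for r in records:
        uid = r.get("uid") or ""
        qtype, name = r.get("qtype"), r.get("qtype_name")
        if qtype is None and name is None:
            # No question type recorded at all: the request side was never logged.
            findings.append((uid, r.get("query"), "qtype and qtype_name both unset"))
        elif name is None:
            # Number logged but no name: a gap in the number-to-name mapping.
            expected = QTYPE_NAMES.get(int(qtype), "unknown")
            findings.append((uid, r.get("query"), f"qtype_name unset; qtype {qtype} is {expected}"))
        elif qtype is None:
            findings.append((uid, r.get("query"), f"qtype unset but qtype_name is {name}"))
        elif QTYPE_NAMES.get(int(qtype), name) != name:
            findings.append((uid, r.get("query"), f"qtype {qtype} does not match qtype_name {name}"))
    return findings


if __name__ == "__main__":
    for uid, query, reason in find_missing_qtype(parse_zeek_tsv(SAMPLE_DNS_LOG)):
        print(f"{uid}\t{query}\t{reason}")
```

On a real capture, pass the contents of dns.log to `parse_zeek_tsv` and use the reported UIDs to pull the matching connections from the pcap before sharing it, as the reply above asks. The parser handles only the TSV writer; a deployment that sets `LogAscii::use_json` would need a `json.loads` per line instead.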


