[Zeek] Zeek/Bro DNS log missing type
Jon Siwek
jsiwek at corelight.com
Fri Aug 16 09:31:57 PDT 2019
On Fri, Aug 16, 2019 at 9:18 AM Michael Gez <mgezz66 at gmail.com> wrote:
> If I look using Wireshark with the same PCAP I see that the type “A” is present, as I would expect it to be.
> However, the resulting Zeek dns.log is missing that field in particular.
> I need Zeek to parse this type field out so I know to look into the domain visited to make sure it is legitimate.
>
> Are there any known issues with the DNS parser, or any known solutions to this particular problem?
Nothing comes to mind. It's easiest to investigate further if you can
share an example pcap that reproduces the unexpected behavior.
- Jon
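Added example (not from the thread, and not Zeek's own code): a small Python checker for a dns.log written in Zeek's default TSV format. It reads the `#fields` and `#unset_field` headers, reports every record whose `qtype_name` column is unset, and tallies query types, so the affected transactions can be matched back to the pcap by `uid`. The log lines embedded below are constructed to mimic the symptom described above; the column names are those of Zeek's default dns.log, but only a subset of columns is included.

```python
"""Find dns.log records whose qtype/qtype_name is unset (Zeek TSV format)."""

# Constructed sample in Zeek's default TSV log layout (not taken from the
# thread's pcap). The second record mimics the reported problem: the query is
# logged but qclass/qtype/qtype_name are unset ("-").
SAMPLE_DNS_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring\tcount\tstring\tcount\tstring\tcount\tstring
1565972400.000000\tCabc1\t10.0.0.5\t51234\t10.0.0.1\t53\tudp\t4660\texample.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR
1565972401.000000\tCabc2\t10.0.0.5\t51235\t10.0.0.1\t53\tudp\t4661\tlegit-lookup.test\t-\t-\t-\t-\t0\tNOERROR
1565972402.000000\tCabc3\t10.0.0.5\t51236\t10.0.0.1\t53\tudp\t4662\tmail.example.com\t1\tC_INTERNET\t15\tMX\t0\tNOERROR
#close\t2019-08-16-09-31-57
"""


def parse_zeek_tsv(text):
    """Yield one dict per record of a Zeek TSV log.

    Honours the #separator, #fields and #unset_field headers; unset values
    are returned as None so callers can distinguish "absent" from "-".
    """
    separator = "\t"
    unset = "-"
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Zeek writes the separator as an escape sequence, e.g. \x09.
                separator = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(separator)
            if key == "fields":
                fields = value.split(separator)
            elif key == "unset_field":
                unset = value
            continue  # #types, #path, #open, #close, ... are not needed here
        if fields is None:
            raise ValueError("data record seen before #fields header")
        values = line.split(separator)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def find_missing_qtype(text):
    """Return (uid, query) for every record whose qtype_name is unset."""
    return [(r["uid"], r["query"]) for r in parse_zeek_tsv(text)
            if r["qtype_name"] is None]


def qtype_counts(text):
    """Count records per qtype_name; unset values are grouped under '<unset>'."""
    counts = {}
    for r in parse_zeek_tsv(text):
        name = r["qtype_name"] or "<unset>"
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for uid, query in find_missing_qtype(SAMPLE_DNS_LOG):
        print(f"qtype unset: uid={uid} query={query}")
    print(qtype_counts(SAMPLE_DNS_LOG))
```

Run it against a real dns.log by reading the file into `text`; the `uid` of each flagged record is the handle to pull that connection's packets out of the pcap and compare against what Wireshark decodes for the same transaction.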