[Zeek] duplicated intel logs DNS::IN_REQUEST
Justin Azoff
justin at corelight.com
Fri Oct 4 10:19:08 PDT 2019
On Fri, Oct 4, 2019 at 4:08 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:
> Hi Justin,
>
> I am in fact seeing 2,2 or 2,0 as orig_pkts and resp_pkts. And I
> confirmed this with tcpdump. So I believe it is an issue with the network
> we are tapping as I see these duplicated packets only for dns.
>
Possibly, but you may have duplicates everywhere. The tcp reassembler can
use the sequence numbers to avoid analyzing the same traffic twice, but UDP
doesn't have anything like that. DNS is just the place you tend to notice
the duplicate traffic the most.
--
Justin
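As an added illustration (not part of the thread, and not Zeek or Corelight code) of the check Justin's answer implies: rather than looking only at dns, summarise the orig_pkts/resp_pkts pattern in conn.log for every UDP service, since a tap that emits each datagram twice will show even packet counts (2/2, 2/0) on NTP, syslog and the rest too. The conn.log excerpt embedded below is constructed for the example, and the "even counts" test is a heuristic, not a Zeek feature.

```python
from collections import defaultdict

# Constructed conn.log excerpt (not from a real sensor); only the columns this
# check needs are included, Zeek's real conn.log carries more.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_pkts\tresp_pkts
1570180000.1\tC1\t10.0.0.5\t51000\t10.0.0.53\t53\tudp\tdns\t2\t2
1570180000.2\tC2\t10.0.0.6\t51001\t10.0.0.53\t53\tudp\tdns\t2\t2
1570180000.3\tC3\t10.0.0.7\t51002\t10.0.0.53\t53\tudp\tdns\t2\t0
1570180000.4\tC4\t10.0.0.5\t123\t10.0.0.1\t123\tudp\tntp\t2\t2
1570180000.5\tC5\t10.0.0.8\t51003\t10.0.0.9\t514\tudp\tsyslog\t1\t0
1570180000.6\tC6\t10.0.0.5\t44000\t10.0.0.10\t80\ttcp\thttp\t6\t5
"""


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        else:
            if fields is None:
                raise ValueError("data line before #fields header")
            yield dict(zip(fields, line.split("\t")))


def looks_duplicated(orig_pkts, resp_pkts):
    """Heuristic: a tap that doubles every datagram yields even counts on both
    sides (2/2, 2/0, 4/4); a single-query DNS exchange should be 1/1."""
    return orig_pkts >= 2 and orig_pkts % 2 == 0 and resp_pkts % 2 == 0


def udp_duplicate_stats(text):
    """Return {service: (suspect_flows, total_flows)} for UDP connections only;
    TCP is skipped because Zeek's reassembler already discards duplicate segments."""
    stats = defaultdict(lambda: [0, 0])
    for rec in parse_conn_log(text):
        if rec["proto"] != "udp":
            continue
        service = rec["service"] if rec["service"] != "-" else "unknown"
        stats[service][1] += 1
        if looks_duplicated(int(rec["orig_pkts"]), int(rec["resp_pkts"])):
            stats[service][0] += 1
    return {svc: tuple(v) for svc, v in stats.items()}


if __name__ == "__main__":
    for svc, (suspect, total) in sorted(udp_duplicate_stats(SAMPLE_CONN_LOG).items()):
        print(f"{svc:10s} {suspect}/{total} flows with even packet counts")
```

If the suspect share is high for NTP or syslog as well as DNS, the duplication is on the tap or span port, not in the DNS analyzer; confirming with tcpdump on the same interface, as in the thread, settles it.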