[Zeek] Flow stats in dns_end event

Nabil Memon nabilmemon.ec at gmail.com
Wed Apr 22 00:13:27 PDT 2020


Hi,

event dns_end(c: connection, msg: dns_msg)
	{
	# Dump the per-endpoint flow stats, the 5-tuple and the in-progress
	# DNS::Info record as they look when this event is delivered.
	print "dns_end: -------------------------------";
	print c$orig, c$resp, c$id, c$dns;
	print "dns_end: -------------------------------";
	}

Output:
====================================================
Request: dns_end: -------------------------------
[size=32, state=1, *num_pkts=0, num_bytes_ip=0*, flow_label=0,
l2_addr=00:e0:18:b1:0c:ad], [size=0, state=0, num_pkts=0, num_bytes_ip=0,
flow_label=0, l2_addr=00:c0:9f:32:41:8c]
Request: dns_end: -------------------------------
====================================================

====================================================
Reply: dns_end: -------------------------------
dns_end: -------------------------------
[size=32, state=1, num_pkts=1, num_bytes_ip=60, flow_label=0,
l2_addr=00:e0:18:b1:0c:ad], [size=60, state=1, *num_pkts=0, num_bytes_ip=0*,
flow_label=0, l2_addr=00:c0:9f:32:41:8c]
Reply: dns_end: -------------------------------
====================================================

When Bro sees a DNS request/reply, it raises the dns_end() event for both
packets at the end. In the reply packet's dns_end() event I see that the
flow stats are 0 in c$orig and c$resp, as highlighted.

Do the stats get updated in the connection record only after the dns_end()
event is raised?

I have a use case where I want to gather DNS request/reply data together
with the flow stats, but I see that the dns object is deleted from the
connection record in the last dns_end() event inside the DNS main.bro file.
I assume the reason is that the same 5-tuple is used for different DNS
exchanges.

Regards,
Nabil
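The collection the post asks for can be done in two events. The script below is an added example (mine, not the poster's and not part of Zeek's base/protocols/dns scripts); the module name, log stream and log path are my choices. It relies on two facts about the shipped scripts: c$orig$num_pkts and c$orig$num_bytes_ip are filled in by the ConnSize analyzer, which sits behind the protocol analyzers in the analyzer tree, so when dns_end is queued the packet that triggered it has not been counted yet (exactly the one-packet lag visible in the output above), while by connection_state_remove the counters are final; and the shipped dns_end handler in base/protocols/dns/main.zeek runs at &priority=-5 and deletes c$dns, so a handler at the default priority 0 still sees the record and can copy it out.

```zeek
##! Added example, not from the mailing-list post or from Zeek itself:
##! snapshot each DNS transaction at dns_end, emit it with the connection's
##! final flow stats at connection_state_remove.

module DNSFlow;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:            time             &log;
		uid:           string           &log;
		id:            conn_id          &log;
		trans_id:      count            &log;
		query:         string           &log &optional;
		qtype_name:    string           &log &optional;
		rcode_name:    string           &log &optional;
		answers:       vector of string &log &optional;
		## Flow stats of the whole connection, taken at teardown. Every
		## DNS exchange carried on this 5-tuple shares the same numbers.
		orig_pkts:     count            &log;
		orig_ip_bytes: count            &log;
		resp_pkts:     count            &log;
		resp_ip_bytes: count            &log;
	};
}

# uid -> (DNS transaction id -> copy of DNS::Info). One 5-tuple can carry
# many transactions, which is why the base script deletes c$dns per exchange.
global stash: table[string] of table[count] of DNS::Info;

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="dns_flow"]);
	}

# Default priority 0: runs before the shipped handler (&priority=-5) that
# logs and then deletes c$dns.
event dns_end(c: connection, msg: dns_msg)
	{
	if ( ! c?$dns )
		return;

	if ( c$uid !in stash )
		{
		local fresh: table[count] of DNS::Info;
		stash[c$uid] = fresh;
		}

	# dns_end fires once for the query and once for the reply; the second
	# snapshot (same msg$id) overwrites the first and carries the answers.
	stash[c$uid][msg$id] = copy(c$dns);
	}

# The endpoint counters are &optional: absent when use_conn_size_analyzer=F.
function pkts(e: endpoint): count
	{
	return e?$num_pkts ? e$num_pkts : 0;
	}

function ip_bytes(e: endpoint): count
	{
	return e?$num_bytes_ip ? e$num_bytes_ip : 0;
	}

# Here c$orig / c$resp include every packet of the connection.
event connection_state_remove(c: connection)
	{
	if ( c$uid !in stash )
		return;

	for ( tid in stash[c$uid] )
		{
		local d = stash[c$uid][tid];
		local rec: Info = [$ts=d$ts, $uid=c$uid, $id=c$id, $trans_id=tid,
		                   $orig_pkts=pkts(c$orig), $orig_ip_bytes=ip_bytes(c$orig),
		                   $resp_pkts=pkts(c$resp), $resp_ip_bytes=ip_bytes(c$resp)];

		if ( d?$query )
			rec$query = d$query;
		if ( d?$qtype_name )
			rec$qtype_name = d$qtype_name;
		if ( d?$rcode_name )
			rec$rcode_name = d$rcode_name;
		if ( d?$answers )
			rec$answers = d$answers;

		Log::write(LOG, rec);
		}

	delete stash[c$uid];
	}
```

Run it as `zeek -r dns.pcap dns_flow.zeek` and read dns_flow.log. Note the trade-off: the stats are only available once the connection is torn down, which for UDP DNS means after udp_inactivity_timeout (or at end of trace), so this is a post-hoc enrichment rather than something available inside dns_end itself, and the counters are per connection, not per transaction, when several lookups reuse one source port.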