[Zeek] Flow stats in dns_end event

Nabil Memon nabilmemon.ec at gmail.com
Wed Apr 22 11:54:42 PDT 2020


Awesome, thanks!
It worked.

Nabil

On Wed, Apr 22, 2020 at 10:52 PM Jon Siwek <jsiwek at corelight.com> wrote:

> On Wed, Apr 22, 2020 at 12:15 AM Nabil Memon <nabilmemon.ec at gmail.com>
> wrote:
>
> > Stats get updated in the connection record after the dns_end() event is raised?
>
> Yes, the "dns_end" event and associated values can get
> created/enqueued before the states are updated.  However, the updated
> stats *are* technically available by the time the event gets
> dispatched, so one trick to refresh the connection record value would
> be to use "lookup_connection()".  See if this helps:
>
> event dns_end(c: connection, msg: dns_msg)
>     {
>     c = lookup_connection(c$id);
>     print "dns_end: -------------------------------";
>     print c$orig, c$resp, c$id, c$dns;
>     print "dns_end: -------------------------------";
>     }
>
> - Jon
>
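
The refresh trick from the reply above, as an added example that is not part of the original thread: it prints the endpoint counters from the record handed to the handler next to those from a fresh lookup_connection() call, so the difference is visible per DNS transaction. The helper name endpoint_summary is hypothetical, and the connection_exists() guard is an addition, since lookup_connection() raises a run-time error for an unknown connection.

```zeek
# Added example (not from the thread).
# Assumes the default use_conn_size_analyzer=T; without it num_pkts is unset.

# Hypothetical helper: render the byte and packet counters of one endpoint.
function endpoint_summary(e: endpoint): string
    {
    local pkts = e?$num_pkts ? cat(e$num_pkts) : "-";
    return fmt("size=%d pkts=%s", e$size, pkts);
    }

event dns_end(c: connection, msg: dns_msg)
    {
    # Counters as they were when the event was enqueued.
    local queued_orig = endpoint_summary(c$orig);
    local queued_resp = endpoint_summary(c$resp);

    # Skip the refresh if the connection is no longer tracked.
    if ( ! connection_exists(c$id) )
        {
        print fmt("dns_end %s trans_id=%d: connection gone, queued orig[%s] resp[%s]",
                  cat(c$id), msg$id, queued_orig, queued_resp);
        return;
        }

    # Fresh record with the counters as of dispatch time.
    local fresh = lookup_connection(c$id);

    print fmt("dns_end %s trans_id=%d", cat(c$id), msg$id);
    print fmt("  queued : orig[%s] resp[%s]", queued_orig, queued_resp);
    print fmt("  fresh  : orig[%s] resp[%s]",
              endpoint_summary(fresh$orig), endpoint_summary(fresh$resp));
    }
```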