I am trying to use Bro to count DNS rcodes, but it is returning numbers that are not correct. I am using the dns_message() event to collect the DNS messages, and I am using a pcap of 5000 packets that are all on port 53. After inspecting the packets in wireshark, I found that there were ~600 query results where rcode == 3. However, after running my script, not only did Bro only find 1 rcode == 3, but it only counted 2497 DNS messages. Is there something that I am missing?
Attached is the script that I am using to collect the rcodes. If you see some glaring logical error, please let me know.
Thanks,
Connar Rosebraugh
Intern, Security Operations
NICUSA, Inc.
test.bro.txt (6.79 KB)
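The attached script is not reproduced on the page, so here is an added example (not the poster's test.bro) of a minimal Bro script that tallies DNS rcodes from dns_message(). The module name, the global variable names and the output format are assumptions made for illustration; the event signature, the dns_msg fields (QR, rcode) and bro_done() are the real Bro API. One check worth building in: dns_message() fires for every DNS message in both directions, and a query always carries rcode 0, so the rcode should only be tallied on replies (QR set), otherwise the zero bucket absorbs half the messages and non-zero rcodes look rarer than they are.

```zeek
# rcode_count.bro: added example, not the poster's attached test.bro.
# Run offline against a capture with:  bro -r dns.pcap rcode_count.bro
module RcodeCount;

export {
    ## Tally of rcodes seen in DNS replies, keyed by the numeric rcode
    ## (0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN, 5 = REFUSED).
    global rcodes: table[count] of count &default=0;

    ## Message counts split by direction, so the reply count can be compared
    ## against what Wireshark reports for the same capture.
    global n_requests: count = 0;
    global n_replies: count = 0;
}

# dns_message is raised once per DNS message the analyzer parses, for both
# queries and replies. msg$QR is the header's QR bit; is_orig tells you
# which side of the connection sent it.
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
    {
    if ( msg$QR )
        {
        ++n_replies;
        # Only replies carry a meaningful rcode; queries always have 0.
        ++rcodes[msg$rcode];
        }
    else
        ++n_requests;
    }

# bro_done runs after the whole pcap has been processed. (In Zeek this event
# is named zeek_done.)
event bro_done()
    {
    print fmt("dns_message events: %d requests, %d replies",
              n_requests, n_replies);
    for ( rc in rcodes )
        print fmt("rcode %d: %d", rc, rcodes[rc]);
    }
```

To cross-check the script against Bro's own DNS parsing rather than against Wireshark, run the pcap with the default scripts (`bro -r dns.pcap`) and count the rcode column of the resulting dns.log, for example with `bro-cut rcode < dns.log | sort | uniq -c`; if dns.log shows the expected number of rcode 3 entries but the custom script does not, the problem is in the script, and if dns.log also undercounts, the DNS analyzer is not seeing those messages.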