Bro and Counting DNS rcodes

I am trying to use Bro to count DNS rcodes, but it is returning numbers that are not correct. I am using the dns_message() event to collect the DNS messages, and I am using a pcap of 5000 packets that are all on port 53. After inspecting the packets in wireshark, I found that there were ~600 query results where rcode == 3. However, after running my script, not only did Bro only find 1 rcode == 3, but it only counted 2497 DNS messages. Is there something that I am missing?

Attached is the script that I am using to collect the rcodes. If you see some glaring logical error, please let me know.


Conner, are you on 2.1? There was a bug that has been fixed in the current code base.

You could also simply summarize the existing dns.log with something like this:

[bro@new-host-3 dns-ad-bruteforce]$ less dns.log | bro-cut rcode rcode_name | sort | uniq -c | sort -n
32 - -
1704 0 NOERROR

The columns are Count / Return Code / Return Code Name.


Liam Randall
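A stand-alone equivalent of the bro-cut pipeline above, added here as an example (not code from the thread or from the Bro project): it reads the dns.log header lines itself, so the column positions are never hard-coded, treats the unset marker ("-") as "no rcode" (which is what a query that never saw a reply produces), and renders the same count / rcode / rcode_name layout. The dns.log excerpt embedded below is constructed for this example, and its #fields line is the standard header abridged to the columns needed here.

```python
"""Count DNS response codes from a Bro/Zeek-style dns.log.

Added example, not from the mailing-list thread. Reproduces
    bro-cut rcode rcode_name | sort | uniq -c | sort -n
in pure Python, driven by the log's own #separator / #fields / #unset_field
header lines rather than fixed column numbers.
"""
from collections import Counter

# Constructed dns.log excerpt (assumption: abridged field list; real logs carry
# many more columns). The last record has no rcode, as for a query without a reply.
SAMPLE_DNS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\trcode\trcode_name
#types\ttime\tstring\taddr\taddr\tstring\tcount\tstring
1357241234.000000\tCAbc1\t10.0.0.5\t10.0.0.53\twww.example.com\t0\tNOERROR
1357241235.000000\tCAbc2\t10.0.0.5\t10.0.0.53\tdoesnotexist.example\t3\tNXDOMAIN
1357241236.000000\tCAbc3\t10.0.0.6\t10.0.0.53\tmail.example.com\t0\tNOERROR
1357241237.000000\tCAbc4\t10.0.0.6\t10.0.0.53\tbadname.example\t3\tNXDOMAIN
1357241238.000000\tCAbc5\t10.0.0.7\t10.0.0.53\tnoreply.example\t-\t-
#close\t2013-01-03-12-00-00
"""


def parse_bro_log(text):
    """Yield one dict per data record, keyed by the names in the #fields header.

    Unset fields (the #unset_field marker, "-" by default) become None so that
    callers can tell "no value" apart from a real value.
    """
    sep = "\t"
    unset = "-"
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator line spells the separator as an escape, e.g. \x09.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            continue  # other header lines (#types, #path, #close, ...) are ignored
        if fields is None:
            raise ValueError("data line encountered before the #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield {name: (None if v == unset else v) for name, v in zip(fields, values)}


def count_rcodes(text):
    """Return a Counter of (rcode, rcode_name) pairs; (None, None) means unset."""
    counts = Counter()
    for rec in parse_bro_log(text):
        counts[(rec["rcode"], rec["rcode_name"])] += 1
    return counts


def format_summary(counts):
    """Render like `uniq -c | sort -n`: ascending count, '-' for unset fields."""
    lines = []
    for (rcode, name), n in sorted(counts.items(), key=lambda kv: (kv[1], str(kv[0]))):
        lines.append(f"{n:7d} {rcode if rcode is not None else '-'} "
                     f"{name if name is not None else '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_summary(count_rcodes(SAMPLE_DNS_LOG))))
```

Point the script at a real dns.log by reading the file into `count_rcodes` instead of `SAMPLE_DNS_LOG`; because it honours the header, it also works on logs with the full field list or a different #unset_field marker.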