DNS state remains uninitialized in dns_message event


I want to capture DNS queries of a pcap but there is an issue with DNS events. The DNS state in the connection record remains uninitialized for my DNS queries.

Here’s how I’m looking at the DNS state information:

event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
  {
  print c;
  }

pcap: http://www.sysnet.org.pk/needo/mix1.pcap
bro-output: http://www.sysnet.org.pk/needo/bro.log

I don't use the dns_message event in the base scripts for DNS, so what is and what is not set when that event fires is currently undefined. Also, I'm a little unsure about what you suspect is unset in the output from your short script?

If you want to look at the data that ends up being inserted into the logs, you can look at it this way...

event DNS::log_dns(rec: DNS::Info)
  {
  print rec;
  }


Thanks for the quick reply. I was trying to read the c$dns record in the dns_message event, which was uninitialized. Since you’ve pointed out that the dns_message event’s behavior is currently undefined, I’ll now be using dns_query_reply and dns_rejected events to look at the DNS queries.
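
Added example, not code from the thread or from the Bro project: a script that handles the query-level events mentioned above and tests the optional c$dns field with ?$ before reading it, so an unset record is reported instead of raising a runtime error. It assumes the base DNS scripts are loaded (the default); the helper name show_dns is hypothetical.

```zeek
# Added example. Assumes base/protocols/dns is loaded, which is what
# attaches the optional c$dns (DNS::Info) record to the connection.

# Hypothetical helper: print the query from the event arguments, then the
# DNS::Info record only if it has been attached to this connection.
function show_dns(kind: string, c: connection, msg: dns_msg, query: string, qtype: count)
	{
	print fmt("%s uid=%s trans_id=%d qtype=%s query=%s rcode=%d",
	          kind, c$uid, msg$id, DNS::query_types[qtype], query, msg$rcode);

	# c$dns is &optional: dereferencing it while unset is a runtime error.
	if ( c?$dns )
		print c$dns;
	else
		print fmt("  c$dns not set when %s fired", kind);
	}

# Fires for each DNS query seen on the wire.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	show_dns("dns_request", c, msg, query, qtype);
	}

# Fires for a reply that carries only the question section.
event dns_query_reply(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	show_dns("dns_query_reply", c, msg, query, qtype);
	}

# Fires for a reply with a non-zero rcode that carries no records.
event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	show_dns("dns_rejected", c, msg, query, qtype);
	}
```

Run it against a capture with `bro -r <pcap> <script>`; the query, type and rcode are taken from the event arguments, so they print whether or not c$dns is set.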