Lots of dns_unmatched_msg, dns_unmatched_reply in weird.log

Lincy_Taylor · January 25, 2017, 8:32am

Hello all:

I recently found lots of “dns_unmatched_msg” and “dns_unmatched_reply” errors in weird.log of Bro, which likes the following:

1485331604.840044 CSdHx91xFbEKdyo3Pi 172.16.185.11 40721 8.8.8.8 53 dns_unmatched_reply - F bro

1485331609.712570 Cw4TXS1DvS49mvRtN4 172.16.185.11 58915 8.8.8.8 53 dns_unmatched_reply - F bro

1485331619.101223 CSdHx91xFbEKdyo3Pi 172.16.185.11 40721 8.8.8.8 53 dns_unmatched_msg - F bro

1485331619.115208 CGwJfm35oSWSuMdVS6 172.16.185.11 50308 8.8.8.8 53 dns_unmatched_reply - F bro

1485331619.115208 Cw4TXS1DvS49mvRtN4 172.16.185.11 58915 8.8.8.8 53 dns_unmatched_msg - F bro

1485331619.115208 CGwJfm35oSWSuMdVS6 172.16.185.11 50308 8.8.8.8 53 dns_unmatched_msg - F bro

I used tcpdump to create a traffic dump of several dns queries made by dig on ubuntu to 8.8.8.8 and analyzed by “bro -r”, the errors are still there in weird.log. The errors seems to be related to an unmatch of query id of query and response messages according to snippet in “share/bro/base/protocols/dns/main.bro”. But I found the query ids are consistent with each of DNS query and response by tracing the traffic dump in wireshark.

Has anyone experienced the same issue before?

I attached the log files and pcap file within this message, please help me to find out the root cause. Thank you!

dns_8.8.8.8.pcap (796 Bytes)

dns.log (1 KB)

weird.log (939 Bytes)

James_inthe_box · January 25, 2017, 12:05pm

Make sure you set your local net to include the 172 net. As a test on the pcap I ran:

bro -C -r pcaps/dns_8.8.8.8.pcap local “Site::local_nets += { 172.16.0.0/12 }”

This gets me conn and dns, but no weird log.

James

Lincy_Taylor · January 26, 2017, 1:23am

Hello James,

I finally found the root cause with your provided parameters running bro. The error was due to the offloading of checksumming to adapter on my local system while the traffic was captured, which is already mentioned on bro’s website[1]. So many thanks for your help!

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums

Lincy

James_inthe_box · January 26, 2017, 4:14pm

Glad you found the source of the issue...nice work!

James

Topic		Replies	Views
DNS Unmatched msg/reply Zeek	3	117	May 6, 2022
Lying about DNS yields interesting bro entries Zeek	12	122	May 6, 2022
unmatched_HTTP_reply in weird.log Zeek	2	107	May 6, 2022
Lot of weird log entries like DNS_RR_unknown_type Zeek	2	66	May 6, 2022
meaning of those message in weird.log Zeek	2	261	May 6, 2022

Lots of dns_unmatched_msg, dns_unmatched_reply in weird.log

Related topics