Zeek/Bro DNS log missing type

Hi all,

I am using Zeek to run a PCAP and then parsing/processing the generated logs to make sense of the traffic.
The issue I’m having is with the DNS parser. It is not always producing what I’m expecting it to.
In particular, it doesn’t always parse the type from the DNS traffic PCAP, which is one of the markers my code looks for.

If I look using Wireshark with the same PCAP I see that the type “A” is present, as I would expect it to be.
However, the resulting Zeek dns.log is missing that field in particular.
I need Zeek to parse this type field out so I know to look into the domain visited to make sure it is legitimate.

Are there any known issues with the DNS parser, or any known solutions to this particular problem?
Here is an example generated by navigating to a webpage
1565970799.068532 CK9bYM3SGJHwpPNW12 19024 53 udp 10896 - rl.ammyy.com - - - - 0 NOERROR F F F T 0 278.000000 F

To the best of my understanding, the field which is marked empty "-", 2 fields prior to NOERROR field should be "A".
This works for other instances of traffic I can find in PCAPs from the internet, but not from the ones generated by me capturing local traffic while navigating to the website.

Thank you!

P.S. if I left out any important information please let me know so I can include it, I’m still new to the IDS

Is the checksum correct on your query packet?


The checksum was indeed off, adding -C to the options when running the packet has corrected this behavior.
I'm now seeing the "A" I expected in the output dns log file.
Thank you very much for your swift and pointed response.

Have a great day.

Nothing comes to mind. It's easiest to investigate further if you can
share an example pcap that reproduces the unexpected behavior.

- Jon
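The diagnosis in this thread comes down to one check: Zeek validates the UDP checksum before handing a packet to the DNS analyzer, and a capture taken on the sending host with checksum offloading enabled often carries a wrong checksum on the outgoing query, so the query is dropped (unless Zeek runs with -C, or with `redef ignore_checksums = T;`) and the logged transaction has no qtype. The script below is an added example, not code from the thread or from Zeek: it re-implements that RFC 768 checksum check on a constructed DNS query, and it parses a constructed dns.log excerpt by its #fields header rather than by column position to report records with an empty qtype_name. All function names, the sample addresses, uids and log records are made up here.

```python
"""Added example (not Zeek's code): verify a UDP checksum the way Zeek does,
and find dns.log records whose qtype_name is empty."""
import struct

# --- 1. UDP checksum over the IPv4 pseudo-header (RFC 768) -------------------

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """Recompute the checksum of a UDP segment, ignoring the value it carries."""
    pseudo_header = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = 0xFFFF & ~ones_complement_sum(pseudo_header + zeroed)
    return csum or 0xFFFF  # a computed 0 is transmitted as 0xFFFF

def udp_checksum_ok(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> bool:
    stored = struct.unpack("!H", udp_segment[6:8])[0]
    if stored == 0:
        return True  # IPv4 UDP may omit the checksum; only a mismatch is "bad"
    return udp_checksum(src_ip, dst_ip, udp_segment) == stored

def dns_query(name: str, qtype: int = 1, txid: int = 0x2A90) -> bytes:
    """Minimal DNS query: RD set, one question, QTYPE A (1) / QCLASS IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def udp_segment(sport: int, dport: int, payload: bytes, checksum: int = 0) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), checksum) + payload

# Constructed private addresses; not taken from the thread.
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([10, 0, 0, 1])

def build_example_packets():
    """Return (good, bad): one DNS query with a correct checksum and the same
    query with a bogus one, as left behind by a NIC doing checksum offload."""
    payload = dns_query("example.com")
    good_csum = udp_checksum(SRC_IP, DST_IP, udp_segment(19024, 53, payload))
    bad_csum = 0xDEAD if good_csum != 0xDEAD else 0xBEEF
    return (udp_segment(19024, 53, payload, good_csum),
            udp_segment(19024, 53, payload, bad_csum))

# --- 2. dns.log parsed by its #fields header --------------------------------

# Default Zeek dns.log columns; records below are constructed. The first one
# mirrors the symptom in this thread (query logged, qtype/qtype_name empty).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name",
          "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected"]
RECORDS = [
    ["1565970799.068532", "Cx1MissingQtype000", "10.0.0.5", "19024", "10.0.0.1", "53",
     "udp", "10896", "-", "rl.ammyy.com", "-", "-", "-", "-", "0", "NOERROR",
     "F", "F", "F", "T", "0", "-", "278.000000", "F"],
    ["1565970801.118010", "Cx2Complete0000000", "10.0.0.5", "52114", "10.0.0.1", "53",
     "udp", "4431", "0.012345", "example.com", "1", "C_INTERNET", "1", "A", "0", "NOERROR",
     "F", "F", "T", "T", "0", "93.184.216.34", "3600.000000", "F"],
]
DNS_LOG = ("#fields\t" + "\t".join(FIELDS) + "\n"
           + "\n".join("\t".join(r) for r in RECORDS) + "\n")

def parse_dns_log(text: str):
    """Return one dict per record, keyed by the names in the #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("record before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def queries_missing_qtype(rows):
    """uids of records where Zeek never saw a parsable query (qtype_name is '-')."""
    return [row["uid"] for row in rows if row.get("qtype_name", "-") == "-"]

if __name__ == "__main__":
    good, bad = build_example_packets()
    print("good checksum accepted:", udp_checksum_ok(SRC_IP, DST_IP, good))
    print("bad checksum accepted: ", udp_checksum_ok(SRC_IP, DST_IP, bad))
    print("uids missing qtype_name:", queries_missing_qtype(parse_dns_log(DNS_LOG)))
```

Parsing by the #fields header rather than counting columns back from NOERROR keeps the downstream code working when a site adds or reorders dns.log fields, and when a record turns up with qtype_name empty but a query present, the UDP checksum of the query packet in the original pcap is the first thing to verify before suspecting the DNS parser.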