Project

General

Profile

Actions

Feature #2970

closed

DNS: Parse and extract SOA app layer data from DNS packets

Added by Konstantin Klinger over 5 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:
Protocol

Description

At the moment the DNS parser gives you "SOA" as rrtype, but the related metadata of those SOA records/DNS packets are missing. In the attached pcap you can find the current output.

I would expect something like this (equivalent to the content in Wireshark output):
Answers
suricon.net: type SOA, class IN, mname ns1.siteground199.com
Name: suricon.net
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 21599
Data length: 50
Primary name server: ns1.siteground199.com
Responsible authority's mailbox: root.siteground199.com
Serial Number: 2018092604
Refresh Interval: 86400 (1 day)
Retry Interval: 7200 (2 hours)
Expire limit: 3600000 (41 days, 16 hours)
Minimum TTL: 86400 (1 day)


Files

soa_record_eve.json (5.54 KB) soa_record_eve.json eve json output for processing the pcap Konstantin Klinger, 05/07/2019 11:27 AM
soa_record.pcap (719 Bytes) soa_record.pcap pcap with three SOA record queries and answers Konstantin Klinger, 05/07/2019 11:27 AM
Actions

Also available in: Atom PDF