Mismatch between ECS and Packetbeat 7.1.5 on some fields

There is a mismatch in the following fields between ECS and Packetbeat 7.1.5:

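  • dns.answers.ttl (emitted as a string by Packetbeat, e.g. "ttl": "30" in the event below; defined as long in the ECS documentation)
  • dns.id (emitted as an integer by Packetbeat, e.g. "id": 62768 in the event below; defined as keyword, i.e. a string, in the ECS documentation)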

Is this a bug in Packetbeat, where it is not casting these fields to the right type, or is it a typo in the documentation?

ECS Documentation

DNS message from Packetbeat 7.1.5 (the event itself reports agent.version 7.15.0 and ecs.version 1.11.0):

{
  "@timestamp": "2021-10-13T14:18:17.105Z",
  "@metadata": {
    "beat": "packetbeat",
    "type": "_doc",
    "version": "7.15.0"
  },
  "query": "class IN, type A, play.google.com",
  "host": {
    "name": "Machine"
  },
  "ecs": {
    "version": "1.11.0"
  },
  "status": "OK",
  "source": {
    "ip": "192.168.4.2",
    "port": 61028,
    "bytes": 33
  },
  "related": {
    "ip": [
      "192.168.4.2",
      "192.168.4.1",
      "142.250.200.110"
    ]
  },
  "agent": {
    "ephemeral_id": "a4cdaaf2-6c72-4985-844a-517dab463566",
    "id": "539af376-bd61-4017-b586-6a37f6fa20e5",
    "name": "Machine",
    "type": "packetbeat",
    "version": "7.15.0",
    "hostname": "Machine"
  },
  "resource": "play.google.com",
  "network": {
    "transport": "udp",
    "protocol": "dns",
    "direction": "egress",
    "community_id": "1:FykPgBbQuustlQP2hoJrHU6Ie9I=",
    "bytes": 82,
    "type": "ipv4"
  },
  "method": "QUERY",
  "server": {
    "ip": "192.168.4.1",
    "port": 53,
    "bytes": 49
  },
  "event": {
    "start": "2021-10-13T14:18:17.105Z",
    "end": "2021-10-13T14:18:17.114Z",
    "category": [
      "network_traffic",
      "network"
    ],
    "type": [
      "connection",
      "protocol"
    ],
    "kind": "event",
    "dataset": "dns",
    "duration": 8943000
  },
  "type": "dns",
  "dns": {
    "op_code": "QUERY",
    "response_code": "NOERROR",
    "answers_count": 1,
    "answers": [
      {
        "name": "play.google.com",
        "type": "A",
        "class": "IN",
        "ttl": "30",
        "data": "142.250.200.110"
      }
    ],
    "type": "answer",
    "id": 62768,
    "additionals_count": 0,
    "flags": {
      "recursion_available": true,
      "authentic_data": false,
      "checking_disabled": false,
      "authoritative": false,
      "truncated_response": false,
      "recursion_desired": true
    },
    "header_flags": [
      "RD",
      "RA"
    ],
    "question": {
      "subdomain": "play",
      "name": "play.google.com",
      "type": "A",
      "class": "IN",
      "etld_plus_one": "google.com",
      "registered_domain": "google.com",
      "top_level_domain": "com"
    },
    "resolved_ip": [
      "142.250.200.110"
    ],
    "authorities_count": 0
  },
  "client": {
    "port": 61028,
    "bytes": 33,
    "ip": "192.168.4.2"
  },
  "destination": {
    "ip": "192.168.4.1",
    "port": 53,
    "bytes": 49
  }
}

Steps to reproduce:
1 - Install packetbeat 7.1.5
2 - Create packetbeat.yml from packetbeat.reference.yml, enabling the console output and commenting out the Elasticsearch output
3 - Make a DNS request
