Found a weird etld+1 value in Packetbeat dns data:
Seems not normal to create this field for an ip?
"question": {
  "name": "127.0.0.1:5432",
  "type": "A",
  "class": "IN",
  "etld_plus_one": "0.1:5432"
},
Hello, thanks for posting the packetbeat question. It looks like dns.question.name is incorrect, which causes dns.question.etld_plus_one to be incorrect. Which version of packetbeat are you running? Do you see this same behavior on all your packetbeat deployments? Are you able to resolve host names to IP fine in this environment?
Hello Michael,
Packetbeat version: 7.3.2. I'm not seeing this on other packetbeat dns data. This is on my home lab, dns is my ips's dns servers. Working on some other issues atm. Just thought I'd let you know. Maybe it only happens on 127.0.0.1? Anyway the etld_plus_one is definitely incorrect and should not contain half an ip address and a port.
Tx
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
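An added example, not part of the thread and not Packetbeat's code: under the Public Suffix List algorithm, a name whose last label matches no listed suffix falls back to the default rule `*`, so eTLD+1 becomes the last two labels, which yields exactly `0.1:5432` for the name above. The sketch reproduces that fallback and shows a check for question names that cannot be registrable hostnames; the function names are hypothetical, and that this fallback is what produced the value in 7.3.2 is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// defaultRuleETLDPlusOne applies only the PSL fallback rule "*" (used when no
// listed suffix matches): the last label is treated as the suffix, so eTLD+1
// is the last two labels. No real suffix list is consulted (simplification).
func defaultRuleETLDPlusOne(name string) string {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	if len(labels) < 2 {
		return ""
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// questionNameProblem returns a non-empty reason when name cannot be a
// registrable hostname, in which case etld_plus_one should not be trusted.
func questionNameProblem(name string) string {
	host := strings.TrimSuffix(name, ".")
	if net.ParseIP(host) != nil {
		return "ip-literal"
	}
	if h, _, err := net.SplitHostPort(host); err == nil {
		if net.ParseIP(h) != nil {
			return "ip-literal-with-port"
		}
		return "host-with-port"
	}
	if strings.ContainsAny(host, ":/ ") {
		return "invalid-character"
	}
	return ""
}

func main() {
	// Constructed sample names; the first is the one from the post.
	for _, n := range []string{"127.0.0.1:5432", "127.0.0.1", "db.example.com:5432", "www.example.com"} {
		fmt.Printf("%-22s fallback eTLD+1=%-18q problem=%q\n",
			n, defaultRuleETLDPlusOne(n), questionNameProblem(n))
	}
}
```

When filtering or aggregating on `dns.question.etld_plus_one`, events whose `dns.question.name` fails a check like this are better excluded or bucketed separately.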