Weird etdl+1

willemdh · September 21, 2019, 12:48pm

Found a weird etdl+1 value in Packetbeat dns data:

Seems not normal to create this field for an ip?

"question": {
  "name": "127.0.0.1:5432",
  "type": "A",
  "class": "IN",
  "etld_plus_one": "0.1:5432"
},

Michael_Madden · September 23, 2019, 4:59pm

Hello, thanks for posting the packetbeat question. It looks like dns.question.name is incorrect which causes dns.question.etld_plus_one to be incorrect. Which version of packetbeat are you running? Do you see this same behavior on all your packetbeat deployments? Are you able to resolve host names to IP fine in this environment?

willemdh · September 23, 2019, 5:07pm

Hello Michael,

Packetbeat version: 7.3.2, I'm not seeing this on other packetbeat dns data.. This is on my home lab, dns is my ips's dns servers.. Working on some other issues atm. Just thought I'd let you know. Maybe it only happens on 127.0.0.1? Anyway the etdl_plus_one is definitely incorrect and should not contain half an ip address and a port.

Tx

system · October 21, 2019, 5:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.