Weird etdl+1

willemdh · September 21, 2019, 12:48pm

Found a weird etdl+1 value in Packetbeat dns data:

Seems not normal to create this field for an ip?

"question": {
  "name": "127.0.0.1:5432",
  "type": "A",
  "class": "IN",
  "etld_plus_one": "0.1:5432"
},

Michael_Madden · September 23, 2019, 4:59pm

Hello, thanks for posting the packetbeat question. It looks like dns.question.name is incorrect which causes dns.question.etld_plus_one to be incorrect. Which version of packetbeat are you running? Do you see this same behavior on all your packetbeat deployments? Are you able to resolve host names to IP fine in this environment?

willemdh · September 23, 2019, 5:07pm

Hello Michael,

Packetbeat version: 7.3.2, I'm not seeing this on other packetbeat dns data.. This is on my home lab, dns is my ips's dns servers.. Working on some other issues atm. Just thought I'd let you know. Maybe it only happens on 127.0.0.1? Anyway the etdl_plus_one is definitely incorrect and should not contain half an ip address and a port.

Tx

system · October 21, 2019, 5:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
eTLD+1 seems to be eTLD+2 in some cases Beats packetbeat	4	565	December 14, 2020
Testing DNS Performance Beats packetbeat	1	384	July 6, 2022
Mismatch between ECS and Packetbeat 7.1.5 on some fields Beats packetbeat	1	339	November 10, 2021
Packet beat Reverse DNS lookup not working properly Beats	2	527	June 26, 2019
Packetbeat Conundrum Beats packetbeat	25	1051	July 4, 2019

Weird etdl+1

Related Topics