Weird etld+1

Found a weird etld+1 value in Packetbeat DNS data:

Seems not normal to create this field for an IP?

"question": {
  "name": "127.0.0.1:5432",
  "type": "A",
  "class": "IN",
  "etld_plus_one": "0.1:5432"
},

Hello, thanks for posting the packetbeat question. It looks like dns.question.name is incorrect which causes dns.question.etld_plus_one to be incorrect. Which version of packetbeat are you running? Do you see this same behavior on all your packetbeat deployments? Are you able to resolve host names to IP fine in this environment?

Hello Michael,

Packetbeat version: 7.3.2. I'm not seeing this on other Packetbeat DNS data. This is on my home lab, DNS is my ips's DNS servers. Working on some other issues atm. Just thought I'd let you know. Maybe it only happens on 127.0.0.1? Anyway, the etld_plus_one is definitely incorrect and should not contain half an IP address and a port.

Tx
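
A data-quality check for the symptom discussed in this thread, as an added example that is not part of the original posts or of Packetbeat's own code: it flags DNS events whose question name is an IP literal or carries a port, so any etld_plus_one on them cannot be trusted. The function names and every sample event except the one quoted above are constructed for illustration; the dns.question nesting follows the field names mentioned in the reply.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; underscore allowed for names like _dmarc.example.com.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9_-]{1,63}(?<!-)")

def _is_ip(text):
    try:
        ipaddress.ip_address(text.strip("[]"))  # accepts 127.0.0.1, ::1 and [::1]
        return True
    except ValueError:
        return False

def question_name_issue(name):
    """Return why `name` is not a usable domain name, or None if it looks fine."""
    if name == ".":                      # root queries are legitimate
        return None
    host = name.rstrip(".")
    if _is_ip(host):
        return "ip_literal"
    head, sep, port = host.rpartition(":")
    if sep and port.isdigit():           # the case in this thread: 127.0.0.1:5432
        return "ip_with_port" if _is_ip(head) else "host_with_port"
    labels = host.split(".")
    if not host or len(host) > 253 or not all(_LABEL.fullmatch(l) for l in labels):
        return "invalid_label"
    return None

def audit(events):
    """Return (name, etld_plus_one, reason) for events whose eTLD+1 cannot be trusted."""
    findings = []
    for ev in events:
        q = ev.get("dns", {}).get("question", {})
        reason = question_name_issue(q.get("name", ""))
        if reason and "etld_plus_one" in q:
            findings.append((q["name"], q["etld_plus_one"], reason))
    return findings

# First event is the one quoted in the thread; the rest are constructed samples.
SAMPLE_EVENTS = [
    {"dns": {"question": {"name": "127.0.0.1:5432", "type": "A", "etld_plus_one": "0.1:5432"}}},
    {"dns": {"question": {"name": "www.example.co.uk", "type": "A", "etld_plus_one": "example.co.uk"}}},
    {"dns": {"question": {"name": "1.0.0.127.in-addr.arpa", "type": "PTR", "etld_plus_one": "in-addr.arpa"}}},
    {"dns": {"question": {"name": "10.0.0.5", "type": "A", "etld_plus_one": "0.5"}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```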
