Description

Although it'll likely be pretty noisy, extracting DNS traffic is obviously something we want to do, as DNS is an easy way to inadvertently leak information.

I think a single report will probably be sufficient, similar to webtraffic.csv, containing:
- Epoch
- Src IP (v4)
- Dest IP (v4)
- Src IP (v6)
- Dest IP (v6)
- Src Port
- Dest Port
- Proto (TCP/UDP)
- Query/Response (dns.flags.response)
- Opcode (dns.flags.opcode)
- Authoritative (dns.flags.authoritative)
- Truncated (dns.flags.truncated)
- Recursion Desired (dns.flags.recdesired)
- Recursion available (dns.flags.recavail)
- Z (dns.flags.z)
- Answer Authenticated (dns.flags.authenticated)
- Non-authd data (dns.flags.checkdisable)
- Reply Code (dns.flags.rcode)
- Questions (dns.count.queries)
- Name (dns.qry.name)
- Type (dns.qry.type)
- Class (dns.qry.class)
- Response Name (dns.resp.name)
- Response Type (dns.resp.type)
- Response Class (dns.resp.class)
- Response TTL (dns.resp.ttl)
- Response address (dns.resp.addr)
This might well be overkill, but it allows filtering on a wide range of query properties, including spotting clients that go direct to authoritative nameservers instead of through the site resolvers.
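As an added example (not part of this issue or the project's code), the following Python builds the tshark extraction for the field list above and then runs the "direct to authoritative nameserver" filter over the resulting CSV. The dns.* field names are the ones listed in the issue; the frame.time_epoch, ip/ipv6 and port fields, the tshark options, the resolver set and the sample rows are assumptions constructed for the example. Proto is derived from whether the TCP or UDP port columns are populated rather than extracted as its own field.

```python
"""Build the tshark extraction for the DNS report and filter its CSV output
for hosts bypassing the recursive resolvers. Example code; the sample rows
are constructed, not captured traffic."""
import csv
import io
import shlex

# Field names from the issue's list; the frame/ip/port columns are assumptions.
FIELDS = [
    "frame.time_epoch",                                   # Epoch
    "ip.src", "ip.dst", "ipv6.src", "ipv6.dst",           # addresses
    "tcp.srcport", "tcp.dstport", "udp.srcport", "udp.dstport",
    "dns.flags.response", "dns.flags.opcode", "dns.flags.authoritative",
    "dns.flags.truncated", "dns.flags.recdesired", "dns.flags.recavail",
    "dns.flags.z", "dns.flags.authenticated", "dns.flags.checkdisable",
    "dns.flags.rcode", "dns.count.queries",
    "dns.qry.name", "dns.qry.type", "dns.qry.class",
    "dns.resp.name", "dns.resp.type", "dns.resp.class", "dns.resp.ttl",
    "dns.resp.addr",
]


def tshark_command(pcap, out="dnstraffic.csv"):
    """Shell command that writes the report for one pcap (assumed layout).
    occurrence=a with aggregator=; keeps every RR of a multi-answer
    response in one cell instead of silently dropping all but the first."""
    args = ["tshark", "-r", pcap, "-Y", "dns", "-T", "fields",
            "-E", "header=y", "-E", "separator=,", "-E", "quote=d",
            "-E", "occurrence=a", "-E", "aggregator=;"]
    for field in FIELDS:
        args += ["-e", field]
    return shlex.join(args) + " > " + shlex.quote(out)


def _flag(value):
    # tshark prints boolean fields as 1/0 (older) or True/False (newer)
    return value.strip().lower() in ("1", "true")


def load_report(text):
    """Parse the CSV and add derived Proto/src/dst columns: a DNS packet
    carries either TCP or UDP ports, and either IPv4 or IPv6 addresses."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["proto"] = "TCP" if row.get("tcp.srcport") else "UDP"
        row["src"] = row.get("ip.src") or row.get("ipv6.src")
        row["dst"] = row.get("ip.dst") or row.get("ipv6.dst")
        rows.append(row)
    return rows


def direct_to_authoritative(rows, resolvers):
    """Rows showing a host bypassing the site resolvers: a query sent to
    anything outside `resolvers`, or a response with the AA bit set from a
    server outside it (a caching resolver answers with AA clear)."""
    hits = []
    for row in rows:
        if _flag(row["dns.flags.response"]):
            if _flag(row["dns.flags.authoritative"]) and row["src"] not in resolvers:
                hits.append((row["src"], row["dns.qry.name"], "AA response from non-resolver"))
        elif row["dst"] not in resolvers:
            hits.append((row["dst"], row["dns.qry.name"], "query sent to non-resolver"))
    return hits


def _row(**values):
    # Order a sparse dict of field values into a full CSV row
    return [values.get(f, "") for f in FIELDS]


def sample_report():
    """Constructed sample: one query/response pair via the site resolver
    (10.0.0.2), then one query sent straight to an authoritative server
    (198.51.100.53, documentation range) and its AA=1 answer over TCP."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(FIELDS)
    w.writerow(_row(**{"frame.time_epoch": "1700000000.10", "ip.src": "10.0.0.5",
                       "ip.dst": "10.0.0.2", "udp.srcport": "51000", "udp.dstport": "53",
                       "dns.flags.response": "0", "dns.flags.recdesired": "1",
                       "dns.qry.name": "example.com", "dns.qry.type": "1"}))
    w.writerow(_row(**{"frame.time_epoch": "1700000000.12", "ip.src": "10.0.0.2",
                       "ip.dst": "10.0.0.5", "udp.srcport": "53", "udp.dstport": "51000",
                       "dns.flags.response": "1", "dns.flags.authoritative": "0",
                       "dns.flags.recavail": "1", "dns.qry.name": "example.com",
                       "dns.resp.name": "example.com", "dns.resp.addr": "203.0.113.10"}))
    w.writerow(_row(**{"frame.time_epoch": "1700000001.00", "ip.src": "10.0.0.7",
                       "ip.dst": "198.51.100.53", "tcp.srcport": "40000", "tcp.dstport": "53",
                       "dns.flags.response": "0", "dns.flags.recdesired": "0",
                       "dns.qry.name": "internal.example", "dns.qry.type": "16"}))
    w.writerow(_row(**{"frame.time_epoch": "1700000001.05", "ip.src": "198.51.100.53",
                       "ip.dst": "10.0.0.7", "tcp.srcport": "53", "tcp.dstport": "40000",
                       "dns.flags.response": "1", "dns.flags.authoritative": "1",
                       "dns.qry.name": "internal.example", "dns.resp.name": "internal.example"}))
    return buf.getvalue()


if __name__ == "__main__":
    print(tshark_command("capture.pcap"))
    for hit in direct_to_authoritative(load_report(sample_report()), {"10.0.0.2"}):
        print(hit)
```

Run `tshark_command()` to see the exact extraction line, and feed the real dnstraffic.csv to `load_report()` with the site's resolver addresses in place of 10.0.0.2; on the constructed sample only the two rows involving 198.51.100.53 are reported.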