PAS-13: Extract DNS Traffic



Issue Information

Issue Type: New Feature
 
Priority: Major
Status: Open

Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Unresolved
Affects Version: 0.1
Target version: 0.1
Components: DNS
Labels: DNS

Created: 2015-11-26 00:40:00
Time Spent Working
Estimated: 40 minutes
Remaining: 40 minutes
Logged: 0 minutes


Description
Although it'll likely be pretty noisy, extracting DNS traffic is obviously something we want to do (as it's an easy way to inadvertently leak information).

I think a single report will probably be sufficient, similar to webtraffic.csv, containing

- Epoch
- Src IP (v4)
- Dest IP (v4)
- Src IP (v6)
- Dest IP (v6)
- Src Port
- Dest Port
- Proto (TCP/UDP)
- Query/Response (dns.flags.response)
- Opcode (dns.flags.opcode)
- Authoritative (dns.flags.authoritative)
- Truncated (dns.flags.truncated)
- Recursion Desired (dns.flags.recdesired)
- Recursion available (dns.flags.recavail)
- Z (dns.flags.z)
- Answer Authenticated (dns.flags.authenticated)
- Non-authd data (dns.flags.checkdisable)
- Reply Code (dns.flags.rcode)
- Questions (dns.count.queries)
- Name (dns.qry.name)
- Type (dns.qry.type)
- Class (dns.qry.class)
- Response Name (dns.resp.name)
- Response Type (dns.resp.type)
- Response Class (dns.resp.class)
- Response TTL (dns.resp.ttl)
- Response address (dns.resp.addr)

Which might well be overkill, but allows filtering of various queries, including going direct to authoritative nameservers.
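One way to consume the report this ticket describes, as an added example that is not part of PAS: it loads a dns.csv carrying a subset of the columns above (tshark field names as headers, which is an assumption, as are the sample rows and the resolver list) and pulls out the queries that bypass the site's resolvers, the "direct to authoritative nameservers" case mentioned.

```python
"""Filter a PAS-13 style DNS report for queries that bypass the site's resolvers.

Added example, not PAS code. The header names, sample rows and resolver list
are assumptions; only a subset of the fields listed in the ticket is used.
"""
import csv
import io
from collections import Counter

# Constructed sample report (TEST-NET addresses), one row per DNS packet.
# 203.0.113.53 plays an external authoritative nameserver.
SAMPLE_DNS_CSV = """\
frame.time_epoch,ip.src,ip.dst,udp.srcport,udp.dstport,dns.flags.response,dns.flags.recdesired,dns.flags.authoritative,dns.qry.name,dns.qry.type,dns.resp.addr
1448497200.10,192.168.1.20,192.168.1.1,53124,53,0,1,0,www.example.com,1,
1448497200.15,192.168.1.1,192.168.1.20,53,53124,1,1,0,www.example.com,1,192.0.2.10
1448497201.02,192.168.1.20,203.0.113.53,40211,53,0,0,0,example.com,16,
1448497201.08,203.0.113.53,192.168.1.20,53,40211,1,0,1,example.com,16,
1448497202.33,192.168.1.20,192.168.1.1,53125,53,0,1,0,mail.example.com,15,
"""

# Assumption: the only recursive resolvers clients on this network should talk to.
SITE_RESOLVERS = {"192.168.1.1"}


def load_report(text):
    """Parse the CSV into one dict per row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def direct_queries(rows, resolvers=SITE_RESOLVERS):
    """Queries (dns.flags.response == 0) sent anywhere but a permitted resolver.

    A client asking an authoritative server directly usually also clears
    Recursion Desired, so that flag is kept in the row for corroboration.
    """
    return [r for r in rows
            if r["dns.flags.response"] == "0" and r["ip.dst"] not in resolvers]


def query_volume(rows):
    """Queries per client, a quick gauge of how noisy the report will be."""
    return Counter(r["ip.src"] for r in rows if r["dns.flags.response"] == "0")


if __name__ == "__main__":
    report = load_report(SAMPLE_DNS_CSV)
    for hit in direct_queries(report):
        print(f"{hit['frame.time_epoch']} {hit['ip.src']} -> {hit['ip.dst']} "
              f"{hit['dns.qry.name']} type={hit['dns.qry.type']} rd={hit['dns.flags.recdesired']}")
    print(dict(query_volume(report)))
```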


Issue Links


Activity