From 317375d64911bad4fc19979b3779a55f92a9c216 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz
Date: Mon, 29 Sep 2025 15:58:48 -0700
Subject: [PATCH] fixup! Add opcode/opcode_name to DNS log record
---
 scripts/base/protocols/dns/consts.zeek | 20 ++++++++++++--------
 scripts/base/protocols/dns/main.zeek | 5 +----
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/scripts/base/protocols/dns/consts.zeek b/scripts/base/protocols/dns/consts.zeek
index 59cb77b660..32f7aa8934 100644
--- a/scripts/base/protocols/dns/consts.zeek
+++ b/scripts/base/protocols/dns/consts.zeek
@@ -195,10 +195,7 @@ export {
 [6] = "ipv6hint",
 } &default = function(n: count): string { return fmt("key-%d", n); };
- ## Mapping of DNS operation type codes to human readable string
- ## representation. The NetBIOS opcodes overlap the standard opcodes,
- ## hence putting the string versions at invalid values to make lookups
- ## possible.
+ ## Mapping of DNS operation type codes to human readable string representation.
 const opcodes = {
 [0] = "query",
 [1] = "iquery",
@@ -206,9 +203,16 @@ export {
 [4] = "notify",
 [5] = "dynamic-update",
 [6] = "dso",
- [0xFFFF5] = "netbios-registration",
- [0xFFFF6] = "netbios-release",
- [0xFFFF7] = "netbios-wack",
- [0xFFFF8] = "netbios-refresh",
 } &default = function(n: count): string { return fmt("opcode-%d", n); };
+
+ ## Mapping of DNS operation type codes to human readable string representation for
+ ## NetBIOS Name Service (NBNS) queries. These codes are defined in
+ ## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1
+ const netbios_opcodes = {
+ [0] = "netbios-query",
+ [5] = "netbios-registration",
+ [6] = "netbios-release",
+ [7] = "netbios-wack",
+ [8] = "netbios-refresh",
+ } &default = function(n: count): string { return fmt("netbios-opcode-%d", n); };
 }
diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek
index 51453cb840..f39ec925b6 100644
--- a/scripts/base/protocols/dns/main.zeek
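Review bot: The doc comment on the new `netbios_opcodes` table in the second consts.zeek hunk does not say that its keys reuse the numbers in `opcodes` with different meanings (5 is `dynamic-update` there and `netbios-registration` here), nor that unlisted codes fall through to the `netbios-opcode-%d` default. Anyone writing a detection against the DNS log needs both facts to read an `opcode_name` value correctly. I would add one line to the comment, for example `## Keys overlap with opcodes; unlisted codes are rendered as "netbios-opcode-<n>".` The `export` block that holds this table opens above the hunk.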
+++ b/scripts/base/protocols/dns/main.zeek
@@ -350,10 +350,7 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 c$dns$opcode = msg$opcode;
 if ( msg$is_netbios )
- if ( msg$opcode >= 5 )
- c$dns$opcode_name = opcodes[msg$opcode + 0xFFFF];
- else
- c$dns$opcode_name = fmt("netbios-%s", opcodes[msg$opcode]);
+ c$dns$opcode_name = netbios_opcodes[msg$opcode];
 else
 c$dns$opcode_name = opcodes[msg$opcode];
 }
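Review bot: `c$dns$opcode` is assigned the raw `msg$opcode` before the `is_netbios` branch, so the numeric field records the same value for a DNS dynamic update and an NBNS registration, and only `opcode_name` separates them. A filter or detection keyed on the number alone would therefore mix the two protocols. A short comment above the branch would make that explicit, for example `# NBNS reuses DNS opcode numbers with different meanings; opcode_name is the unambiguous field.` The body of `set_session` starts above the hunk, so whether the record field's own documentation already covers this cannot be seen from here.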