test suite baseline updates for "-a xform" alternative / AST transformation

This commit is contained in:
Vern Paxson 2021-06-01 14:14:19 -07:00
parent d8213246ea
commit 9ab43ebe28
38 changed files with 703 additions and 522 deletions


@ -0,0 +1,39 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
set1, {
1
}
set2, {
[2, two]
}
setvector, {
[one, two]
}
setrecord, {
[a=97, b=B]
}
setfunction, {
foo
print foo;
}
setpattern, {
/^?(foobar)$?/
}
table1, {
[1] = t1
}
table2, {
[2, two] = t2
}
tablevector, {
[[one, two]] = tvec
}
tablerecord, {
[[a=97, b=B]] = trec
}
tablefunction, {
[foo
print foo;] = tfunc
}
tablepattern, {
[/^?(foobar)$?/] = tpat
}


@ -1,6 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/create-failure.zeek, line 63: Failed to attach master store backend_failure: (Broker::create_master(../fail, Broker::SQLITE, <internal>::#1)) error in <...>/create-failure.zeek, line 63: Failed to attach master store backend_failure: (Broker::create_master(../fail, Broker::SQLITE, <internal>::#0))
error in <...>/create-failure.zeek, line 63: Could not create Broker master store '../fail' (Broker::create_master(../fail, Broker::SQLITE, <internal>::#1)) error in <...>/create-failure.zeek, line 63: Could not create Broker master store '../fail' (Broker::create_master(../fail, Broker::SQLITE, <internal>::#0))
error in <...>/create-failure.zeek, line 49: invalid Broker store handle (Broker::keys(s) and broker::store::{}) error in <...>/create-failure.zeek, line 49: invalid Broker store handle (Broker::keys(s) and broker::store::{})
error in <...>/create-failure.zeek, line 27: invalid Broker store handle (Broker::close(m1) and broker::store::{}) error in <...>/create-failure.zeek, line 27: invalid Broker store handle (Broker::close(m1) and broker::store::{})
error in <...>/create-failure.zeek, line 33: invalid Broker store handle (Broker::close(c2) and broker::store::{}) error in <...>/create-failure.zeek, line 33: invalid Broker store handle (Broker::close(c2) and broker::store::{})


@ -0,0 +1,21 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
T
F
F
F
m1 keys result: [status=Broker::FAILURE, result=[data=<uninitialized>]]
m2 keys result: [status=Broker::SUCCESS, result=[data=broker::data{{}}]]
c2 keys result: [status=Broker::SUCCESS, result=[data=broker::data{{}}]]
T
F
F
F
T
T
T
T
m1 keys result: [status=Broker::FAILURE, result=[data=<uninitialized>]]
c1 keys result: [status=Broker::FAILURE, result=[data=<uninitialized>]]
m2 keys result: [status=Broker::FAILURE, result=[data=<uninitialized>]]
c2 keys result: [status=Broker::FAILURE, result=[data=<uninitialized>]]
c1 timeout


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 7: ID 'A' is not an option (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 4: Option::on_change needs function argument; got 'count' for ID 'A' (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 7: Third argument of passed function has to be string in Option::on_change for ID 'A'; got 'count' (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 4 (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, hi, ))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 3: ID 'A' is not an option (Option::set(A, 6, ))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 7: Second argument of passed function has to be count in Option::on_change for ID 'A'; got 'bool' (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 1 (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 7: Passed function needs to return type 'count' for ID 'A'; got 'bool' (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 5: Could not find ID named 'A' (Option::set_change_handler(A, <internal>::#0, 0))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in <...>/option-runtime-errors.zeek, line 9: Could not find ID named 'B' (Option::set(B, 6, ))


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
expression error in ./1.zeek, line 9: field value missing (mr$f)


@ -1,5 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
expression error in ./1.zeek, line 9: field value missing (mr$f)
bar start bar start
foo start foo start
other zeek_init other zeek_init


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
expression error in ./2.zeek, line 7: no such index (t[nope])


@ -1,3 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
expression error in ./2.zeek, line 7: no such index (t[nope])
in foo in foo


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
expression error in ./3.zeek, line 5: type-checking failed in vector append (v vec+= ok)


@ -1,6 +1,6 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
runtime error in <...>/queue.zeek, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=<uninitialized>], expression: Queue::ret[Queue::j] []= <internal>::#3, call stack: runtime error in <...>/queue.zeek, line 152: vector index assignment failed for invalid type 'myrec', value: [a=T, b=hi, c=<uninitialized>], expression: Queue::ret[Queue::j] []= <internal>::#3, call stack:
#0 Queue::get_vector([initialized=T, vals={[2] = test,[3] = [a=T, b=hi, c=<uninitialized>],[5] = 3,[0] = hello,[6] = jkl;,[4] = asdf,[1] = goodbye}, settings=[max_len=<uninitialized>], top=7, bottom=0, size=0], [hello, goodbye, test]) at <...>/index-assignment-invalid.zeek:19 #0 Queue::get_vector([initialized=T, vals={[2] = test,[3] = [a=T, b=hi, c=<uninitialized>],[5] = 3,[0] = hello,[6] = jkl;,[4] = asdf,[1] = goodbye}, settings=[max_len=<uninitialized>], top=7, bottom=0, size=0], [hello, goodbye, test]) at <...>/index-assignment-invalid.zeek:21
#1 bar(55) at <...>/index-assignment-invalid.zeek:27 #1 bar(55) at <...>/index-assignment-invalid.zeek:29
#2 foo(hi, 13) at <...>/index-assignment-invalid.zeek:39 #2 foo(hi, 13) at <...>/index-assignment-invalid.zeek:41
#3 zeek_init() #3 zeek_init()


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
warning in <...>/table-set-iterator-invalidation.zeek, line 22: possible loop/iterator invalidation caused by expression: t[4] []= four
warning in <...>/table-set-iterator-invalidation.zeek, line 31: possible loop/iterator invalidation caused by expression: t[4]
warning in <...>/table-set-iterator-invalidation.zeek, line 54: possible loop/iterator invalidation caused by expression: s[4]
warning in <...>/table-set-iterator-invalidation.zeek, line 63: possible loop/iterator invalidation caused by expression: s[4]


@ -0,0 +1,38 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
{
[2] = 2,
[1] = 1,
[3] = 3
}
{
[2] = 2,
[4] = four,
[3] = 3,
[1] = 1
}
{
[2] = 2,
[1] = 1,
[3] = 3
}
{
[2] = 2,
[1] = 1,
[3] = 3
}
{
2,
4,
3,
1
}
{
2,
1,
3
}
{
2,
1,
3
}


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in count and ./double_convert_failure1.zeek, line 7: over-promotion of arithmetic value (count and 5.0)


@ -1,2 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in ./double_convert_failure1.zeek, line 7 and double: type clash for field "cc" ((coerce [$cc=5.0] to myrecord) and double)


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in count and ./double_convert_failure2.zeek, line 7: over-promotion of arithmetic value (count and -5.0)


@ -1,2 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in ./double_convert_failure2.zeek, line 7 and double: type clash for field "cc" ((coerce [$cc=-5.0] to myrecord) and double)


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in int and ./first_set.zeek, line 46: overflow promoting from unsigned/double to signed arithmetic value (int and 9223372036854775808)
expression error in ./first_set.zeek, line 46: value used but not set (<internal>::#0)


@ -1,6 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in int and ./first_set.zeek, line 46: overflow promoting from unsigned/double to signed arithmetic value (int and 9223372036854775808)
expression error in ./first_set.zeek, line 46: Failed type conversion ((coerce <internal>::#0 to record { ii:int; cc:count; dd:double; }))
3 3
int int
4 4


@ -0,0 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in count and ./int_convert_failure.zeek, line 7: over-promotion of arithmetic value (count and -5)


@ -1,2 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error in ./int_convert_failure.zeek, line 7 and int: type clash for field "cc" ((coerce [$cc=-5] to myrecord) and int)


@ -0,0 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.



@ -1,6 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error: file ID asdf not a known file
expression error in <...>/main.zeek, line 378: value used but not set (<internal>::#0)
This should fail but not crash This should fail but not crash
lookup fid: FMnxxt3xjVcWNS2141 lookup fid: FMnxxt3xjVcWNS2141
We should have found the file id: FMnxxt3xjVcWNS2141 We should have found the file id: FMnxxt3xjVcWNS2141


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
error: file ID asdf not a known file
expression error in <...>/main.zeek, line 378: value used but not set (<internal>::#0)


@ -15,7 +15,7 @@ XXXXXXXXXX.XXXXXX dns_message
[3] len: count = 34 [3] len: count = 34
XXXXXXXXXX.XXXXXX dns_request XXXXXXXXXX.XXXXXX dns_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, 
rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return 
;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, 
rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
[2] query: string = mail.patriots.in [2] query: string = mail.patriots.in
[3] qtype: count = 1 [3] qtype: count = 1
@ -23,34 +23,34 @@ XXXXXXXXXX.XXXXXX dns_request
[5] original_query: string = mail.patriots.in [5] original_query: string = mail.patriots.in
XXXXXXXXXX.XXXXXX protocol_confirmation XXXXXXXXXX.XXXXXX protocol_confirmation
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, 
TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ 
\x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], 
pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] atype: enum = Analyzer::ANALYZER_DNS [1] atype: enum = Analyzer::ANALYZER_DNS
[2] aid: count = 3 [2] aid: count = 3
XXXXXXXXXX.XXXXXX dns_end XXXXXXXXXX.XXXXXX dns_end
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, 
TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ 
\x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], 
pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
XXXXXXXXXX.XXXXXX dns_message XXXXXXXXXX.XXXXXX dns_message
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, 
rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = 
DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, 
total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F [1] is_orig: bool = F
[2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
[3] len: count = 100 [3] len: count = 100
XXXXXXXXXX.XXXXXX dns_CNAME_reply XXXXXXXXXX.XXXXXX dns_CNAME_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, 
AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = 
<internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
[2] ans: dns_answer = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs] [2] ans: dns_answer = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs]
[3] name: string = patriots.in [3] name: string = patriots.in
XXXXXXXXXX.XXXXXX dns_A_reply XXXXXXXXXX.XXXXXX dns_A_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.953842 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, 
rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = 
<internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.953842 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
[2] ans: dns_answer = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs] [2] ans: dns_answer = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs]
[3] a: addr = 74.53.140.153 [3] a: addr = 74.53.140.153
XXXXXXXXXX.XXXXXX dns_end XXXXXXXXXX.XXXXXX dns_end
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.953842 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, 
rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 
= <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.953842 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
XXXXXXXXXX.XXXXXX new_connection XXXXXXXXXX.XXXXXX new_connection
@ -498,7 +498,7 @@ XXXXXXXXXX.XXXXXX new_connection
XXXXXXXXXX.XXXXXX ChecksumOffloading::check XXXXXXXXXX.XXXXXX ChecksumOffloading::check
XXXXXXXXXX.XXXXXX connection_state_remove XXXXXXXXXX.XXXXXX connection_state_remove
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, 
modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
XXXXXXXXXX.XXXXXX Broker::log_flush XXXXXXXXXX.XXXXXX Broker::log_flush
XXXXXXXXXX.XXXXXX connection_state_remove XXXXXXXXXX.XXXXXX connection_state_remove


@ -29,7 +29,7 @@ XXXXXXXXXX.XXXXXX dns_message
[3] len: count = 34 [3] len: count = 34
XXXXXXXXXX.XXXXXX dns_request XXXXXXXXXX.XXXXXX dns_request
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, 
rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return 
;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=<uninitialized>, qclass=<uninitialized>, qclass_name=<uninitialized>, qtype=<uninitialized>, qtype_name=<uninitialized>, rcode=<uninitialized>, 
rcode_name=<uninitialized>, AA=F, TC=F, RD=F, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
[2] query: string = mail.patriots.in [2] query: string = mail.patriots.in
[3] qtype: count = 1 [3] qtype: count = 1
@ -37,12 +37,12 @@ XXXXXXXXXX.XXXXXX dns_request
[5] original_query: string = mail.patriots.in [5] original_query: string = mail.patriots.in
XXXXXXXXXX.XXXXXX protocol_confirmation XXXXXXXXXX.XXXXXX protocol_confirmation
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, 
TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ 
\x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], 
pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] atype: enum = Analyzer::ANALYZER_DNS [1] atype: enum = Analyzer::ANALYZER_DNS
[2] aid: count = 3 [2] aid: count = 3
XXXXXXXXXX.XXXXXX dns_end XXXXXXXXXX.XXXXXX dns_end
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, 
TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ 
\x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], 
pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0]
XXXXXXXXXX.XXXXXX raw_packet XXXXXXXXXX.XXXXXX raw_packet
@ -54,24 +54,24 @@ XXXXXXXXXX.XXXXXX load_sample
XXXXXXXXXX.XXXXXX event_queue_flush_point XXXXXXXXXX.XXXXXX event_queue_flush_point
XXXXXXXXXX.XXXXXX new_packet XXXXXXXXXX.XXXXXX new_packet
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, 
rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = 
DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, 
total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] p: pkt_hdr = [ip=[hl=20, tos=0, len=128, id=0, ttl=64, p=17, src=10.10.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53/udp, dport=56166/udp, ulen=108], icmp=<uninitialized>] [1] p: pkt_hdr = [ip=[hl=20, tos=0, len=128, id=0, ttl=64, p=17, src=10.10.1.1, dst=10.10.1.4], ip6=<uninitialized>, tcp=<uninitialized>, udp=[sport=53/udp, dport=56166/udp, ulen=108], icmp=<uninitialized>]
XXXXXXXXXX.XXXXXX packet_contents XXXXXXXXXX.XXXXXX packet_contents
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, 
rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = 
DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, 
total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] contents: string = yV\x81\x80\x00\x01\x00\x02\x00\x02\x00\x00\x04mail\x08patriots\x02in\x00\x00\x01\x00\x01\xc0\x0c\x00\x05\x00\x01\x00\x00*K\x00\x02\xc0\x11\xc0\x11\x00\x01\x00\x01\x00\x00*L\x00\x04J5\x8c\x99\xc0\x11\x00\x02\x00\x01\x00\x01C\x8c\x00\x06\x03ns2\xc0\x11\xc0\x11\x00\x02\x00\x01\x00\x01C\x8c\x00\x06\x03ns1\xc0\x11 [1] contents: string = yV\x81\x80\x00\x01\x00\x02\x00\x02\x00\x00\x04mail\x08patriots\x02in\x00\x00\x01\x00\x01\xc0\x0c\x00\x05\x00\x01\x00\x00*K\x00\x02\xc0\x11\xc0\x11\x00\x01\x00\x01\x00\x00*L\x00\x04J5\x8c\x99\xc0\x11\x00\x02\x00\x01\x00\x01C\x8c\x00\x06\x03ns2\xc0\x11\xc0\x11\x00\x02\x00\x01\x00\x01C\x8c\x00\x06\x03ns1\xc0\x11
XXXXXXXXXX.XXXXXX udp_reply XXXXXXXXXX.XXXXXX udp_reply
[0] u: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, 
rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] u: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = 
DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, 
total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
XXXXXXXXXX.XXXXXX dns_message XXXXXXXXXX.XXXXXX dns_message
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, 
rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = 
DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, 
total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=T, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] is_orig: bool = F [1] is_orig: bool = F
[2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
[3] len: count = 100 [3] len: count = 100
XXXXXXXXXX.XXXXXX dns_query_reply XXXXXXXXXX.XXXXXX dns_query_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, 
AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = 
<internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
[2] query: string = mail.patriots.in [2] query: string = mail.patriots.in
[3] qtype: count = 1 [3] qtype: count = 1
@ -79,19 +79,19 @@ XXXXXXXXXX.XXXXXX dns_query_reply
[5] original_query: string = mail.patriots.in [5] original_query: string = mail.patriots.in
XXXXXXXXXX.XXXXXX dns_CNAME_reply XXXXXXXXXX.XXXXXX dns_CNAME_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, 
AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = 
<internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
[2] ans: dns_answer = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs] [2] ans: dns_answer = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs]
[3] name: string = patriots.in [3] name: string = patriots.in
XXXXXXXXXX.XXXXXX dns_A_reply XXXXXXXXXX.XXXXXX dns_A_reply
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.953842 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, 
rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = 
<internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.953842 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
[2] ans: dns_answer = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs] [2] ans: dns_answer = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs]
[3] a: addr = 74.53.140.153 [3] a: addr = 74.53.140.153
XXXXXXXXXX.XXXXXX dns_end XXXXXXXXXX.XXXXXX dns_end
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.953842 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, 
rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 
= <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.953842 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
[1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0]
XXXXXXXXXX.XXXXXX raw_packet XXXXXXXXXX.XXXXXX raw_packet
@ -6260,13 +6260,13 @@ XXXXXXXXXX.XXXXXX raw_packet
XXXXXXXXXX.XXXXXX event_queue_flush_point XXXXXXXXXX.XXXXXX event_queue_flush_point
XXXXXXXXXX.XXXXXX event_queue_flush_point XXXXXXXXXX.XXXXXX event_queue_flush_point
XXXXXXXXXX.XXXXXX connection_timeout XXXXXXXXXX.XXXXXX connection_timeout
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, 
modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
XXXXXXXXXX.XXXXXX udp_session_done XXXXXXXXXX.XXXXXX udp_session_done
[0] u: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, 
modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] u: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
XXXXXXXXXX.XXXXXX connection_state_remove XXXXXXXXXX.XXXXXX connection_state_remove
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#2 = DNS::c$dns_state;\x0a\x09if (<internal>::#2?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#1);\x0a\x09\x09}\x0a\x0a\x09<internal>::#5 = DNS::c$dns_state;\x0a\x09if (<internal>::#5?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09\x09<internal>::#4 = <internal>::#3$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#4);\x0a\x09\x09}\x0a\x0a\x09<internal>::#8 = DNS::c$dns_state;\x0a\x09if (<internal>::#8?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09\x09<internal>::#7 = <internal>::#6$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#7);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, 
modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>] [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=34.0 msecs 24.953842 usecs, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (DNS::c?$dns_state) \x0a\x09\x09;\x0a\x09else\x0a\x09\x09return ;\x0a\x0a\x09<internal>::#3 = DNS::c$dns_state;\x0a\x09if (<internal>::#3?$pending_query) \x0a\x09\x09{ \x0a\x09\x09<internal>::#0 = DNS::c$dns_state;\x0a\x09\x09<internal>::#1 = <internal>::#0$pending_query;\x0a\x09\x09<internal>::#2 = to_any_coerce<internal>::#1;\x0a\x09\x09Log::write(DNS::LOG, <internal>::#2);\x0a\x09\x09}\x0a\x0a\x09<internal>::#6 = DNS::c$dns_state;\x0a\x09if (<internal>::#6?$pending_queries) \x0a\x09\x09{ \x0a\x09\x09<internal>::#4 = DNS::c$dns_state;\x0a\x09\x09<internal>::#5 = <internal>::#4$pending_queries;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#5);\x0a\x09\x09}\x0a\x0a\x09<internal>::#9 = DNS::c$dns_state;\x0a\x09if (<internal>::#9?$pending_replies) \x0a\x09\x09{ \x0a\x09\x09<internal>::#7 = DNS::c$dns_state;\x0a\x09\x09<internal>::#8 = <internal>::#7$pending_replies;\x0a\x09\x09DNS::log_unmatched_msgs(<internal>::#8);\x0a\x09\x09}\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, 
thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=[pending_query=<uninitialized>, pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
XXXXXXXXXX.XXXXXX ChecksumOffloading::check XXXXXXXXXX.XXXXXX ChecksumOffloading::check
XXXXXXXXXX.XXXXXX Broker::log_flush XXXXXXXXXX.XXXXXX Broker::log_flush