Tim Wojtulewicz 2025-09-30 14:05:39 -07:00 committed by GitHub
commit a0a7f59530
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
38 changed files with 332 additions and 189 deletions


@ -2861,7 +2861,7 @@ global pkt_profile_file: file &redef;
## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
## dns_message dns_query_reply dns_rejected dns_request
## dns_message dns_query_reply dns_rejected dns_request dns_dynamic_update
type dns_msg: record {
id: count; ##< Transaction ID.
@ -2877,10 +2877,12 @@ type dns_msg: record {
AD: bool; ##< authentic data
CD: bool; ##< checking disabled
num_queries: count; ##< Number of query records.
num_answers: count; ##< Number of answer records.
num_auth: count; ##< Number of authoritative records.
num_queries: count; ##< Number of query records. For dynamic update messages, this is the number of zones.
num_answers: count; ##< Number of answer records. For dynamic update messages, this is the number of prerequisites.
num_auth: count; ##< Number of authoritative records. For dynamic update messages, this is the number of updates.
num_addl: count; ##< Number of additional records.
is_netbios: bool; ##< Whether this message came from NetBIOS.
};
## A DNS SOA record.


@ -194,4 +194,25 @@ export {
[5] = "ech",
[6] = "ipv6hint",
} &default = function(n: count): string { return fmt("key-%d", n); };
## Mapping of DNS operation type codes to human readable string representation.
const opcodes = {
[0] = "query",
[1] = "iquery",
[2] = "server-status",
[4] = "notify",
[5] = "dynamic-update",
[6] = "dso",
} &default = function(n: count): string { return fmt("opcode-%d", n); };
## Mapping of DNS operation type codes to human readable string representation for
## NetBIOS Name Service (NBNS) queries. These codes are defined in
## https://datatracker.ietf.org/doc/html/rfc1002#section-4.2.1.1
const netbios_opcodes = {
[0] = "netbios-query",
[5] = "netbios-registration",
[6] = "netbios-release",
[7] = "netbios-wack",
[8] = "netbios-refresh",
} &default = function(n: count): string { return fmt("netbios-opcode-%d", n); };
}


@ -71,6 +71,10 @@ export {
TTLs: vector of interval &log &optional;
## The DNS query was rejected by the server.
rejected: bool &log &default=F;
## The opcode value of the DNS request/response.
opcode: count &log &optional;
## A descriptive string for the opcode.
opcode_name: string &log &optional;
## The total number of resource records in a reply message's
## answer section.
@ -343,11 +347,17 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
if ( msg$rcode != 0 && msg$num_queries == 0 )
c$dns$rejected = T;
}
c$dns$opcode = msg$opcode;
if ( msg$is_netbios )
c$dns$opcode_name = netbios_opcodes[msg$opcode];
else
c$dns$opcode_name = opcodes[msg$opcode];
}
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
{
if ( msg$opcode != 0 )
if ( msg$opcode != 0 && msg$opcode != 5 )
# Currently only standard queries are tracked.
return;
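Review bot: The new guard `if ( msg$opcode != 0 && msg$opcode != 5 )` admits every opcode-5 message, but this same commit maps opcode 5 to `netbios-registration` in `netbios_opcodes` and the C++ side only treats opcode 5 as a dynamic update when `! is_netbios`, so NetBIOS registration messages that were previously dropped here now fall through into the standard-query handling. If that is not intended, `if ( msg$opcode != 0 && ! (msg$opcode == 5 && ! msg$is_netbios) )` keeps the script in step with the analyzer. The comment on the next line is also stale now; `# Only standard queries and dynamic updates are tracked.` describes the new behaviour. The dns_message handler body continues outside the hunk.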


@ -74,13 +74,13 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
auto opcode = static_cast<uint16_t>((flags & 0x7800) >> 11);
// NetBIOS registration and release messages look like regular DNS requests, so parse them as such
if ( opcode != DNS_OP_QUERY && ! is_netbios ) {
if ( opcode != DNS_OP_QUERY && opcode != DNS_OP_DYNAMIC_UPDATE && ! is_netbios ) {
analyzer->Weird("DNS_unknown_opcode", util::fmt("%d", opcode));
analyzer->Conn()->CheckHistory(zeek::session::detail::HIST_UNKNOWN_PKT, 'X');
return;
}
detail::DNS_MsgInfo msg(hdr, is_query);
detail::DNS_MsgInfo msg(hdr, is_query, is_netbios);
if ( first_message && msg.QR && is_query == 1 ) {
is_query = 0;
@ -98,7 +98,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
// There is a great deal of non-DNS traffic that runs on port 53.
// This should weed out most of it.
if ( zeek::detail::dns_max_queries > 0 && msg.qdcount > zeek::detail::dns_max_queries ) {
if ( zeek::detail::dns_max_queries > 0 && msg.qd_zo_count > zeek::detail::dns_max_queries ) {
analyzer->AnalyzerViolation("DNS_Conn_count_too_large");
analyzer->Weird("DNS_Conn_count_too_large");
EndMessage(&msg);
@ -110,26 +110,73 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
data += hdr_len;
len -= hdr_len;
if ( msg.is_dynamic_update ) {
if ( msg.qd_zo_count != 1 ) {
// dynamic update events should only have a single zone in them.
analyzer->Weird("DNS_DU_invalid_zone_count", util::fmt("%d", msg.qd_zo_count));
EndMessage(&msg);
return;
}
// Dynamic update looks like this:
// 1. A single "zone" that is just the first three fields of an SOA RR. It's
// required to be an SOA, so a weird is returned if not.
// 2. Zero or more "prerequisite" RRs that are required to be true in the zone
// before updates take place.
// 3. Zero or more "update" RRs that are the updates to be made to the zone.
// 4. Zero or more "additional" RRs that are unrelated to the updates. These are
// handled same to the other additional RRs with other op codes.
if ( ! ParseAnswerHeader(&msg, data, len, msg_start) ) {
EndMessage(&msg);
return;
}
if ( msg.atype != detail::TYPE_SOA ) {
analyzer->Weird("DNS_DU_incorrect_zone_type");
return;
}
StringValPtr zname = msg.query_name;
uint32_t zclass = msg.aclass;
if ( ! ParseAnswers(&msg, msg.an_pr_count, detail::DNS_PREREQUISITES, data, len, msg_start) ) {
EndMessage(&msg);
return;
}
if ( ! ParseAnswers(&msg, msg.ns_up_count, detail::DNS_UPDATES, data, len, msg_start) ) {
EndMessage(&msg);
return;
}
// Send an event if the first three parts parsed correctly, since they're the
// actual update bits.
if ( dns_dynamic_update )
analyzer->EnqueueConnEvent(dns_dynamic_update, analyzer->ConnVal(), msg.BuildHdrVal(), zname,
val_mgr->Count(zclass));
}
else {
if ( ! ParseQuestions(&msg, data, len, msg_start) ) {
EndMessage(&msg);
return;
}
if ( ! ParseAnswers(&msg, msg.ancount, detail::DNS_ANSWER, data, len, msg_start) ) {
if ( ! ParseAnswers(&msg, msg.an_pr_count, detail::DNS_ANSWER, data, len, msg_start) ) {
EndMessage(&msg);
return;
}
}
analyzer->AnalyzerConfirmation();
bool skip_auth = (zeek::detail::dns_skip_all_auth != 0);
bool skip_addl = (zeek::detail::dns_skip_all_addl != 0);
if ( msg.ancount > 0 ) { // We did an answer, so can potentially skip auth/addl.
if ( msg.an_pr_count > 0 ) { // We did an answer, so can potentially skip auth/addl.
static auto dns_skip_auth = id::find_val<TableVal>("dns_skip_auth");
static auto dns_skip_addl = id::find_val<TableVal>("dns_skip_addl");
auto server = make_intrusive<AddrVal>(analyzer->Conn()->RespAddr());
skip_auth = skip_auth || msg.nscount == 0 || dns_skip_auth->FindOrDefault(server);
skip_auth = skip_auth || msg.ns_up_count == 0 || dns_skip_auth->FindOrDefault(server);
skip_addl = skip_addl || msg.arcount == 0 || dns_skip_addl->FindOrDefault(server);
}
@ -139,11 +186,14 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query) {
return;
}
// Dynamic update doesn't have an authority section.
if ( ! msg.is_dynamic_update ) {
msg.skip_event = skip_auth;
if ( ! ParseAnswers(&msg, msg.nscount, detail::DNS_AUTHORITY, data, len, msg_start) ) {
if ( ! ParseAnswers(&msg, msg.ns_up_count, detail::DNS_AUTHORITY, data, len, msg_start) ) {
EndMessage(&msg);
return;
}
}
if ( skip_addl ) {
// No point doing further work parsing the message.
@ -166,7 +216,7 @@ void DNS_Interpreter::EndMessage(detail::DNS_MsgInfo* msg) {
}
bool DNS_Interpreter::ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) {
int n = msg->qdcount;
int n = msg->qd_zo_count;
while ( n > 0 && ParseQuestion(msg, data, len, msg_start) )
--n;
@ -201,7 +251,7 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& dat
if ( msg->QR == 0 )
dns_event = dns_request;
else if ( msg->QR == 1 && msg->ancount == 0 && msg->nscount == 0 && msg->arcount == 0 )
else if ( msg->QR == 1 && msg->an_pr_count == 0 && msg->ns_up_count == 0 && msg->arcount == 0 )
// Service rejected in some fashion, and it won't be reported
// via a returned RR because there aren't any.
dns_event = dns_rejected;
@ -229,7 +279,8 @@ bool DNS_Interpreter::ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& dat
return true;
}
bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) {
bool DNS_Interpreter::ParseAnswerHeader(detail::DNS_MsgInfo* msg, const u_char*& data, int& len,
const u_char* msg_start) {
u_char name[513];
int name_len = sizeof(name) - 1;
@ -249,6 +300,14 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
msg->query_name = make_intrusive<StringVal>(new String(name, name_end - name, true));
msg->atype = static_cast<detail::RR_Type>(ExtractShort(data, len));
msg->aclass = ExtractShort(data, len);
return true;
}
bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start) {
if ( ! ParseAnswerHeader(msg, data, len, msg_start) )
return false;
msg->ttl = ExtractLong(data, len);
auto rdlength = ExtractShort(data, len);
@ -256,7 +315,24 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
analyzer->Weird("DNS_truncated_RR_rdlength_lt_len");
return false;
}
else if ( rdlength == 0 && len > 0 ) {
if ( msg->is_dynamic_update ) {
// Read length and ttl can both be zero for dynamic updates, but only if the class is ANY or NONE.
if ( rdlength == 0 && msg->aclass != DNS_CLASS_ANY && msg->aclass != DNS_CLASS_NONE ) {
analyzer->Weird("DNS_zero_rdlength_update");
return false;
}
else if ( msg->ttl == 0 && msg->aclass != DNS_CLASS_ANY && msg->aclass != DNS_CLASS_NONE ) {
analyzer->Weird("DNS_zero_ttl_update");
return false;
}
}
if ( rdlength == 0 && len > 0 ) {
if ( msg->is_dynamic_update )
// See above for when this isn't allowed.
return true;
analyzer->Weird("DNS_zero_rdlength");
return false;
}
@ -392,6 +468,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
// Found terminating label.
return false;
// If the label length is 0xc0, this is a pointer to another spot in the packet data.
if ( (label_len & 0xc0) == 0xc0 ) {
auto offset = (label_len & ~0xc0) << 8;
@ -422,6 +499,7 @@ bool DNS_Interpreter::ExtractLabel(const u_char*& data, int& len, u_char*& name,
name_len -= name_end - name;
name = name_end;
// Returning false here causes the loop in ExtractName to exit.
return false;
}
@ -1789,7 +1867,8 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHand
val_mgr->Count(qtype), val_mgr->Count(qclass), make_intrusive<StringVal>(original_name));
}
DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_is_query) {
DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query, bool arg_is_netbios)
: is_query(arg_is_query), is_netbios(arg_is_netbios) {
// ### Need to fix alignment if hdr is misaligned (not on a short boundary).
uint16_t flags = ntohs(hdr->flags);
@ -1804,12 +1883,13 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool arg_is_query) : is_query(arg_i
CD = (flags & 0x0010) >> 4;
rcode = (flags & 0x000f);
qdcount = ntohs(hdr->qdcount);
ancount = ntohs(hdr->ancount);
nscount = ntohs(hdr->nscount);
qd_zo_count = ntohs(hdr->qd_zo_count);
an_pr_count = ntohs(hdr->an_pr_count);
ns_up_count = ntohs(hdr->ns_up_count);
arcount = ntohs(hdr->arcount);
id = ntohs(hdr->id);
is_dynamic_update = (opcode == DNS_OP_DYNAMIC_UPDATE && ! is_netbios);
}
RecordValPtr DNS_MsgInfo::BuildHdrVal() {
@ -1827,10 +1907,11 @@ RecordValPtr DNS_MsgInfo::BuildHdrVal() {
r->Assign(8, Z);
r->Assign(9, static_cast<bool>(AD));
r->Assign(10, static_cast<bool>(CD));
r->Assign(11, qdcount);
r->Assign(12, ancount);
r->Assign(13, nscount);
r->Assign(11, qd_zo_count);
r->Assign(12, an_pr_count);
r->Assign(13, ns_up_count);
r->Assign(14, arcount);
r->Assign(15, is_netbios);
return r;
}
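Review bot: The `msg.atype != detail::TYPE_SOA` branch in the dynamic-update path of ParseMessage returns after the Weird without calling `EndMessage(&msg)`, unlike every other early exit around it (the zone-count check, the ParseAnswerHeader and both ParseAnswers failures), so whatever EndMessage does for the message (its body is outside this view) is skipped for that one error case; adding `EndMessage(&msg);` before the `return;` makes it consistent. Separately, the `DNS_zero_ttl_update` check in ParseAnswer rejects any dynamic-update RR with TTL 0 whose class is neither ANY nor NONE; as far as I recall, RFC 2136 value-dependent prerequisites carry the zone class with TTL 0 and non-empty RDATA, so this would flag well-formed messages and is worth confirming against the RFC before it ships. Both hunks belong to functions whose bodies extend outside the shown lines.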


@ -15,6 +15,10 @@ enum DNS_Opcode : uint8_t {
// DNS_OP_SERVER_STATUS = 3, ///< server status request
DNS_OP_SERVER_STATUS = 2, ///< server status request
DNS_OP_NOTIFY = 4, ///< RFC 1996
DNS_OP_DYNAMIC_UPDATE = 5, ///< RFC 2136
DNS_OP_DSO = 6, ///< RFC 8490
// Netbios operations (query = 0).
NETBIOS_REGISTRATION = 5,
NETBIOS_RELEASE = 6,
@ -29,6 +33,11 @@ enum DNS_Code : uint16_t {
DNS_CODE_NAME_ERR = 3, ///< no such domain
DNS_CODE_NOT_IMPL = 4, ///< not implemented
DNS_CODE_REFUSED = 5, ///< refused
DNS_CODE_YXDOMAIN = 6, ///< name exists when it should not (RFC 2136)
DNS_CODE_YXRRSET = 7, ///< rr set exists when it should not (RFC 2136)
DNS_CODE_NXRRSET = 8, ///< rr set that should exist does not (RFC 2136)
DNS_CODE_NOTAUTH = 9, ///< server not authoritative for zone (RFC 2136), or not authorized (RFC 8945)
DNS_CODE_NOT_ZONE = 10, ///< name not contained in zone (RFC 2136)
DNS_CODE_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits
};
@ -83,6 +92,7 @@ enum RR_Type : uint16_t {
enum DNS_Class : uint16_t {
DNS_CLASS_IN = 1,
DNS_CLASS_NONE = 254, ///< RFC2136
DNS_CLASS_ANY = 255,
DNS_CLASS_RESERVED = 65535, ///< Force clang-tidy to accept this enum being 16 bits
};
@ -92,6 +102,8 @@ enum DNS_AnswerType : uint8_t {
DNS_ANSWER,
DNS_AUTHORITY,
DNS_ADDITIONAL,
DNS_PREREQUISITES,
DNS_UPDATES,
};
// https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
@ -162,9 +174,9 @@ enum SVCPARAM_Key : uint8_t {
struct DNS_RawMsgHdr {
uint16_t id;
uint16_t flags;
uint16_t qdcount;
uint16_t ancount;
uint16_t nscount;
uint16_t qd_zo_count;
uint16_t an_pr_count;
uint16_t ns_up_count;
uint16_t arcount;
};
@ -282,9 +294,9 @@ struct SVCB_DATA {
VectorValPtr svc_params;
};
class DNS_MsgInfo {
class DNS_MsgInfo final {
public:
DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query);
DNS_MsgInfo(DNS_RawMsgHdr* hdr, bool is_query, bool is_netbios);
RecordValPtr BuildHdrVal();
RecordValPtr BuildAnswerVal();
@ -314,16 +326,18 @@ public:
uint8_t Z; ///< 3 bit field (includes AD and CD)
bool AD; ///< authentic data
bool CD; ///< checking disabled
uint16_t qdcount; ///< number of questions
uint16_t ancount; ///< number of answers
uint16_t nscount; ///< number of authority RRs
uint16_t qd_zo_count; ///< number of questions (or zones for dynamic update)
uint16_t an_pr_count; ///< number of answers (or prerequisites for dynamic update)
uint16_t ns_up_count; ///< number of authority RRs (or updates for dynamic update)
uint16_t arcount; ///< number of additional RRs
bool is_query = false; ///< whether it came from the session initiator
bool skip_event = false; ///< if true, don't generate corresponding events
bool is_dynamic_update = false; ///< whether this message is a dynamic update
bool is_netbios = false; ///< whether this request is from netbios
StringValPtr query_name;
RR_Type atype = TYPE_ALL;
int aclass = 0; ///< normally = 1, inet
uint16_t aclass = 0; ///< normally = 1, inet
uint32_t ttl = 0;
DNS_AnswerType answer_type = DNS_QUESTION;
@ -337,7 +351,7 @@ public:
void Timeout() {}
protected:
private:
void EndMessage(detail::DNS_MsgInfo* msg);
bool ParseQuestions(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
@ -345,6 +359,7 @@ protected:
int& len, const u_char* start);
bool ParseQuestion(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
bool ParseAnswerHeader(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* msg_start);
bool ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, const u_char* start);
u_char* ExtractName(const u_char*& data, int& len, u_char* label, int label_len, const u_char* msg_start,
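Review bot: `DNS_OP_DYNAMIC_UPDATE = 5` and `DNS_OP_DSO = 6` now share values with `NETBIOS_REGISTRATION = 5` and `NETBIOS_RELEASE = 6` in the same `DNS_Opcode` enum, so an opcode value alone no longer identifies the enumerator and the `is_dynamic_update` flag in DNS_MsgInfo only works because it also consults `is_netbios`; a comment on the new entry would save the next reader the search, e.g. `DNS_OP_DYNAMIC_UPDATE = 5, ///< RFC 2136; shares its value with NETBIOS_REGISTRATION, disambiguated via DNS_MsgInfo::is_netbios`. The `protected:` → `private:` change in the last hunk also hides ParseQuestions/ParseAnswers and friends from any subclass of that interpreter class; its header is outside the hunk, so I cannot see whether it is `final`, but if it is not, this is a breaking change worth a line in the commit message.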


@ -836,3 +836,16 @@ event dns_HTTPS%(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_r
## dns_rejected dns_request dns_max_queries dns_session_timeout
## dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
event dns_end%(c: connection, msg: dns_msg%);
## Generated for DNS Dynamic Update messages. See `RFC for Dynamic Updates in the Domain Name System (DNS UPDATE) <https://datatracker.ietf.org/doc/html/rfc2136`__
## for more information about Dynamic Updates.
##
## c: The connection, which may be UDP or TCP depending on the type of the
## transport-layer session being analyzed.
##
## msg: The parsed DNS message header.
##
## zname: The name from the Zone section of the message.
##
## zclass: The class from the Zone section of the message.
event dns_dynamic_update%(c: connection, msg: dns_msg, zname: string, zclass: count%);
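Review bot: The RST hyperlink in the new docstring is missing its closing `>` before the backtick, so the reference will not render; it should read `<https://datatracker.ietf.org/doc/html/rfc2136>`__. It would also help users to state when the event fires, since the analyzer only raises it for non-NetBIOS opcode-5 messages whose single zone record is an SOA and whose prerequisite and update sections parsed successfully; a sentence such as "Generated only after the zone, prerequisite and update sections have been parsed; a non-SOA zone record or a malformed section suppresses the event." would cover that. Adding `dns_message` and `dns_end` to a `.. zeek:see::` line, as the neighbouring events do, would keep the documentation consistent.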


@ -5,9 +5,9 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 0.079300 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 5.084025 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 - txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51850 2607:f740:b::f93 53 udp 3903 0.079300 txtpadding_323.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F 0 query
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 5.084025 txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT 0 NOERROR T F T F 0 TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 1.000000 F 0 query
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:d138:5f55:6d4:1fe2 51851 2607:f740:b::f93 53 udp 40849 - txtpadding_3230.n1.netalyzr.icsi.berkeley.edu 1 C_INTERNET 16 TXT - - F F T F 0 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,8 +5,8 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 63844 0.054238 zeek.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 192.0.78.150,192.0.78.212 52.000000,52.000000 F
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 12391 - zeek.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 63844 0.054238 zeek.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 192.0.78.150,192.0.78.212 52.000000,52.000000 F 0 query
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.17.0.2 51714 1.1.1.1 53 udp 12391 - zeek.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,8 +5,8 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 66.59.111.190 37675 172.28.2.3 53 udp 48554 - www.gleeble.org 1 C_INTERNET 255 * - - F F T F 0 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp 27595 - abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp 27595 - abcd.efg.hijklm.nm 1 C_INTERNET 1 A - - F F T F 0 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -100,6 +100,8 @@ connection {
* answers: vector of string, log=T, optional=T
* id: record conn_id, log=T, optional=F
conn_id { ... }
* opcode: count, log=T, optional=T
* opcode_name: string, log=T, optional=T
* proto: enum transport_proto, log=T, optional=F
* qclass: count, log=T, optional=T
* qclass_name: string, log=T, optional=T


@ -5,40 +5,40 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp 42996 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp 26428 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp 26096 0.000392 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp 31201 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp 39814 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp 56376 0.000375 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp 51988 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp 1085 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp 10729 0.000421 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp 56663 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp 41417 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp 49233 0.000423 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp 17147 0.000402 meta.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org 723.000000,593.000000 F
XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp 16954 0.000374 meta.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org,208.80.152.2 723.000000,593.000000,2141.000000 F
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local 1 C_INTERNET 33 SRV - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F
XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp 0 - gomez._sftp-ssh._tcp.local 1 C_INTERNET 16 TXT - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65398 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F
XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp 9321 - WORKGROUP 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp 42996 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp 26428 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp 26096 0.000392 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp 31201 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp 39814 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp 56376 0.000375 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp 51988 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp 1085 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp 10729 0.000421 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp 56663 - upload.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp 41417 - upload.wikimedia.org.ncsa.uiuc.edu 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp 49233 0.000423 upload.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 upload.pmtpa.wikimedia.org,208.80.152.3 124.000000,2156.000000 F 0 query
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp 17147 0.000402 meta.wikimedia.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org 723.000000,593.000000 F 0 query
XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp 16954 0.000374 meta.wikimedia.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 text.wikimedia.org,text.pmtpa.wikimedia.org,208.80.152.2 723.000000,593.000000,2141.000000 F 0 query
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local 1 C_INTERNET 33 SRV - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F 0 query
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp 0 - gemini._sftp-ssh._tcp.local - - - - 0 NOERROR T F F F 0 gemini.local 120.000000 F 0 query
XXXXXXXXXX.XXXXXX Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp 0 - gomez._sftp-ssh._tcp.local 1 C_INTERNET 16 TXT - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65394 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65390 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
XXXXXXXXXX.XXXXXX CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp 65398 - BRWC0CB383D1F42 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp 17952 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp 47948 - brwc0cb383d1f42 1 C_INTERNET 1 A - - F F F F 0 - - F 0 query
XXXXXXXXXX.XXXXXX CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp 9321 - WORKGROUP 1 C_INTERNET 32 NIMLOC - - F F T F 1 - - F 0 netbios-query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.74 51871 10.87.1.10 53 udp 27571 0.002004 example.net 1 C_INTERNET 65534 query-65534 0 NOERROR T F T T 2 BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal 0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000 F - -
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.74 51871 10.87.1.10 53 udp 27571 0.002004 example.net 1 C_INTERNET 65534 query-65534 0 NOERROR T F T T 2 BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal 0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000 F 0 query - -
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.10 53209 192.168.129.36 53 udp 41477 0.075138 paypal.com 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 1 DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com 455.000000,455.000000,455.000000,455.000000 F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.6.10 53209 192.168.129.36 53 udp 41477 0.075138 paypal.com 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 1 DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com 455.000000,455.000000,455.000000,455.000000 F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 22666 0.018166 upenn.edu 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 2 DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu 5.000000,5.000000,5.000000,3444.000000,3444.000000 F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 22666 0.018166 upenn.edu 1 C_INTERNET 48 DNSKEY 0 NOERROR F F T T 2 DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu 5.000000,5.000000,5.000000,3444.000000,3444.000000 F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 39080 0.017821 upenn.edu 1 C_INTERNET 43 DS 0 NOERROR F F T T 2 DS 5 1,DS 5 2,RRSIG 43 edu 5.000000,5.000000,5.000000 F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.153.129 50729 192.168.153.2 53 udp 39080 0.017821 upenn.edu 1 C_INTERNET 43 DS 0 NOERROR F F T T 2 DS 5 1,DS 5 2,RRSIG 43 edu 5.000000,5.000000,5.000000 F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,8 +5,8 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 0.000214 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 - www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 0.000214 www.cmu.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F 0 query
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 udp 21140 - www.cmu.edu - - - - 0 NOERROR T F F F 0 www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163 86400.000000,86400.000000,5.000000,21600.000000 F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[id=47952, opcode=5, rcode=0, QR=F, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=1, is_netbios=F], stratolab.org, 1, C_INTERNET
[id=47952, opcode=5, rcode=5, QR=T, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=1, is_netbios=F], stratolab.org, 1, C_INTERNET
[id=61191, opcode=5, rcode=0, QR=F, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=0, is_netbios=F], stratolab.org, 1, C_INTERNET
[id=61191, opcode=5, rcode=0, QR=T, AA=F, TC=F, RD=F, RA=F, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=3, num_addl=0, is_netbios=F], stratolab.org, 1, C_INTERNET


@ -1,12 +0,0 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer source
#types time string addr port addr port string string bool string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.105 62763 192.168.1.108 53 DNS_unknown_opcode 5 F zeek DNS
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.1.31 53 207.158.192.40 53 udp 25701 - us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.20.1.31 53 207.158.192.40 53 udp 25701 - us.v27.distributed.net - - - - 0 NOERROR T F F T 0 206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226 900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000 F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows
HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1, is_netbios=F], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 600.000000,600.000000 F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 79.141.82.250 57483 192.188.22.52 53 udp 33295 0.000195 sunn-pt1.es.net 1 C_INTERNET 255 * 0 NOERROR T F F F 0 LOC: 18 21 19,RRSIG 29 es.net 600.000000,600.000000 F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.50 51946 68.142.255.16 53 udp 28079 - flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.150.187.50 51946 68.142.255.16 53 udp 28079 - flkr._domainkey.flickr.com - - - - 0 NOERROR T F F F 0 fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB 900.000000,900.000000,7200.000000 F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -1,2 +1,2 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
NAPTR, [id=20970, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=0], [answer_type=1, query=fp-de-carrier-vodafone.rcs.telephony.goog, qtype=35, qclass=1, TTL=2.0 mins 48.0 secs], [order=100, preference=100, flags=s, service=SIPS+D2T, regexp=, replacement=_sips._tcp.fp-de-carrier-vodafone.rcs.telephony.goog]
NAPTR, [id=20970, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=0, is_netbios=F], [answer_type=1, query=fp-de-carrier-vodafone.rcs.telephony.goog, qtype=35, qclass=1, TTL=2.0 mins 48.0 secs], [order=100, preference=100, flags=s, service=SIPS+D2T, regexp=, replacement=_sips._tcp.fp-de-carrier-vodafone.rcs.telephony.goog]


@ -5,8 +5,8 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F - -
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 57073 128.175.13.16 53 udp 130 - dla.library.upenn.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F F F 1 - - F 0 query RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 50693 128.175.13.16 53 udp 51063 0.001515 www.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 www.upenn.edgekey.net,RRSIG 5 upenn.edu 300.000000,300.000000 F 0 query - -
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net -
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.102 49324 192.168.1.1 53 udp 9835 - foobar.sshfp.net 1 C_INTERNET 1 A 3 NXDOMAIN F F T F 2 - - F 0 query ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net -
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F - -
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 53540 10.87.1.54 53 udp 15626 0.522010 sshfp.net 1 C_INTERNET 51 NSEC3PARAM 0 NOERROR F F T T 2 NSEC3PARAM 0.000000 F 0 query - -
#close XXXX-XX-XX-XX-XX-XX


@ -5,10 +5,10 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 35.184.172.191 10267 128.175.13.16 53 udp 17129 0.003405 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F 0 query
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 35.184.172.191 50056 128.175.13.16 53 udp 26222 0.003363 virgo.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 128.91.234.142,RRSIG 1 upenn.edu 30.000000,30.000000 F 0 query
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 35.184.172.191 39975 128.175.13.16 53 udp 27118 0.003748 workfamily.sas.upenn.edu 1 C_INTERNET 1 A 0 NOERROR T F F F 1 quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu 900.000000,900.000000,30.000000,30.000000 F 0 query
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 35.184.172.191 5386 128.175.13.16 53 udp 62809 - virgo.sas.upenn.edu 1 C_INTERNET 1 A - - F F F F 1 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.91.0.62 57806 10.91.1.59 53 udp 64161 - mail.vladg.net - - - - 0 NOERROR F F F T 0 SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all 300.000000,300.000000 F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.91.0.62 57806 10.91.1.59 53 udp 64161 - mail.vladg.net - - - - 0 NOERROR F F F T 0 SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all 300.000000,300.000000 F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,8 +5,8 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000 F
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 128.3.121.180 54109 192.188.22.52 53 udp 40916 0.000200 mon.lbl.gov 1 C_INTERNET 44 SSHFP 0 NOERROR T F F F 1 SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov 43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000 F 0 query
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 128.3.121.180 54109 192.188.22.52 53 udp 22044 - n0019.savio1.lbl.gov 1 C_INTERNET 1 A 3 NXDOMAIN F F F F 0 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 50138 192.168.1.108 53 tcp 52640 - 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5 1 C_INTERNET 249 TKEY 0 NOERROR F F F F 0 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.106 50138 192.168.1.108 53 tcp 52640 - 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5 1 C_INTERNET 249 TKEY 0 NOERROR F F F F 0 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F - -
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name auth addl
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string set[string] set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.87.3.18 60059 10.87.1.10 53 udp 63119 0.001993 zeek.example.net 1 C_INTERNET 11 WKS 0 NOERROR T F T T 2 - - F 0 query - -
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.64 49204 146.186.163.66 53 udp 17323 - psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.64 49204 146.186.163.66 53 udp 17323 - psu.edu 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F 0 query
#close XXXX-XX-XX-XX-XX-XX


@ -5,7 +5,7 @@
#unset_field -
#path dns
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected original_query
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.138 63374 192.168.3.1 53 udp 20877 - us.v27.distributed.net 1 C_INTERNET 1 A - - F F T F 2 - - F Us.V27.DiStRiBuTeD.NET
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected opcode opcode_name original_query
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool count string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.3.138 63374 192.168.3.1 53 udp 20877 - us.v27.distributed.net 1 C_INTERNET 1 A - - F F T F 2 - - F 0 query Us.V27.DiStRiBuTeD.NET
#close XXXX-XX-XX-XX-XX-XX


@ -1,6 +1,12 @@
# @TEST-DOC: Tests that a DNS dynamic update packet doesn't error but reports an unknown opcode weird
# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dynamic-update.pcap %INPUT
# @TEST-EXEC: btest-diff weird.log
# @TEST-DOC: Tests that a DNS dynamic update packet is processed.
# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dynamic-update.pcap %INPUT >out 2>&1
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: ! test -f weird.log
@load base/frameworks/notice/weird
@load base/protocols/dns
event dns_dynamic_update(c: connection, msg: dns_msg, zname: string, zclass: count)
{
print msg, zname, zclass, DNS::classes[zclass];
}
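Review bot: The rewritten test asserts only that `dns_dynamic_update` fires (via the `out` diff) and that no weird.log is written; it never checks what dns.log records for the packet, so a regression in the new `opcode`/`opcode_name` columns would go unnoticed here, since every other baseline in this commit only exercises opcode 0 (`query`). Adding `# @TEST-EXEC: btest-diff dns.log` next to the `out` diff would pin the opcode 5 / `dynamic-update` row, assuming `base/protocols/dns` emits dns.log for this trace as it does for the other baselines. The `! test -f weird.log` check is a good negative assertion, but the `@load base/frameworks/notice/weird` line is now only there to make it meaningful; a one-line comment such as `# weird framework stays loaded so the absence of weird.log is a real check` would keep a later cleanup from removing it.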


@ -1 +1 @@
31094f4840d0abc8fdf7f810e281851bd057931b
0f0a78fbe0bc690bede40da17d30c1fd2db273c6


@ -1 +1 @@
2b90a083a2b35a2a3c1d71ff92318c7a11263cd6
80860e185460d347c969c04977fa7e99dff9eaab