Add opcode/opcode_name to DNS log record

scripts/base/protocols/dns/consts.zeek

@@ -194,4 +194,21 @@ export {
 		[5] = "ech",
 		[6] = "ipv6hint",
 	} &default = function(n: count): string { return fmt("key-%d", n); };
+
+	## Mapping of DNS operation type codes to human readable string
+	## representation. The NetBIOS opcodes overlap the standard opcodes,
+	## hence putting the string versions at invalid values to make lookups
+	## possible.
+	const opcodes = {
+		[0] = "query",
+		[1] = "iquery",
+		[2] = "server-status",
+		[4] = "notify",
+		[5] = "dynamic-update",
+		[6] = "dso",
+		[0xFFFF5] = "netbios-registration",
+		[0xFFFF6] = "netbios-release",
+		[0xFFFF7] = "netbios-wack",
+		[0xFFFF8] = "netbios-refresh",
+	} &default = function(n: count): string { return fmt("opcode-%d", n); };
 }

scripts/base/protocols/dns/main.zeek

@@ -71,6 +71,10 @@ export {
 		TTLs:          vector of interval &log &optional;
 		## The DNS query was rejected by the server.
 		rejected:      bool               &log &default=F;
+		## The opcode value of the DNS request/response.
+		opcode:        count              &log &optional;
+		## A descriptive string for the opcode.
+		opcode_name:   string             &log &optional;
 
 		## The total number of resource records in a reply message's
 		## answer section.
@@ -343,11 +347,20 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
 		if ( msg$rcode != 0 && msg$num_queries == 0 )
 			c$dns$rejected = T;
 		}
+
+	c$dns$opcode = msg$opcode;
+	if ( msg$is_netbios )
+		if ( msg$opcode >= 5 )
+			c$dns$opcode_name = opcodes[msg$opcode + 0xFFFF];
+		else
+			c$dns$opcode_name = fmt("netbios-%s", opcodes[msg$opcode]);
+	else
+		c$dns$opcode_name = opcodes[msg$opcode];
 	}
 
 event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count) &priority=5
 	{
-	if ( msg$opcode != 0 )
+	if ( msg$opcode != 0 && msg$opcode != 5 )
 		# Currently only standard queries are tracked.
 		return;