This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Questions about Verbose DNS Parser

Go to solution
RSAAdmin
Beginner
Beginner

‎2012-12-16 06:58 PM

I have a few questions above a DNS Verbose parser I got from Netwitness.

 

The version I have is 2012-04-18.1.  Is there a new version?

 

I added the dns.querytype and dns.responsetype in my investigator-index.xml.

 

When I've tested it, I only get responsetype meta data, no querytype meta data.

Is this a problem anyone has seen before?

 

It uses a Stream match, <match name="streamBegin">

 

As I understand the way parsing works, there is a request Stream and a response Stream.  Together these two Streams make up a session.

With the Stream match in this parser, will it match a request Stream, response Stream or both?

 

There is a comment in this parser that performance may be an issue because it does a meta call back to determine if it is TCP or UDP.  Could the meta call back be removed if you only want to parse UDP DNS traffic?

Would that eliminiate the performance concerns.

 

All help appreciated.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2012-12-26 01:44 PM

Sorry, I can't speak to the missing querytype meta data at them moment, but will try and clarify some of your other questsion.

 

The "streamBegin" match will be called for both the request and reposnse streams if both are present.

 

While the check for the IP protocol represents overhead that is incurred for all sessions that the decoder parses, removing it will not elimanate most of the performance concerns of this particular parser.  The DNS verbose parser is intended to provide additional detail over what the default DNS parser does where performance considerations are not an issue.

 

That said, the check for UDP/TCP could be removed and the protocol variable hard coded to 17 (to avoid TCP specific logic) if only UDP sessions are present.

 


View solution in original post

0 Likes
1 REPLY 1

Go to solution
RSAAdmin
Beginner
Beginner

‎2012-12-26 01:44 PM

Sorry, I can't speak to the missing querytype meta data at them moment, but will try and clarify some of your other questsion.

 

The "streamBegin" match will be called for both the request and reposnse streams if both are present.

 

While the check for the IP protocol represents overhead that is incurred for all sessions that the decoder parses, removing it will not elimanate most of the performance concerns of this particular parser.  The DNS verbose parser is intended to provide additional detail over what the default DNS parser does where performance considerations are not an issue.

 

That said, the check for UDP/TCP could be removed and the protocol variable hard coded to 17 (to avoid TCP specific logic) if only UDP sessions are present.

 


0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.