AnsweredAssumed Answered

Questions about Verbose DNS Parser

Question asked by RSA Admin Employee on Dec 16, 2012
Latest reply on Dec 26, 2012 by RSA Admin

I have a few questions above a DNS Verbose parser I got from Netwitness.

 

The version I have is 2012-04-18.1.  Is there a new version?

 

I added the dns.querytype and dns.responsetype in my investigator-index.xml.

 

When I've tested it, I only get responsetype meta data, no querytype meta data.

Is this a problem anyone has seen before?

 

It uses a Stream match, <match name="streamBegin">

 

As I understand the way parsing works, there is a request Stream and a response Stream.  Together these two Streams make up a session.

With the Stream match in this parser, will it match a request Stream, response Stream or both?

 

There is a comment in this parser that performance may be an issue because it does a meta call back to determine if it is TCP or UDP.  Could the meta call back be removed if you only want to parse UDP DNS traffic?

Would that eliminiate the performance concerns.

 

All help appreciated.

Outcomes