decodedns
Decodes DNS messages from Ethernet frames, extracting the query domain, response IP address, status code, and other data.
Command properties
| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| payload | binary | Required | Ethernet frame data. If the field is not binary type, the input record is passed through as-is. |
Output fields
| Field | Type | Description |
|---|---|---|
| txid | string | DNS transaction ID (4-digit hexadecimal string) |
| src_ip | ipaddr | Source IP address |
| src_port | integer | Source port number |
| dst_ip | ipaddr | Destination IP address |
| dst_port | integer | Destination port number |
| direction | string | Communication direction: c->s (client to server) or s->c (server to client) |
| bytes | integer | DNS message size in bytes |
| type | string | DNS query type. For example: A, AAAA, CNAME, MX, NS, PTR, SOA, SRV, TXT |
| domain | string | Query domain name |
| status | string | DNS response status: NO_ERROR, FORMAT_ERROR, SERVER_FAILURE, NAME_ERROR, NOT_IMPLEMENTED, REFUSED |
| ip | ipaddr | Response IP address of the first A record. Returns null if no A record exists. |
| flags | string | DNS flags string (for example: standard query response (RD RA)) |
| queries | array | List of DNS query section records. Assigned only when there are 2 or more queries. |
| answers | array | List of DNS answer section records. Assigned only when there is 1 or more answer. |
| additionals | array | List of DNS additional section records. Assigned only when there is 1 or more additional record. |
| authorities | array | List of DNS authority section records. Assigned only when there is 1 or more authority record. |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The decodedns command reads an Ethernet frame from the payload field of each input record and decodes the DNS protocol message. If the payload field is not binary type, the input record is passed through to the next command unchanged.
From the decoded DNS message, the command extracts the source/destination IP and port, communication direction, query type, domain, response status, and the IP address of the first A record. The query, answer, additional, and authority section records are also provided as arrays.
The queries field is assigned only when there are 2 or more query records. The answers, additionals, and authorities fields are each assigned only when there is at least 1 record.
This command supports parallel execution and runs on the Data Node in a distributed environment.
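As an added illustration of the decoding described above (example code, not Logpresso's implementation), the following Python decoder derives the scalar fields from one Ethernet/IPv4/UDP frame: transaction ID as 4-digit hex, direction, first question's domain and type, RCODE mapped to the status names listed above, first A record, and a flags string in the documented form. The IPv4/UDP-only check, the QR-bit direction heuristic and the sample frame are assumptions constructed for this example.

```python
import struct
from ipaddress import ip_address
# RCODE and QTYPE names as decodedns reports them (status and type fields)
RCODES = {0: "NO_ERROR", 1: "FORMAT_ERROR", 2: "SERVER_FAILURE", 3: "NAME_ERROR", 4: "NOT_IMPLEMENTED", 5: "REFUSED"}
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}
def read_name(msg, off):
    """Read a possibly compressed DNS name; return (name, offset just past the field)."""
    labels, end = [], None
    for _ in range(128):                        # bound pointer chasing so a looping message cannot hang us
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer: jump, but remember where the field ended
            end, off = (off + 2 if end is None else end), ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0: break
        labels.append(msg[off:off + length].decode("ascii", "replace")); off += length
    return ".".join(labels), (off if end is None else end)
def decode_dns_frame(frame):
    """Decode one Ethernet/IPv4/UDP frame into decodedns-style fields; None if not IPv4/UDP (assumption)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17: return None
    udp = 14 + (frame[14] & 0x0F) * 4                         # IHL gives the UDP header offset
    src_port, dst_port, udp_len = struct.unpack("!HHH", frame[udp:udp + 6])
    dns = frame[udp + 8:udp + udp_len]                        # UDP length, not frame length: ignores Ethernet padding
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    off, domain, qtype, first_a = 12, None, None, None
    for i in range(qd):                                       # question section: first entry feeds domain/type
        name, off = read_name(dns, off)
        t = struct.unpack("!H", dns[off:off + 2])[0]; off += 4
        if i == 0: domain, qtype = name, QTYPES.get(t, str(t))
    for _ in range(an):                                       # answer section: keep the first A record only
        _, off = read_name(dns, off)
        t, _cls, _ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10]); off += 10
        if t == 1 and rdlen == 4 and first_a is None: first_a = ip_address(dns[off:off + 4])
        off += rdlen
    is_resp = bool(flags & 0x8000)                            # QR bit decides direction (assumed heuristic)
    bits = [n for n, b in (("AA", 0x400), ("TC", 0x200), ("RD", 0x100), ("RA", 0x80)) if flags & b]
    return {"txid": f"{txid:04x}", "src_ip": str(ip_address(frame[26:30])), "src_port": src_port,
            "dst_ip": str(ip_address(frame[30:34])), "dst_port": dst_port, "bytes": len(dns),
            "direction": "s->c" if is_resp else "c->s", "type": qtype, "domain": domain,
            "status": RCODES.get(flags & 0xF, str(flags & 0xF)) if is_resp else None, "ip": str(first_a) if first_a is not None else None,
            "flags": ("standard query response" if is_resp else "standard query") + (f" ({' '.join(bits)})" if bits else "")}
def build_sample_frame():
    """Constructed sample (not a real capture): 192.0.2.53:53 -> 10.0.0.7:40000, example.com A = 192.0.2.1."""
    q = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])   # name = pointer to offset 12
    dns = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + q + ans               # QR=1 RD=1 RA=1 RCODE=0
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes([192, 0, 2, 53]), bytes([10, 0, 0, 7]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp
```

Running `decode_dns_frame(build_sample_frame())` yields direction `s->c`, status `NO_ERROR`, ip `192.0.2.1` and the flags string `standard query response (RD RA)`, the same shape the output-field table describes.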
Examples
- Decoding DNS messages from a PCAP file

  ```
  pcapfile /opt/logpresso/dns-capture.pcap | decodedns
  ```

  Decodes DNS messages from Ethernet frames read from a PCAP file.

- Querying DNS queries for a specific domain

  ```
  pcapfile /opt/logpresso/dns-capture.pcap | decodedns | search domain == "*.example.com" | fields txid, src_ip, domain, type, ip, status
  ```

  Filters DNS queries for subdomains of example.com and retrieves key fields.

- Aggregating DNS response status codes

  ```
  pcapfile /opt/logpresso/dns-capture.pcap | decodedns | search direction == "s->c" | stats count by status
  ```

  Aggregates DNS responses sent from server to client by status code.