DNS Chain
This module contains the DNSChain flow analysis chain which can be used by PATHspider’s Observer for recording Domain Name System [RFC1035] details.

class pathspider.chains.dns.DNSChain

This flow analysis chain records details from Domain Name System application data.

Field Name          Type  Meaning
dns_response_valid  bool  The flow contained a valid DNS response

new_flow(rec, ip)

For a new flow, all fields will be initialised to False.

Parameters:
- rec (dict) – the flow record
- ip (plt.ip or plt.ip6) – the IP or IPv6 packet that triggered the creation of a new flow record

Returns: Always True
Return type: bool

tcp(rec, tcp, rev)

Records DNS details from a TCP segment.

DNS Response
    If the packet contains a payload, an attempt is made to parse it and, if successful, the dns_response_valid field is set to True if it was a response (not a query).

Parameters:
- rec (dict) – the flow record
- tcp – the TCP packet that was observed to be part of this flow
- rev (bool) – True if the packet was in the reverse direction, False if in the forward direction

Returns: False if a valid DNS response has been seen, otherwise True
Return type: bool

udp(rec, udp, rev)

Records DNS details from a UDP datagram.

DNS Response
    If the packet contains a payload, an attempt is made to parse it and, if successful, the dns_response_valid field is set to True if it was a response (not a query).

Parameters:
- rec (dict) – the flow record
- udp – the UDP packet that was observed to be part of this flow
- rev (bool) – True if the packet was in the reverse direction, False if in the forward direction

Returns: False if a valid DNS response has been seen, otherwise True
Return type: bool
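
The contract documented for new_flow, udp and tcp, as an added sketch that is not PATHspider's own code: a standard-library stand-in (SketchDNSChain, observe, is_dns_response, skip_name and build_msg are hypothetical names) that takes raw payload bytes where the real methods receive packet objects. It assumes DNS over TCP carries the two-byte length prefix of RFC 1035; QUERY and RESPONSE are constructed sample messages.

```python
import struct

def skip_name(msg, off):  # offset just past the name at off, or None if malformed
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0:  # compression pointer (0b11) ends the name; other types rejected
            return off + 2 if n & 0xC0 == 0xC0 and off + 2 <= len(msg) else None
        off += 1 + n
    return None

def is_dns_response(payload, over_tcp=False):
    """True if payload parses as a DNS message with the QR bit set."""
    if over_tcp:  # assumed framing: two-byte length prefix before the message
        length = int.from_bytes(payload[:2], "big")
        if len(payload) < 2 or len(payload) - 2 < length:
            return False
        payload = payload[2:2 + length]
    if len(payload) < 12:
        return False
    _id, flags, qdcount = struct.unpack("!3H", payload[:6])
    off = 12
    for _ in range(qdcount):  # every question must parse, else treat as junk
        off = skip_name(payload, off)
        if off is None or off + 4 > len(payload):
            return False
        off += 4  # QTYPE and QCLASS
    return bool(flags & 0x8000)  # QR=1 is a response, QR=0 a query

class SketchDNSChain:  # hypothetical stand-in, not pathspider.chains.dns.DNSChain
    def new_flow(self, rec, ip):
        rec["dns_response_valid"] = False  # every field starts as False
        return True
    def observe(self, rec, payload, over_tcp):  # payload: raw bytes (assumption)
        if payload and is_dns_response(payload, over_tcp):
            rec["dns_response_valid"] = True
        return not rec["dns_response_valid"]  # False once a response was seen
    def udp(self, rec, payload, rev):
        return self.observe(rec, payload, over_tcp=False)
    def tcp(self, rec, payload, rev):
        return self.observe(rec, payload, over_tcp=True)

def build_msg(flags, ancount=0, answers=b""):  # constructed: example.com, A, IN
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0) + question + answers

QUERY = build_msg(0x0100)
ANSWER = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
RESPONSE = build_msg(0x8180, 1, ANSWER)
```

A query, an empty payload or a truncated message leaves dns_response_valid at False and the method keeps returning True; the first well-formed response flips the field and the return value.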