flows with DNS messages ended due to idle timeout #23
Description
When extracting flows using the following command:
go-flows run features config.json export csv out.csv source libpcap capture.pcap
the flowEndReason for all flows containing DNS query and response messages is idle timeout (1), but end of Flow detected (3) could be assigned after a DNS response is obtained instead of waiting for the end of idle timeout.
To get all DNS flows in out.csv using the Python pandas library:
import pandas as pd
all_flows = pd.read_csv('out.csv')
dns_flows = all_flows[(all_flows['sourceIPAddress']=='192.168.1.195') & (all_flows['destinationIPAddress']=='192.168.1.1') & (all_flows['protocolIdentifier']==17)]
attached files:
- capture.pcap: traffic capture with DNS packets
- config.json: go-flows configuration used to extract flows from capture.pcap
- out.csv: file containing the extracted flows