Year of Python (YOP) – Week Forty Six

16Nov15

Hello Reader!

This week we continue our Windows DNS log parsing script.  Most of this script consists of the functions I created to parse the data.

First up is the function that parses out the Opcode field of the log.  This field has four possible options, and I’m just taking the value in the log and then returning what it means.  As always the easiest way to store this information is in a dictionary.

# This parses the opcode value
def dns_opcode_parse(opcode):
    # Map the one-character opcode from the log to what it means
    dns_opcode = { "Q" : "Standard Query",
                   "N" : "Notify",
                   "U" : "Update",
                   "?" : "Unknown"}
    opcode = dns_opcode[opcode]
    return opcode

The next function in this script parses out the DNS Flag Character codes in the log file.  Again I’m following the same formula as before, using a dictionary to track the possible values.  However, the added trick here is that the field can hold more than one value.  So what I’m doing is breaking the field into its individual characters, looking each one up in the dictionary, and then returning all the values.

# This parses the DNS Flag Character codes
def dns_flags_parse(flag):
    dns_flags = { "A" : "Authoritative Answer",
                  "T" : "Truncated Response",
                  "D" : "Recursion Desired",
                  "R" : "Recursion Available"}
    # The field may hold several flag letters, e.g. "DR", so look up each one
    flaglist = list(flag)
    flag_values = []
    for flag_letter in flaglist:
        flag_values.append(dns_flags[flag_letter])
    return flag_values

Next up is a function to deal with the DNS question name, the last field in each line of the log.  I was looking to make it easier to read, so I’m removing the parentheses and the numbers contained within them, and replacing them with periods.  When I return the result, I’m stripping off the first period that comes at the start of that field.

import re

# This removes the (#) from the hostnames and replaces them with periods
def dns_question_name_parse(dns_name):
    # Raw string so the backslashes reach the regex engine intact
    fix_dns_name = re.sub(r'\(\d+\)', '.', dns_name)
    # Drop the leading period left by the first (#) label count
    return fix_dns_name[1:]

Finally, the last function goes through and parses each line of the log file.  This was tricky to put together, and it may not catch everything.  The issue with the log is that in some cases the number of fields per line changes based on the DNS Query Response field.  It only has two values, being blank or a “Q”.  To determine whether the field is blank, I check whether that token is a “Q”; if it is, I assume the Query Response code value is blank, so I have to shift everything over by one.

I also have to look at the Response Code value.  Its value determines which fields may appear in the remainder of the line.

(I’m not posting the snippet of this section of code since it’s so long)
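As an added example of that field-shifting logic, not code from the post or the YOP repository: the function below tokenises a Windows DNS debug-log packet line, treats the token after the transaction ID as the opcode when it is one of the four opcode letters (meaning the blank Query/Response column was swallowed by split()), and reads the bracketed flags block up to its closing bracket so a blank character-flag column cannot shift the later fields either. The two log lines, and the names parse_dns_line, parse_dns_log and SAMPLE_LOG, are constructed for this example; the question name is cleaned with strip('.') rather than the one-character slice used above.

```python
import re

OPCODES = {"Q": "Standard Query", "N": "Notify", "U": "Update", "?": "Unknown"}
FLAGS = {"A": "Authoritative Answer", "T": "Truncated Response",
         "D": "Recursion Desired", "R": "Recursion Available"}

# Constructed sample in the Windows DNS debug-log packet layout (not a real capture):
# a query with a blank Query/Response column, then its response carrying the "R" marker.
SAMPLE_LOG = """\
11/16/2015 9:00:01 AM 0B4C PACKET  000000000A1B2C3D UDP Rcv 192.168.1.10    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
11/16/2015 9:00:01 AM 0B4C PACKET  000000000A1B2C3D UDP Snd 192.168.1.10    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
"""

def parse_dns_line(line):
    """Return a dict of named fields, or None for lines that are not packet records."""
    tok = line.split()
    if len(tok) < 12 or tok[4] != "PACKET":
        return None
    rec = {"date": tok[0], "time": tok[1] + " " + tok[2], "thread_id": tok[3],
           "packet_id": tok[5], "protocol": tok[6], "direction": tok[7],
           "remote_ip": tok[8], "xid": tok[9]}
    i = 10
    # split() drops a blank Query/Response column, so an opcode letter right after
    # the XID means the column was blank; otherwise this token is the response marker.
    if tok[i] in OPCODES:
        rec["query_response"] = ""
    else:
        rec["query_response"] = tok[i]
        i += 1
    rec["opcode"] = OPCODES.get(tok[i], "Unknown")
    i += 1
    # Bracketed [hexflags charflags rcode]; gather up to "]" since charflags may be blank.
    block = []
    while i < len(tok):
        block.append(tok[i])
        i += 1
        if block[-1].endswith("]"):
            break
    rec["flags_hex"] = block[0].lstrip("[")
    rec["rcode"] = block[-1].rstrip("]")
    chars = block[1] if len(block) == 3 else ""
    rec["flags"] = [FLAGS.get(c, "Unknown flag " + c) for c in chars]
    # Question type and name are only present when the record carries them.
    rec["qtype"] = tok[i] if i < len(tok) else ""
    rec["qname"] = re.sub(r"\(\d+\)", ".", tok[i + 1]).strip(".") if i + 1 < len(tok) else ""
    return rec

def parse_dns_log(text):
    # Parse every packet line, skipping header and blank lines
    return [r for r in (parse_dns_line(ln) for ln in text.splitlines()) if r]
```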

And then I wrap up the script by going through the log, parsing out the fields, and then writing it to a CSV file.

Until next week!

https://github.com/CdtDelta/YOP
