doc: update docs for DNS flags logging

diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 5a904f43b140f3ef5c28d4127d382e365ac1767b..7f495b0224e67c703ceb5c467c54c84478bb0bdc 100644 (file)
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -183,7 +183,14 @@ Fields
 Outline of fields seen in the different kinds of DNS events:
 
 * "type": Indicating DNS message type, can be "answer" or "query".
-* "id": <needs explanation>
+* "id": Identifier field
+* "flags": Indicating DNS answer flag, in hexadecimal (ex: 8180 , please note 0x is not output)
+* "qr": Indicating in case of DNS answer flag, Query/Response flag (ex: true if set)
+* "aa": Indicating in case of DNS answer flag, Authoritative Answer flag (ex: true if set)
+* "tc": Indicating in case of DNS answer flag, Truncation flag (ex: true if set)
+* "rd": Indicating in case of DNS answer flag, Recursion Desired flag (ex: true if set)
+* "ra": Indicating in case of DNS answer flag, Recursion Available flag (ex: true if set)
+* "rcode": (ex: NOERROR)
 * "rrname": Resource Record Name (ex: a domain name)
 * "rrtype": Resource Record Type (ex: A, AAAA, NS, PTR)
 * "rdata": Resource Data (ex. IP that domain name resolves to)
@@ -213,6 +220,11 @@ Example of a DNS answer with an IPv4 (resource record type 'A') return:
   "dns": {
       "type": "answer",
       "id":16000,
+      "flags":"8180",
+      "qr":true,
+      "rd":true,
+      "ra":true,
+      "rcode":"NOERROR"
       "rrname": "twitter.com",
       "rrtype":"A",
       "ttl":8,