Best Guess log ports flipped

[ee-hex-ee]

My results in bestguess.log are backward. The instances I have matching are destination port 53 and source port 44818. This is flagging ENIP/Rockwell traffic for some reason where this is actually DNS information in the log itself.

Log included below:

_id | 240607-05oaX25Uxhve6rY1BowhNA
_index | arkime_sessions3-240607
_score | 1
_type | -
agent.name | redacted
destination.as.full | AS15169 Google LLC
destination.geo.continent_code | NA
destination.geo.country_code2 | US
destination.geo.country_code3 | US
destination.geo.country_iso_code | US
destination.geo.country_name | United States
destination.geo.ip | 8.8.4.4
destination.geo.latitude | 37.751
destination.geo.location | {   "lon": -97.822,   "lat": 37.751 }
destination.geo.longitude | -97.822
destination.geo.timezone | America/Chicago
destination.ip | 8.8.4.4
destination.ip_reverse_dns | dns.google
destination.port | 53
ecs.version | 8.0.0
event.dataset | bestguess
event.end | Jun 7, 2024 @ 15:22:07.333
event.hash | 05oaX25Uxhve6rY1BowhNA
event.id | CQA9u54A1rzYJDLfIc
event.ingested | Jun 7, 2024 @ 15:27:32.290
event.kind | event
event.provider | zeek
event.risk_score | 20
event.risk_score_norm | 20
event.severity | 20
event.severity_tags | Outbound traffic
event.start | Jun 7, 2024 @ 15:22:07.333
firstPacket | Jun 7, 2024 @ 15:22:07.333
host.name | redacted
ipProtocol | 6
lastPacket | Jun 7, 2024 @ 15:22:07.333
length | 0
log.file.path | bestguess.log
network.direction | outbound
network.iana_number | 6
network.transport | tcp
network.type | ipv4
node | sigmadev
protocol | tcp
related.ip | 192.168.65.50, 8.8.4.4
rootId | CQA9u54A1rzYJDLfIc
source.ip | 192.168.65.50
source.port | 44,818
tags | ics_best_guess
timestamp | Jun 7, 2024 @ 15:22:07.333
zeek.bestguess.category | Rockwell Automation
zeek.bestguess.name | Rockwell Encapsulation
zeek.ts | Jun 7, 2024 @ 15:22:07.333
zeek.uid | CQA9u54A1rzYJDLfIc

Malcolm Version: Malcolm v24.03.1

[ee-hex-ee]

noticed reverse DNS. disregard.