[Yeti DNS Discuss] dnscap losing packets?

[Shane Kerr]

Stephane,

On Mon, 15 Jun 2015 21:53:30 +0200
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Fri, Jun 12, 2015 at 07:23:14AM -0700,
>  Paul Vixie <paul at redbarn.org> wrote 
>  a message of 4 lines which said:
> 
> > the latest dnscap is duane's fork
> > (https://github.com/verisign/dnscap)
> 
> I tried this one, which is now running on dahu1.yeti.eu.org. At first
> glance, no change (I leave it running to see if it gets better).
> 
> Seen by 'tcpdump -i eth1 -n port 53':
> 
> 19:41:08.652076 IP6 2a01:e35:8bd9:8bb0:666:6c7c:9bed:b390.44677 > 2001:4b98:dc2:45:216:3eff:fe4b:8c5b.53: 25748+ [1au] SOA? . (28)
> 19:41:08.652292 IP6 2001:4b98:dc2:45:216:3eff:fe4b:8c5b.53 > 2a01:e35:8bd9:8bb0:666:6c7c:9bed:b390.44677: 25748*- 2/8/8 SOA, RRSIG (789)
> 
> Seen by 'dnscap -1  -g  -m qun  -i eth1 -6 -T -f' at the same moment
> (the query is lost):

If you run dnscap with a few "-d" arguments, then it will tell you the
bpf rule that it is using:

$ sudo ./dnscap -1  -g  -m qun  -i eth1 -6 -T -f -ddd
dnscap: version V1.0-OARC-r%d (%s)
dnscap: msg QUN, side IR, hide .., err NYtfsxir, t 0, c 0
dnscap: "( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) ) )"
dnscap: pcap open: eth1: No such device exists (SIOCGIFHWADDR: No such device)

(I cut & pasted your run, added "-ddd". It failed because this VM
doesn't happen to have eth1... which is fine for what I want here. :)

What would be interesting to me is to see if you get the same results
if you copy the filter rule to tcpdump:

$ sudo tcpdump -i eth1 -U ""( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) ) )"

As far as I understand things, this should basically be using the same
libpcap filtering and give the same results...

Cheers,

--
Shane