[Yeti DNS Discuss] dnscap losing packets?
shane at biigroup.cn
Tue Jun 16 11:17:08 UTC 2015
On Mon, 15 Jun 2015 21:53:30 +0200
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Fri, Jun 12, 2015 at 07:23:14AM -0700,
> Paul Vixie <paul at redbarn.org> wrote
> a message of 4 lines which said:
> > the latest dnscap is duane's fork
> > (https://github.com/verisign/dnscap)
> I tried this one, which is now running on dahu1.yeti.eu.org. At first
> glance, no change (I leave it running to see if it gets better).
> Seen by 'tcpdump -i eth1 -n port 53':
> 19:41:08.652076 IP6 2a01:e35:8bd9:8bb0:666:6c7c:9bed:b390.44677 > 2001:4b98:dc2:45:216:3eff:fe4b:8c5b.53: 25748+ [1au] SOA? . (28)
> 19:41:08.652292 IP6 2001:4b98:dc2:45:216:3eff:fe4b:8c5b.53 > 2a01:e35:8bd9:8bb0:666:6c7c:9bed:b390.44677: 25748*- 2/8/8 SOA, RRSIG (789)
> Seen by 'dnscap -1 -g -m qun -i eth1 -6 -T -f' at the same moment
> (the query is lost):
If you run dnscap with a few "-d" arguments, then it will tell you the
bpf rule that it is using:
$ sudo ./dnscap -1 -g -m qun -i eth1 -6 -T -f -ddd
dnscap: version V1.0-OARC-r%d (%s)
dnscap: msg QUN, side IR, hide .., err NYtfsxir, t 0, c 0
dnscap: "( ( ip[6:2] & 0x1fff != 0 or ip6 = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) ) )"
dnscap: pcap open: eth1: No such device exists (SIOCGIFHWADDR: No such device)
(I cut & pasted your run, added "-ddd". It failed because this VM
doesn't happen to have eth1... which is fine for what I want here. :)
What would be interesting to me is to see if you get the same results
if you copy the filter rule to tcpdump:
$ sudo tcpdump -i eth1 -U ""( ( ip[6:2] & 0x1fff != 0 or ip6 = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) ) )"
As far as I understand things, this should basically be using the same
libpcap filtering and give the same results...
More information about the discuss