[Yeti DNS Discuss] dnscap losing packets?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Jun 17 12:14:40 UTC 2015
On Tue, Jun 16, 2015 at 11:17:08AM +0000, Shane Kerr <shane at biigroup.cn> wrote a message of 48 lines which said:
> What would be interesting to me is to see if you get the same
> results if you copy the filter rule to tcpdump:
Cute idea but it failed.
% sudo dnscap -1 -g -m qun -i eth1 -6 -T -ddd -f
[sudo] password for stephane:
dnscap: version V1.0-OARC-r%d (%s)
dnscap: msg QUN, side IR, hide .., err NYtfsxir, t 0, c 0
dnscap: "( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) ) )"
...
[691] 2015-06-17 12:09:45.060136 [#5 eth1 0] \
[2001:4b98:dc2:45:216:3eff:fe4b:8c5b].53 [2001:67c:1348:7::86:133].52653 \
dns QUERY,NOERROR,3298,qr|rd \
1 va,IN,NS 0 \
8 va,IN,NS,172800,va.cctld.authdns.ripe.net \
va,IN,NS,172800,dns.nic.it \
va,IN,NS,172800,john.vatican.va \
va,IN,NS,172800,seth.namex.it \
va,IN,NS,172800,osiris.namex.it \
va,IN,NS,172800,michael.vatican.va \
va,IN,47,86400,[19] \
va,IN,46,86400,[147] \
13 va.cctld.authdns.ripe.net,IN,A,172800,193.0.9.123 \
dns.nic.it,IN,A,172800,192.12.192.5 \
john.vatican.va,IN,A,172800,212.77.0.110 \
...
[Only the answer]
% sudo tcpdump -i eth1 -n '( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) ) )'
...
12:09:45.059867 IP6 2001:67c:1348:7::86:133.52653 > 2001:4b98:dc2:45:216:3eff:fe4b:8c5b.53: 3298+ [1au] NS? va. (31)
12:09:45.060136 IP6 2001:4b98:dc2:45:216:3eff:fe4b:8c5b.53 > 2001:67c:1348:7::86:133.52653: 3298- 0/8/13 (643)
[Answer and query]