[Yeti DNS Discuss] dnscap losing packets?

龚道彪 dbgong at biigroup.cn
Thu Jun 18 03:39:00 UTC 2015


Hi Paul and Stephane,


Maybe I found the reason.
When your host is multihomed, dnscap will only capture on one NIC.


e.g.:
eth0: 240c:f::11(nameserver address)
eth1: 240c:e::12    gateway 240c:e::1


dump:
./dnscap -m qun  -i eth0 -w eth0&
./dnscap -m qun  -i eth1 -w eth1&


dns query: 
dig @240c:f::11 . ns


pkill dnscap


result on pcap file:
eth0: get the query only
eth1: get the response only


Stephane, is your host multihomed?


 ---
Kevin
BII
 
------------------ Original ------------------
From:  "Paul Vixie"<paul at redbarn.org>;
Date:  Wed, Jun 17, 2015 10:07 PM
To:  "Stephane Bortzmeyer"<bortzmeyer at nic.fr>; 
Cc:  "discuss"<discuss at lists.yeti-dns.org>; 
Subject:  Re: [Yeti DNS Discuss] dnscap losing packets?

 


Stephane Bortzmeyer wrote:
> On Tue, Jun 16, 2015 at 11:17:08AM +0000,
>  Shane Kerr <shane at biigroup.cn> wrote 
>  a message of 48 lines which said:
>
>> What would be interesting to me is to see if you get the same
>> results if you copy the filter rule to tcpdump:
>
> Cute idea but it failed.

i think it succeeded. you've got a test case for an obvious bug. would
you mind trying this in a pure ipv4 environment and letting us know if
this bug is ipv6-only?

also, the github.com/verisign version is open source, so if you develop
a fix for this bug before i do, i'll help you get it committed.

re:

> % sudo dnscap -1  -g  -m qun  -i eth1 -6 -T -ddd -f
> [sudo] password for stephane: 
> dnscap: version V1.0-OARC-r%d (%s)
> dnscap: msg QUN, side IR, hide .., err NYtfsxir, t 0, c 0
> dnscap: "( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) ) )"
> ...
> [691] 2015-06-17 12:09:45.060136 [#5 eth1 0] \
>         [2001:4b98:dc2:45:216:3eff:fe4b:8c5b].53 [2001:67c:1348:7::86:133].52653  \
>         dns QUERY,NOERROR,3298,qr|rd \
>         1 va,IN,NS 0 \
>         8 va,IN,NS,172800,va.cctld.authdns.ripe.net \
>         va,IN,NS,172800,dns.nic.it \
>         va,IN,NS,172800,john.vatican.va \
>         va,IN,NS,172800,seth.namex.it \
>         va,IN,NS,172800,osiris.namex.it \
>         va,IN,NS,172800,michael.vatican.va \
>         va,IN,47,86400,[19] \
>         va,IN,46,86400,[147] \
>         13 va.cctld.authdns.ripe.net,IN,A,172800,193.0.9.123 \
>         dns.nic.it,IN,A,172800,192.12.192.5 \
>         john.vatican.va,IN,A,172800,212.77.0.110 \
> ...
>
> [Only the answer]
>
> % sudo tcpdump -i eth1 -n '( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 ) or ( udp port 53) ) ) )'
> ...
> 12:09:45.059867 IP6 2001:67c:1348:7::86:133.52653 > 2001:4b98:dc2:45:216:3eff:fe4b:8c5b.53: 3298+ [1au] NS? va. (31)
> 12:09:45.060136 IP6 2001:4b98:dc2:45:216:3eff:fe4b:8c5b.53 > 2001:67c:1348:7::86:133.52653: 3298- 0/8/13 (643)
>
> [Answer and query]
>
> _______________________________________________
> discuss mailing list
> discuss at lists.yeti-dns.org
> http://lists.yeti-dns.org/mailman/listinfo/discuss

-- 
Paul Vixie
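
Added example (not part of the original messages, and not dnscap code): a check that pairs DNS queries with responses across per-interface captures, to tell real packet loss from the split described above, where the query arrives on one NIC and the response leaves on another. It assumes tcpdump -n one-line output like that quoted in the thread; the function names and the sample lines (timestamps, client addresses, IDs) are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump -n one-line DNS format, as in the output quoted in the thread.
LINE = re.compile(r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
                  r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<id>\d+)(?P<rest>.*)$")

def parse(line):
    """Return ((client, server, dns_id), kind) or None for a non-DNS line."""
    m = LINE.match(line)
    if not m:
        return None
    # Heuristic: responses print answer/authority/additional counts (0/8/13).
    is_resp = re.search(r"\b\d+/\d+/\d+\b", m["rest"]) is not None
    src, dst = (m["src"], m["sport"]), (m["dst"], m["dport"])
    client, server = (dst, src) if is_resp else (src, dst)
    return (client, server, int(m["id"])), "response" if is_resp else "query"

def classify(captures):
    """captures: {interface: [tcpdump lines]} -> {transaction: verdict}."""
    seen = defaultdict(lambda: {"query": set(), "response": set()})
    for iface, lines in captures.items():
        for rec in filter(None, map(parse, lines)):
            key, kind = rec
            seen[key][kind].add(iface)
    verdicts = {}
    for key, s in seen.items():
        if not s["response"]:
            verdicts[key] = "query-only"
        elif not s["query"]:
            verdicts[key] = "response-only"
        elif s["query"] & s["response"]:
            verdicts[key] = "paired"
        else:
            verdicts[key] = "split"   # both halves exist, on different NICs
    return verdicts

# Constructed sample: server address from the eth0 example, documentation ranges otherwise.
SAMPLE = {
    "eth0": ["03:39:00.000100 IP6 2001:db8::53.40000 > 240c:f::11.53: 1001+ NS? . (17)",
             "03:39:01.000100 IP 192.0.2.7.53001 > 192.0.2.1.53: 1002+ A? example. (25)",
             "03:39:01.000300 IP 192.0.2.1.53 > 192.0.2.7.53001: 1002 1/0/0 A 192.0.2.9 (41)"],
    "eth1": ["03:39:00.000400 IP6 240c:f::11.53 > 2001:db8::53.40000: 1001- 0/8/13 (643)"],
}

if __name__ == "__main__":
    for iface in SAMPLE:
        print(iface, "alone:", classify({iface: SAMPLE[iface]}))
    print("merged:", classify(SAMPLE))
```

A transaction reported as "split" in the merged view but as query-only or response-only per interface points to asymmetric routing rather than dropped packets.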