<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div>Awesome. Thanks for the quick response!</div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Thursday, February 25, 2016 8:42 AM, "Wessels, Duane" &lt;dwessels@verisign.com&gt; wrote:<br></font></div>  <br><br> <div class="y_msg_container">Hello Shawn,<br clear="none"><br clear="none">The message is coming from this part of the dnscap source code in file dump_dns.c:<br clear="none"><br clear="none">     99         if (ns_initparse(payload, paylen, &msg) < 0) {<br clear="none">    100                 fputs(strerror(errno), trace);<br clear="none">    101                 return;<br clear="none">    102         }<br clear="none"><br clear="none"><br clear="none">so ns_initparse() is returning an error and setting errno = EMSGSIZE;<br clear="none"><br clear="none">Here is one place that you can view the ns_initparse() source code, and you can see that it would return EMSGSIZE in some cases:<br clear="none"><br clear="none"><a shape="rect" href="https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/ns_parse.c;h=712469be1d88c58ad475a432c0468a00b35818fe;hb=refs/heads/release/2.23/master" target="_blank">https://sourceware.org/git/?p=glibc.git;a=blob;f=resolv/ns_parse.c;h=712469be1d88c58ad475a432c0468a00b35818fe;hb=refs/heads/release/2.23/master</a><br clear="none"><br clear="none">DW<br clear="none"><br clear="none"><br clear="none"><div class="yqt2924715007" id="yqtfd33554"><br clear="none">> On Feb 24, 2016, at 1:52 PM, Shawn Zhou <<a shape="rect" ymailto="mailto:shawnzhou00@yahoo.com" 
href="mailto:shawnzhou00@yahoo.com">shawnzhou00@yahoo.com</a>> wrote:<br clear="none">> <br clear="none">> Has anyone seen "Message too long" in dnscap output before?<br clear="none">> I wonder where dnscap gets "Message too long" from.<br clear="none">> <br clear="none">> From dnscap:<br clear="none">> [179] 2016-02-24 18:49:13.195337 [#5936 "some interface" 4095] \<br clear="none">>         [10.145.50.95].53 [10.73.201.188].10074  \<br clear="none">>         dns QUERY,NOERROR,52303,qr|rd|ra \<br clear="none">>         1 pixel2368.everesttech.net,IN,AAAA \<br clear="none">>         1 pixel2368.everesttech.net,IN,CNAME,64,tp00.everesttech.net.akadns.net \<br clear="none">>         1 akadns.net,IN,SOA,19,internal.akadns.net,hostmaster.akamai.com,1456339592,90000,90000,90000,180 0<br clear="none">> [513] 2016-02-24 18:49:13.195401 [#5937 "some interface" 4095] \<br clear="none">>         [10.145.50.95].53 [10.73.201.188].23275  \<br clear="none">>         dns Message too long<br clear="none">> [73] 2016-02-24 18:49:13.195566 [#5938 "some interface" 4095] \<br clear="none">>         [216.145.54.155].26802 [10.145.50.95].53  \<br clear="none">>         dns QUERY,NOERROR,62586,rd \<br clear="none">> <br clear="none">> tcpdump did show that 10.145.50.95 sent the response to 10.73.201.188:<br clear="none">> 18:49:13.195291 IP 10.73.201.188.10074 > 10.145.50.95.53: 52303+ AAAA? pixel2368.everesttech.net. (43)<br clear="none">> 18:49:13.195294 IP 10.145.50.95.53 > 10.73.201.188.51695: 37426 10/10/2 CNAME akamai-pixel.quantserve.com.akadns.net., CNAME px-lax007.quantserve.com.akadns.net., A 64.95.32.44, A 64.95.32.36, A 64.95.32.22, A 64.95.32.23, A 64.95.32.29, A 64.95.32.39, A 64.95.32.47, A 64.95.32.34 (498)<br clear="none">> 18:49:13.195299 IP 10.145.50.95.53 > 10.73.201.188.27723: 63678 2/1/0 CNAME akamai-pixel.quantserve.com.akadns.net., CNAME px-lax007.quantserve.com.akadns.net. 
(177)<br clear="none">> 18:49:13.195337 IP 10.145.50.95.53 > 10.73.201.188.10074: 52303 1/1/0 CNAME tp00.everesttech.net.akadns.net. (151)<br clear="none">> 18:49:13.195401 IP 10.145.50.95.53 > 10.73.201.188.23275: 58794 2/10/10 CNAME tp00.everesttech.net.akadns.net., A 192.243.232.36 (485)</div><br clear="none">> _______________________________________________<br clear="none">> dnscap-users mailing list<br clear="none">> <a shape="rect" ymailto="mailto:dnscap-users@lists.dns-oarc.net" href="mailto:dnscap-users@lists.dns-oarc.net">dnscap-users@lists.dns-oarc.net</a><br clear="none">> <a shape="rect" href="https://lists.dns-oarc.net/mailman/listinfo/dnscap-users" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dnscap-users</a><div class="yqt2924715007" id="yqtfd63813"><br clear="none"></div><br><br></div>  </div> </div>  </div></div></body></html>