[dns-operations] ncap docs?

Matthew Pounsett Matt.Pounsett at cira.ca
Tue Jan 20 02:29:02 UTC 2009

On 19-Jan-2009, at 19:54 , Paul Vixie wrote:

>> Is there some more complete documentation for ncaptool than the [-h]elp
>> output available?  The only man page that comes in the package is for the
>> ncap library.  In particular I'm hoping to find an explanation of the
>> less obvious components of the text output from ncaptool.
>> Matt
> sadly, not.  post your question here and i'll do my best.

Okay..  Here's some sample data I've anonymized.  I don't think that should
make a difference for the things I'm wondering about.. but let me know
if it does.

[66 nf -] 2009-01-07 16:25:00.689139000 [00000002 cd9ff643] \
	[xxx.xxx.xxx.xxx].53 [xxx.xxx.xxx.xxx].27969 udp \
	dns QUERY,NOERROR,19019,qr|aa|ra \
	1 example.dom,IN,MX \
	1 example.dom,IN,MX,1800,10,mail.example.dom 0 \
	1 mail.example.dom,IN,A,1800,xxx.xxx.xxx.xxx

In the first line, the date and time is obvious.  The first and last  
sets of data enclosed in square braces escape me, though.

In the flags line, can the 'dns' at the beginning be anything else?   
I'm assuming it signifies that ncap is decoding DNS protocol, but I  
thought that's all it did, which would make that field a constant,  
which would seem redundant.  So I suspect my assumption is either  
wrong or incomplete.

In the same line, between NOERROR and the flags, I'm assuming that's  
the QID.

In the answer, what's the zero at the end of the line?

And finally, when there are only three sections, is there a way to  
determine from format the difference between authority and additional,  
or does one just have to assume that a third section with NS records  
in it is authority, and without is additional?

Thanks Paul!
