[dns-operations] ncap docs?
Matt.Pounsett at cira.ca
Tue Jan 20 02:29:02 UTC 2009
On 19-Jan-2009, at 19:54 , Paul Vixie wrote:
>> Is there some more complete documentation for ncaptool than the [-
>> output available? The only man page that comes in the package is
>> for the
>> ncap library. In particular I'm hoping to find an explanation of the
>> less obvious components of the text output from ncaptool.
> sadly, not. post your question here and i'll do my best.
Okay.. Here's some sample data I've anonymized. I don't think that should
make a difference for the things I'm wondering about.. but let me know
if it does.
[66 nf -] 2009-01-07 16:25:00.689139000 [00000002 cd9ff643] \
[xxx.xxx.xxx.xxx].53 [xxx.xxx.xxx.xxx].27969 udp \
dns QUERY,NOERROR,19019,qr|aa|ra \
1 example.dom,IN,MX \
1 example.dom,IN,MX,1800,10,mail.example.dom 0 \
In the first line, the date and time is obvious. The first and last
sets of data enclosed in square braces escape me, though.
In the flags line, can the 'dns' at the beginning be anything else?
I'm assuming it signifies that ncap is decoding DNS protocol, but I
thought that's all it did, which would make that field a constant,
which would seem redundant. So I suspect my assumption is either
wrong or incomplete.
In the same line, between NOERROR and the flags, I'm assuming that's
In the answer, what's the zero at the end of the line?
And finally, when there are only three sections, is there a way to
determine from format the difference between authority and additional,
or does one just have to assume that a third section with NS records
in it is authority, and without is additional?
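As an added example, not code from this thread or from the ncap package, here is a small Python parser that splits the record quoted above into its visible parts. It assumes that a trailing backslash continues the record on the next line, keeps both bracketed groups around the timestamp as opaque strings, and treats each section after the "dns" summary as a count followed by that many comma-separated entries; none of those readings is confirmed by the thread.

```python
"""Parse an ncaptool text record, as quoted in the post, into fields.

Added example, not code from the thread or the ncap package. Assumptions the
thread does not confirm: a trailing backslash continues the record; the two
bracketed groups around the timestamp are opaque; after the "dns" summary each
message section is a count followed by that many comma-separated entries.
"""
import re

# Constructed sample: the record from the post, anonymized addresses kept.
SAMPLE = r"""[66 nf -] 2009-01-07 16:25:00.689139000 [00000002 cd9ff643] \
[xxx.xxx.xxx.xxx].53 [xxx.xxx.xxx.xxx].27969 udp \
dns QUERY,NOERROR,19019,qr|aa|ra \
1 example.dom,IN,MX \
1 example.dom,IN,MX,1800,10,mail.example.dom 0 \
"""

_HEAD = re.compile(r"\[(?P<hdr>[^\]]*)\]\s+(?P<ts>\S+ \S+)\s+\[(?P<trl>[^\]]*)\]\s+(?P<rest>.*)$")
_ENDPOINT = re.compile(r"\[(?P<addr>[^\]]+)\]\.(?P<port>\d+)$")


def _endpoint(tok):
    # "[addr].port" -> (addr, port)
    m = _ENDPOINT.match(tok)
    if not m:
        raise ValueError("bad endpoint: " + tok)
    return m.group("addr"), int(m.group("port"))


def parse_record(text):
    """Return a dict with header, timestamp, endpoints, DNS summary and sections."""
    # Join backslash-continued physical lines into one logical record.
    parts = []
    for line in text.splitlines():
        line = line.rstrip()
        parts.append(line[:-1].rstrip() if line.endswith("\\") else line)
    m = _HEAD.match(" ".join(p for p in parts if p))
    if not m:
        raise ValueError("unrecognised record header")
    toks = m.group("rest").split()
    if len(toks) < 5 or toks[3] != "dns":
        raise ValueError("not a dns record")
    opcode, rcode, msg_id, flags = toks[4].split(",")
    rec = {"header": m.group("hdr"), "timestamp": m.group("ts"), "trailer": m.group("trl"),
           "src": _endpoint(toks[0]), "dst": _endpoint(toks[1]), "proto": toks[2],
           "opcode": opcode, "rcode": rcode, "id": int(msg_id),
           "flags": set(flags.split("|")), "sections": []}
    i = 5
    while i < len(toks):  # each section: a count, then that many entries
        n = int(toks[i]); i += 1
        rec["sections"].append([e.split(",") for e in toks[i:i + n]]); i += n
    return rec
```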