[dns-operations] ncap docs?

Matthew Pounsett Matt.Pounsett at cira.ca
Tue Jan 20 04:45:46 UTC 2009


On 19-Jan-2009, at 22:55 , Paul Vixie wrote:

>> Okay..  Here's some sample data I've anonymized.  I don't that should
>> make a difference for the things I'm wondering about.. but let me  
>> know if
>> it does.
>>
>> [66 nf -] 2009-01-07 16:25:00.689139000 [00000002 cd9ff643] \
>> 	[xxx.xxx.xxx.xxx].53 [xxx.xxx.xxx.xxx].27969 udp \
>> 	dns QUERY,NOERROR,19019,qr|aa|ra \
>> 	1 example.dom,IN,MX \
>> 	1 example.dom,IN,MX,1800,10,mail.example.dom 0 \
>> 	1 mail.example.dom,IN,A,1800,xxx.xxx.xxx.xxx
>>
>> In the first line, the date and time is obvious.  The first and last
>> sets of data enclosed in square braces escape me, though.
>
> that's user1 and user2, which are mentioned in ncap(3).  you must have

Okay.. that's the second set of data in brackets.  What is the first  
(at the beginning of the line?)

>
> got this sample from ISC SIE since our custom is to use user2 to  
> contain
> the hash of the submitter's authorized_keys file.  therefore i know  
> which
> member's data that was before you anonymized it.  :-).

Heh.  It is indeed.  :)

> yes.  in dump_dns.c, as contained in both the dnscap and ncap  
> tarballs,
> the function dump_dns() looks like this:

Ah, okay thanks for the pointer to the right place in the code.  My C  
is extremely rusty.. it would have taken me forever to find that.

>> In the answer, what's the zero at the end of the line?
>
> each dump_dns_sect() as shown above emits a number which is the  
> count of
> records in a section.  the 0 you're seeing after the answer is  
> telling you
> that the authority section is empty.

That answers my next question, then (even though you went on to answer  
it in more detail anyway .. thanks!).

> i did it this way deliberately so that i wouldn't waste a newline on  
> an
> empty section.  obviously this whole format is designed to be read  
> by a
> perl script rather than a human.  the "ncaptool-dnsparse.pl" script in
> the ncap source tarball is such a script if you want a starting point.

I'll have a look at that.

Thanks for the new detail!
Matt


-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090119/14f1ab84/attachment.sig>


More information about the dns-operations mailing list