[dns-operations] ncap docs?
Matt.Pounsett at cira.ca
Tue Jan 20 04:45:46 UTC 2009
On 19-Jan-2009, at 22:55 , Paul Vixie wrote:
>> Okay.. Here's some sample data I've anonymized. I don't that should
>> make a difference for the things I'm wondering about.. but let me
>> know if
>> it does.
>> [66 nf -] 2009-01-07 16:25:00.689139000 [00000002 cd9ff643] \
>> [xxx.xxx.xxx.xxx].53 [xxx.xxx.xxx.xxx].27969 udp \
>> dns QUERY,NOERROR,19019,qr|aa|ra \
>> 1 example.dom,IN,MX \
>> 1 example.dom,IN,MX,1800,10,mail.example.dom 0 \
>> 1 mail.example.dom,IN,A,1800,xxx.xxx.xxx.xxx
>> In the first line, the date and time is obvious. The first and last
>> sets of data enclosed in square braces escape me, though.
> that's user1 and user2, which are mentioned in ncap(3). you must have
Okay.. that's the second set of data in brackets. What is the first
(at the beginning of the line?)
> got this sample from ISC SIE since our custom is to use user2 to
> the hash of the submitter's authorized_keys file. therefore i know
> member's data that was before you anonymized it. :-).
Heh. It is indeed. :)
> yes. in dump_dns.c, as contained in both the dnscap and ncap
> the function dump_dns() looks like this:
Ah, okay thanks for the pointer to the right place in the code. My C
is extremely rusty.. it would have taken me forever to find that.
>> In the answer, what's the zero at the end of the line?
> each dump_dns_sect() as shown above emits a number which is the
> count of
> records in a section. the 0 you're seeing after the answer is
> telling you
> that the authority section is empty.
That answers my next question, then (even though you went on to answer
it in more detail anyway .. thanks!).
> i did it this way deliberately so that i wouldn't waste a newline on
> empty section. obviously this whole format is designed to be read
> by a
> perl script rather than a human. the "ncaptool-dnsparse.pl" script in
> the ncap source tarball is such a script if you want a starting point.
I'll have a look at that.
Thanks for the new detail!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 194 bytes
Desc: This is a digitally signed message part
More information about the dns-operations