[dnscap-users] dnscap 1.2.0 dropping packets vs version 20160205?

Wessels, Duane dwessels at verisign.com
Wed Nov 30 22:29:35 UTC 2016


Paul,

I did another little test here with our live traffic.  I ran dnscap-20160205 and dnscap-1.2.0 in two separate windows with these parameters (e.g. 10 time span):

$ sudo ./dnscap -f -m q -s i -i ens1f1 -t 10 -T -w /disk2/tmp/dnscap-old
$ sudo ./dnscap -f -m q -s i -i ens1f1 -t 10 -T -w /disk2/tmp/dnscap-new

Then I counted the number of packets captured in each 10-second file, shown in the table below.  In most cases the newer v1.2.0 wins by a little:

start time       v20160205    v1.2.0
---------------  ---------  --------
20161130.221220     841709    938803
20161130.221230     913349    948758
20161130.221240     813905    839441
20161130.221250     766642    812000
20161130.221300     671017    729540
20161130.221310     748825    760573
20161130.221320     759913    766256
20161130.221330     777853    771760

DW

> On Nov 30, 2016, at 12:08 AM, Paul Vlaar <paul at flairlab.nl> wrote:
> 
> Hi Duane,
> 
> On 30/11/16 02:22, Wessels, Duane wrote:
>> Nice to hear from you :-)
> 
> Thanks :)
> 
>> First I used a simple program to just send 1,000,000 DNS queries as
>> fast as it could (takes about 2 seconds) from one machine to another
>> on the same LAN. These are just identical UDP queries, not real
>> traffic. The receiving machine where dnscap runs is RHEL 7.
> 
> I'm running all of this on the same Ubuntu 14.04 machine. This is live
> traffic for a TLD.
> 
> -snip-
> 
>> So they are about the same.
> 
> Interesting. I'd be keen to know if you get the same result when you
> throw actual or recorded traffic at it. I'm now suspecting the new
> version may be choking on certain queries.
> 
> I can't think of why this query:
> 
> [74] 2016-11-29 20:00:59.780750 [#14269
> dnscap-20160205.20161129.200000.001788 4095] \
>        [removed].42341 [removed].53  \
>        dns QUERY,NOERROR,51967 \
>        1 tHEFOODWorKS.inFO,IN,A 0 0 \
>        1 .,4096,4096,32768,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=1,z=0] \
> 
> ... wasn't recorded by 1.2.0 and everything else until:
> 
> [62] 2016-11-29 20:01:00.405206 [#11270
> dnscap-1.2.0.20161129.200000.292235 4095] \
>        [removed].43899 [removed].53  \
>        dns QUERY,NOERROR,7779 \
>        1 nS3.MazUrEK.Info,IN,A 0 0 0
> 
> The preceding query that was still recorded by both versions:
> 
> [97] 2016-11-29 20:00:59.767635 [#11269
> dnscap-1.2.0.20161129.200000.292235 4095] \
>        [removed].63684 [removed].53  \
>        dns QUERY,NOERROR,43970 \
>        1 thecreperiecafe.info,IN,AAAA 0 0 \
>        1 .,4096,4096,32768,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=1,z=0] \
> 
> ... looks very similar to the one that was dropped.
> 
> I guess I'll have to do some more digging to figure this one out. I
> still think you may need to test this with real traffic in order to
> reproduce. And maybe try it on mostly stock Ubuntu 14.04 as well.
> 
> For now, I'm resorting to using version 20160205 on all the places where
> I'm using dnscap.
> 
> 	~paul
> 
> -- 
> Paul Vlaar - FlairLab
> Internet engineering, consultancy
> Dutch Chamber of Commerce 63553104
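The count-and-compare step Duane describes at the top of the thread (two 10-second capture files, one per dnscap version, then a packet count for each), as an added example that is not part of the thread or of the dnscap project: a dependency-free pcap reader that counts packet records in a capture file, reports the time span the records cover, and computes the old-vs-new difference. The parsing follows the standard pcap file layout (24-byte global header, 16-byte record headers); `build_pcap`, its placeholder frame bytes and the timestamps it uses are constructed sample data, and the file names in the usage comment are assumptions.

```python
"""Count packet records in pcap capture files and compare two captures.

Added example, not dnscap's own code. Mirrors the test in the thread:
two dnscap instances each write a 10-second pcap file and the packet
counts are compared. Sample data below is constructed for illustration.
"""
import struct

# pcap global-header magics: microsecond and nanosecond variants, either byte order
_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
}
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def summarize_pcap(data: bytes) -> dict:
    """Walk a pcap byte string; return the record count and the time span covered.

    A bad magic or a truncated record raises ValueError, so a file that was
    cut short (e.g. a capture interrupted mid-write) is reported instead of
    being silently undercounted.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than pcap global header")
    magic = data[:4]
    if magic not in _MAGICS:
        raise ValueError(f"unknown pcap magic {magic.hex()}")
    endian, frac_div = _MAGICS[magic]
    rec_fmt = endian + "IIII"  # ts_sec, ts_frac, incl_len, orig_len
    offset = GLOBAL_HDR_LEN
    count = 0
    first_ts = last_ts = None
    while offset < len(data):
        if offset + RECORD_HDR_LEN > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(rec_fmt, data, offset)
        offset += RECORD_HDR_LEN
        if offset + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {offset}")
        offset += incl_len
        ts = ts_sec + ts_frac / frac_div
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        count += 1
    span = 0.0 if count == 0 else last_ts - first_ts
    return {"packets": count, "span_seconds": span}


def compare_captures(old_data: bytes, new_data: bytes) -> dict:
    """Compare two captures of the same window; delta_pct is relative to the old file."""
    old = summarize_pcap(old_data)
    new = summarize_pcap(new_data)
    delta_pct = (
        0.0 if old["packets"] == 0
        else 100.0 * (new["packets"] - old["packets"]) / old["packets"]
    )
    return {"old": old["packets"], "new": new["packets"], "delta_pct": round(delta_pct, 2)}


def build_pcap(n_packets: int, start_sec: int = 1480543940, interval_us: int = 250_000) -> bytes:
    """Constructed sample: a little-endian, microsecond pcap holding n small records.

    start_sec defaults to 2016-11-30 22:12:20 UTC, the first window in the table above;
    the frame bytes are a placeholder, not a real DNS packet.
    """
    # magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    payload = b"\x00" * 60
    records = []
    for i in range(n_packets):
        total_us = start_sec * 1_000_000 + i * interval_us
        sec, usec = divmod(total_us, 1_000_000)
        records.append(struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload)
    return hdr + b"".join(records)


if __name__ == "__main__":
    # With real files (names assumed):
    #   compare_captures(open("dnscap-old.pcap", "rb").read(), open("dnscap-new.pcap", "rb").read())
    print(compare_captures(build_pcap(800), build_pcap(1000)))
```

The span check is the useful extra: if one file's `span_seconds` is well under the 10 seconds requested with `-t 10`, the two counts are not comparing the same window, which matters more than a few percent difference in the totals.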



